(520) 462-0516

info@threatintel-solutions.net

Threat Intel Solutions

Let’s Talk

Malicious WordPress Plugin Creates Hidden Admin User Backdoor

* [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)Malicious WordPress Plugin Creates Hidden Admin User Backdoor=============================================================![](https://secure.gravatar.com/avatar/067bd4ee574f53bb79d411d83b5cc84ea794c798f945cb84a001cbe05fee65df?s=60&d=mm&r=g) [Matt Morrow](https://blog.sucuri.net/author/matt-morrow)* June 20, 2025 ![Malicious WordPress Plugin Creates Hidden Admin User Backdoor](https://blog.sucuri.net/wp-content/uploads/2025/06/Fake-Admin-Plugin-820×385.png) I recently [wrote about a case](https://blog.sucuri.net/2025/06/fake-wordpress-caching-plugin-used-to-steal-admin-credentials.html) where a malicious plugin was used to steal admin credentials. Here we will examine yet another malicious plugin that creates a malicious admin user right in the website.Examining the malware=====================While examining the site, we noticed a plugin located at wp-content/plugins labeled **php-ini.php** . This is strange since directories generally don’t contain extensions, especially one like **.php** since those are reserves for files. The plugin contained one file, also named **php-ini.php**. Upon checking the plugin file, we immediately noticed that the plugin description and author did not match the plugin name.![suspicious plugin file](https://blog.sucuri.net/wp-content/uploads/2025/06/suspicious-plugin-file-scaled.png)While the plugin at **[wpforms.com](http://wpforms.com)** is a premium version, we can find a free version of the plugin in the [WordPress repositories](https://wordpress.org/plugins/wpforms-lite/). We can see from there that the official plugin contains much more content than a single file, including an appropriately named **wpforms.php**, which is standard for valid plugins. A common trend for bad actors is to copy real plugins and either insert malicious code or completely replace all of the PHP content with their own code so that it will be more difficult to identify fake or maliciously altered plugins.![wpforms files](https://blog.sucuri.net/wp-content/uploads/2025/06/wpforms-files.png)The attackers didn’t put much effort into this attack, they commented out the majority of the file and left their malware in just a few lines in the center of the file.![malware in the center](https://blog.sucuri.net/wp-content/uploads/2025/06/malware-in-the-center.png)Breaking it down================[**add_action()**](https://developer.wordpress.org/reference/functions/add_action/) is a core WordPress function that launches specific code or functionality at various points in the site. Because this is placed in a plugin, the action would be launched whenever the plugin is loaded, typically on every page. The call to **add_action()** here invokes the content located in the **SECURITYDB** function just below that line and places that in the header of the site — **wp_head**.The first line in the **SECURITYDB** function checks to see if the URL being called contains the parameter **?5394552785=SECURITY_DB**. In this way, the malicious admin user isn’t created every time the site loads but only when that specific URL is called. This condition may have been chosen to better hide the attacker’s intent — if the admin user is always present then a real admin user of the site may notice the new malicious user.Interestingly, we see the attackers included the core WordPress file **wp-includes/registration.php** . While the file still exists in current WordPress versions, the use of that file was deprecated in WordPress 3.0 with that functionality being moved to **wp-includes/user.php**. We can only guess the attackers called that file so that the malware will work regardless of which WordPress version is being attacked.The code then checks for the existence of the **mr_administartor** and if that user doesn’t exist, proceeds to create a user with a hard coded password and administrator privileges. It is somewhat humorous that the attackers misspelled **administrator** but this flows with their lack of any attempt to better hide the malware. This is probably one of the laziest attacks we’ve seen in a while. They didn’t even include any code to hide the plugin from the wp-admin plugins list.Cleaning Up===========This malware was straightforward to remediate, we just removed the plugin and deleted the malicious WordPress admin.Because this malware was included in a plugin, there is a chance the attackers compromised an FTP or sFTP account to upload that directly to the server though there is a possibility that was uploaded via the wp-admin panel using an existing WordPress admin account.It is important to always review any WordPress admin users, as well as FTP and sFTP accounts. Passwords for those accounts should be changed regularly, and IP restrictions should be placed on the FTP and sFTP services if possible.We also recommend implementing 2FA or IP restrictions on the wp-admin panel to prevent unwanted access there. This can be accomplished by [utilizing a Firewall](https://sucuri.net/website-firewall/).Additionally, a regular audit should be performed to confirm that the site is not using any unrecognized plugins. Tools like the [Sucuri plugin](https://wordpress.org/plugins/sucuri-scanner/) will scan the files and notify for any suspicious changes, and our [server-side scanner](https://docs.sucuri.net/website-monitoring/server-side-scanner/) will provide a history of any file changes.If you believe your site may have been hacked [we’re always here](https://sucuri.net/website-security-platform/help-now/) to take a look. ![](https://secure.gravatar.com/avatar/067bd4ee574f53bb79d411d83b5cc84ea794c798f945cb84a001cbe05fee65df?s=120&d=mm&r=g) ##### [Matt Morrow](https://blog.sucuri.net/author/matt-morrow)Matt is a Cyber Security analyst who joined Sucuri in 2018. Matt has a long history of working with Linux and Windows servers in a wide context. At Sucuri, Matt’s main responsibilities include identifying and removing malware from websites as well as researching emerging malware trends. When Matt isn’t focusing his attention there, you will usually find him working on a new piece of music or out in his garden.##### Related Tags* [Malware](https://blog.sucuri.net/tag/malware),* [Sucuri WordPress Plugin](https://blog.sucuri.net/tag/sucuri-wordpress-plugin),* [WordPress Plugins and Themes](https://blog.sucuri.net/tag/wordpress-plugins-and-themes),* [WordPress Security](https://blog.sucuri.net/tag/wordpress-security)##### Related Categories* [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)![mayhem malware server botnet blog header](https://blog.sucuri.net/wp-content/uploads/2017/10/10122017-mayhem-malware-server-botnet-continues-to-evolve_en-blog-390×183.jpg) * [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)[](https://blog.sucuri.net/2017/10/mayhem-malware-server-botnet-continues-to-evolve.html) [Mayhem Malware Server Botnet Continues to Evolve](https://blog.sucuri.net/2017/10/mayhem-malware-server-botnet-continues-to-evolve.html)—————————————————————————————————————————————–* ![](https://secure.gravatar.com/avatar/d65547f3b779c832838a8a24f83314f96712f35cf5d87d947bf363f1e243023c?s=20&d=mm&r=g)Jose Martinez* October 12, 2017 Three years ago, researchers at Yandex discovered a complex server infection, dubbed Mayhem, that embeds itself deep within a system by compiling a shared object… [Read the Post](https://blog.sucuri.net/2017/10/mayhem-malware-server-botnet-continues-to-evolve.html) ![Sucuri WordPress Vulnerability Roundup May 2025](https://blog.sucuri.net/wp-content/uploads/2025/05/May-2025-390×183.jpg) * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2025/05/vulnerability-patch-roundup-may-2025.html) [Vulnerability -& Patch Roundup — May 2025](https://blog.sucuri.net/2025/05/vulnerability-patch-roundup-may-2025.html)————————————————————————————————————————* ![](https://blog.sucuri.net/wp-content/uploads/2024/07/avatar_user_112_1721420180-20×20.png)Sucuri Malware Research Team* May 30, 2025 Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes… [Read the Post](https://blog.sucuri.net/2025/05/vulnerability-patch-roundup-may-2025.html) ![Multiple Ways to Inject Tech Support Scams](https://blog.sucuri.net/wp-content/uploads/2018/10/10232018-multiple-ways-to-inject-the-same-tech-support-scam_en-blog-390×183.png) * [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2018/10/multiple-ways-to-inject-the-same-tech-support-scam-malware.html) [Multiple Ways to Inject the Same Tech Support Scam Malware](https://blog.sucuri.net/2018/10/multiple-ways-to-inject-the-same-tech-support-scam-malware.html)————————————————————————————————————————————————————-* ![](https://secure.gravatar.com/avatar/292c42da0d9f929a9405e6ce269f101cc888f5c5cbcf8006e131c9bed042c80d?s=20&d=mm&r=g)Denis Sinegubko* October 23, 2018 Last month, we shared information about yet another series of ongoing massive infections using multiple different vectors to inject malicious scripts into WordPress websites. Shortly… [Read the Post](https://blog.sucuri.net/2018/10/multiple-ways-to-inject-the-same-tech-support-scam-malware.html) ![Labs Note](https://blog.sucuri.net/wp-content/uploads/2020/07/sucuri-labs-og-servers2-390×205.png) * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2019/10/plugins-added-to-malware-campaign-september-2019.html) [Plugins added to Malware Campaign: September 2019](https://blog.sucuri.net/2019/10/plugins-added-to-malware-campaign-september-2019.html)——————————————————————————————————————————————* ![](https://secure.gravatar.com/avatar/acdc15f160ef94b9c16d86e7ce7a1630d537ea0323a8bd6d1608a5ef3a0fa5e7?s=20&d=mm&r=g)John Castro* October 3, 2019 This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below: Multi-Vector Attack in… [Read the Post](https://blog.sucuri.net/2019/10/plugins-added-to-malware-campaign-september-2019.html) ![Sucuri WordPress Vulnerability Round-Up](https://blog.sucuri.net/wp-content/uploads/2024/07/July-2024-390×183.jpg) * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-2024.html) [WordPress Vulnerability -& Patch Roundup July 2024](https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-2024.html)——————————————————————————————————————————————* ![](https://blog.sucuri.net/wp-content/uploads/2024/07/avatar_user_112_1721420180-20×20.png)Sucuri Malware Research Team* July 29, 2024 Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes… [Read the Post](https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-2024.html) ![Why Reinfections Happen with a WAF](https://blog.sucuri.net/wp-content/uploads/2019/10/10282019-Why_Reinfections_Happen_With_A_WAF_blog-390×183.jpg) * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2019/11/why-reinfections-happen-with-a-waf.html) [Why Reinfections Happen with a WAF](https://blog.sucuri.net/2019/11/why-reinfections-happen-with-a-waf.html)————————————————————————————————————-* ![](https://secure.gravatar.com/avatar/1c366df979e3ab3b3f9add08268c19141d3202ba8b885d1fcbfd106e7f2f7aba?s=20&d=mm&r=g)Luke Leal* November 11, 2019 A web application firewall (WAF) is a great way to detect and filter incoming malicious requests before they can exploit website vulnerabilities and security flaws…. [Read the Post](https://blog.sucuri.net/2019/11/why-reinfections-happen-with-a-waf.html) ![Navigating Data Responsibility](https://blog.sucuri.net/wp-content/uploads/2018/10/11212018-navigating-data-responsibility_blog-390×183.jpg) * [Ecommerce Security](https://blog.sucuri.net/category/ecommerce-security)* [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2018/11/navigating-data-responsibility.html) [Navigating Data Responsibility](https://blog.sucuri.net/2018/11/navigating-data-responsibility.html)—————————————————————————————————–* ![](https://secure.gravatar.com/avatar/1547ecf08b9a87dd8f77ad581ee385c0dec3ac65bc681ae448fed58bafc60987?s=20&d=mm&r=g)Victor Santoyo* November 21, 2018 As we take a step back and think about how much the Internet has grown over the past 20 years, we realize how much content/data… [Read the Post](https://blog.sucuri.net/2018/11/navigating-data-responsibility.html) ![Personal Security Best Practices](https://blog.sucuri.net/wp-content/uploads/2018/10/10022018-top-10-owasp_blog-1-390×183.png) * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2018/10/owasp-top-10-security-risks-part-i.html) [OWASP Top 10 Security Risks — Part I](https://blog.sucuri.net/2018/10/owasp-top-10-security-risks-part-i.html)—————————————————————————————————————-* ![](https://secure.gravatar.com/avatar/2d13e7e687541acc7ed9f7f366d328ff98b76f1542f0bf16219bd6fd883f1990?s=20&d=mm&r=g)Gerson Ruiz* October 3, 2018 It is National Cyber Security Awareness Month and in order to bring awareness to what threatens the integrity of websites, we would like to start… [Read the Post](https://blog.sucuri.net/2018/10/owasp-top-10-security-risks-part-i.html) ![](https://blog.sucuri.net/wp-content/uploads/2017/08/08142017-EN-advanced-malware-decoding_blog-390×183.jpg) * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)[](https://blog.sucuri.net/2017/08/malware-decoding-step-step-guide.html) [Decoding Complex Malware — Step-by-Step](https://blog.sucuri.net/2017/08/malware-decoding-step-step-guide.html)—————————————————————————————————————–* ![](https://secure.gravatar.com/avatar/aa2a114e9735d557ab333e681b289584237c72389e4967b25a7c41195184e52a?s=20&d=mm&r=g)Rodrigo Escobar* August 15, 2017 When cleaning websites, one of the most complicated parts of our job is ensuring we find all backdoors. Most of the time, attackers inject code… [Read the Post](https://blog.sucuri.net/2017/08/malware-decoding-step-step-guide.html) ![Labs Note](https://blog.sucuri.net/wp-content/uploads/2020/07/sucuri-labs-og1-390×181.png) * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2017/06/how-undefined-variables-can-give-you-rce.html) [How Undefined Variables Can Give You RCE](https://blog.sucuri.net/2017/06/how-undefined-variables-can-give-you-rce.html)————————————————————————————————————————-* ![](https://secure.gravatar.com/avatar/423a016fd850615125dde80911c97a577baf4990be9250b35c71085b651a6511?s=20&d=mm&r=g)Fernando Barbosa* June 5, 2017 When investigating a compromised website, our team has to make sure that all malware and backdoors are cleared from the environment. In some instances, these… [Read the Post](https://blog.sucuri.net/2017/06/how-undefined-variables-can-give-you-rce.html)

Related Tags:
NAICS: 54 – Professional

Scientific

Technical Services

NAICS: 81 – Other Services (except Public Administration)

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 51 – Information

NAICS: 813 – Religious

Grantmaking

Civic

Professional Services

Similar Services

Denis

Blog: Sucuri

Impair Defenses: Disable or Modify System Firewall

Associated Indicators:

Search

Popular Posts

Categories

Pages

Archives

Tags

Follow Us