Gain Admin Access with WordPress Backdoor

While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by accessing a specific URL using a normal web browser, such as Google Chrome of Firefox.

Once the WordPress backdoor is triggered, a new WordPress user with Administrator role is automatically created on the customer’s WordPress website, which a malicious user can use to regain access to someone’s WordPress installation any time he or she wants. In this post we will have a look at this WordPress backdoor’s code and explain how it works.

Note: This post is for educational and learning purposes ONLY. In fact we DO NOT recommend anyone to use such a backdoor in his or her WordPress installation.

WordPress Backdoor

The WordPress backdoor is listed in the below example. It is a simple PHP function that can be added to the WordPress theme’s functions.php file.

The backdoor can be triggered by accessing the URL https://www.wpwhitesecurity.com?backdoor=go (if installed on www.WP White Security.com (this is a NON working example)).

How Does the WordPress Password Backdoor Work?

Using the above example, once the WordPress backdoor is triggered a new WordPress administrator account is created with the following credentails:

User:  backdooradmin
Password: Pa55W0rd

Using the WordPress Backdoor

If you would like to use the above WordPress backdoor for whatever reason you might have, use a different URL (by changing the GET variable and value on line 5) from the one specified in the above exampled. Also use a strong username and password (specified on line 8).

WP White Security Tip: We DO NOT recommend you to use such WordPress backdoor. This information in this post should only be used for educational and learning purposes.

Please note that by posting information about this WordPress backdoor online, we are not exposing anything malicious. For someone to create such backdoor, he or she would need FTP access to your WordPress website. If someone manages to gain FTP access to your WordPress website, there are many other things you should worry about rather than this WordPress backdoor.

If you would like to make a WordPress Security Audit, harden the security of your WordPress installation or need any type of WordPress professional support, drop us an email on support@wpwhitesecurity.com.

This content was originally published here.