Malicious WordPress Plugin Creates Hidden Admin User Backdoor

A malicious WordPress plugin named php-ini.php was found creating a hidden admin user on infected websites, activated only via a specific URL parameter. The attackers took a simplistic approach, replacing legitimate plugin files and hardcoding the admin account, which makes the backdoor easier to detect.

Keypoints

  • A suspicious plugin named php-ini.php was discovered in the WordPress plugin directory, containing a single file with inconsistent author and description information.
  • The malware activates only when a specific URL parameter (?5394552785=SECURITY_DB) is present to stealthily create a malicious admin user.
  • The attackers copied and replaced legitimate plugin content with minimal malicious code, forgoing advanced concealment techniques.
  • The malicious admin user created is named “mr_administartor” with a hardcoded password and administrative privileges.
  • Outdated WordPress core files were referenced to ensure compatibility across different WordPress versions.
  • Removal involved deleting the plugin and the unauthorized admin account, emphasizing the need to audit FTP/sFTP and WordPress admin accounts regularly.
  • Recommendations include changing passwords frequently, applying IP restrictions, enabling two-factor authentication, and using security plugins like Sucuri for regular scans.

MITRE Techniques

  • [T1221] Template Injection – The malicious plugin code injects a function via the add_action() hook on wp_head to execute the payload. (‘add_action() is a core WordPress function that launches specific code…’)
  • [T1078] Valid Accounts – The malware creates a hidden administrator account “mr_administartor” with a hardcoded password. (‘The code then checks for the existence of the mr_administartor and if that user doesn’t exist, proceeds to create a user…’)
  • [T1105] Ingress Tool Transfer – Potential uploading of the malicious plugin via compromised FTP/sFTP or admin panel accounts. (‘There is a chance the attackers compromised an FTP or sFTP account to upload that directly to the server…’)

Indicators of Compromise

  • [File Name] Malicious plugin – php-ini.php located in wp-content/plugins directory.
  • [Account Name] Malicious WordPress admin user – mr_administartor with administrator privileges.
  • [URL Parameter] Trigger for malware activation – ?5394552785=SECURITY_DB
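A defender-side check for the behaviour summarised above, added here as an example (not code from the report or from Sucuri): a static scan of wp-content/plugins for PHP files that combine a wp_head hook or a request-parameter gate with user creation and an administrator role, plus the literal IoCs listed above. The regexes and the two fixture files are my own constructions, not the real sample.

```python
import re
from pathlib import Path

# Heuristics for the backdoor shape described above (my own approximations, not Sucuri's signatures).
INDICATORS = {
    "hooks_wp_head": re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]"),
    "reads_request_param": re.compile(r"\$_(GET|REQUEST|POST)\s*\["),
    "checks_user_exists": re.compile(r"\b(username_exists|get_user_by)\s*\("),
    "creates_user": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "grants_admin": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]"
                               r"|['\"]role['\"]\s*=>\s*['\"]administrator['\"]"),
    # Literal IoCs from the report: trigger parameter/value and planted account name.
    "known_ioc": re.compile(r"5394552785|SECURITY_DB|mr_administartor"),
}

def scan_source(src: str) -> set:
    """Names of every indicator that matches the PHP source text."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}

def classify(hits: set) -> str:
    """Account creation plus an administrator role, gated on a request
    parameter or planted in a front-end hook, is the backdoor shape."""
    if "known_ioc" in hits:
        return "match-known-ioc"
    if {"creates_user", "grants_admin"} <= hits and (
            hits & {"reads_request_param", "hooks_wp_head"}):
        return "suspicious"
    return "clean"

def scan_plugins(plugins_dir: str) -> list:
    """Walk wp-content/plugins and report every PHP file that is not clean."""
    findings = []
    for php in Path(plugins_dir).rglob("*.php"):
        hits = scan_source(php.read_text(errors="replace"))
        verdict = classify(hits)
        if verdict != "clean":
            findings.append((str(php), verdict, sorted(hits)))
    return findings

# Constructed fixtures, not the real sample: a harmless wp_head hook, and a
# fragment with the same shape as the plugin described above.
BENIGN = """<?php
add_action('wp_head', function () { echo '<meta name="generator" content="x">'; });
"""
SUSPICIOUS = """<?php
add_action('wp_head', 'maybe_add_user');
if (isset($_GET['trigger'])) { /* ... */ }
if (!username_exists('site_helper')) { wp_create_user('site_helper', '...', '...'); }
$user->set_role('administrator');
"""
```

Run scan_plugins("/path/to/wp-content/plugins") and review every file it returns; a "suspicious" verdict on a legitimate membership plugin is a false positive to triage, while "match-known-ioc" means the literal strings from this report are present.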


Read more: https://blog.sucuri.net/2025/06/malicious-wordpress-plugin-creates-hidden-admin-user-backdoor.html