
Hidden backdoors creating WordPress admin accounts

We’re seeing a wave of stealthy backdoors on compromised WordPress websites that quietly create administrator users and keep them there. Even if you delete the rogue account, the malware simply brings it back. Here’s what non-technical site owners need to know — and how to protect your business.


What’s going on?

During a recent cleanup, analysts uncovered two malicious files working together to guarantee ongoing access for attackers:

  • A fake plugin disguised as “DebugMaster Pro” in /wp-content/plugins/DebugMaster/DebugMaster.php.
  • A backdoor script dropped in the site root as /wp-user.php.

Both were engineered to ensure a hidden administrator user exists at all times, giving criminals full control of the website.


How the backdoors work (in plain English)


1) The fake “DebugMaster Pro” plugin

This file masquerades as a legitimate developer tool but behaves like a backdoor. It:

  • Creates a secret admin account (for example, a user called help with administrator privileges).
  • Hides itself from normal plugin lists and filters queries so the rogue user is harder to spot.
  • Phones home to an attacker-controlled server, sending the newly created username, password and site details.
  • Injects external scripts for visitors while excluding admins or whitelisted IPs — a common way to deliver spam, redirects or further malware without tipping off site owners.


2) The wp-user.php backdoor

This simpler script’s job is persistence. It checks whether the target admin username exists and:

  • If found: deletes it and recreates it with the attacker’s chosen password (so changing the password won’t help).
  • If missing: creates the admin user from scratch.

Together, these files guarantee the attacker has an always-on route back into your dashboard.
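The "deleted admin comes back" behaviour described in the two sections above has a simple tell: the recreated account has the same login but a new user ID and a new registration timestamp. The script below, an added example that is not code from the original post or from Sucuri, compares two WP-CLI exports of the administrator list and flags admins that are new or that were deleted and recreated. The site root path and the file names are assumptions; the export command itself uses standard WP-CLI options.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sucuri: compare two
# WP-CLI exports of administrator accounts and flag admins that are new, or
# that were deleted and recreated (same login, different ID / registration
# time), which is exactly what the wp-user.php persistence routine leaves behind.
#
# Assumed way to produce each export (the site root path is an assumption):
#   wp --path=/var/www/html user list --role=administrator \
#      --fields=ID,user_login,user_registered --format=csv > admins-$(date +%F).csv

# audit_admins BASELINE.csv CURRENT.csv
# Prints one line per finding. Returns 1 if anything was flagged, else 0.
audit_admins() {
    findings=$(awk -F, '
        FNR == 1 { next }                       # skip the CSV header of each file
        { gsub(/"/, "", $3) }                   # WP-CLI quotes the timestamp (it contains a space)
        FILENAME == ARGV[1] { base_id[$2] = $1; base_reg[$2] = $3; next }
        !($2 in base_id) {
            printf "NEW admin: %s (ID %s, registered %s)\n", $2, $1, $3; next
        }
        $1 != base_id[$2] || $3 != base_reg[$2] {
            printf "RECREATED admin: %s (ID %s -> %s, registered %s -> %s)\n",
                   $2, base_id[$2], $1, base_reg[$2], $3
        }
    ' "$1" "$2")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on constructed sample exports (not real data): "help" was removed by
# the site owner and recreated by the backdoor with a new ID; "support" is new.
demo_dir=$(mktemp -d)
printf 'ID,user_login,user_registered\n1,owner,"2021-03-01 09:00:00"\n7,help,"2024-06-02 03:14:07"\n' \
    > "$demo_dir/admins-before.csv"
printf 'ID,user_login,user_registered\n1,owner,"2021-03-01 09:00:00"\n12,help,"2024-06-09 01:02:03"\n13,support,"2024-06-09 01:05:00"\n' \
    > "$demo_dir/admins-after.csv"
if audit_admins "$demo_dir/admins-before.csv" "$demo_dir/admins-after.csv"; then
    echo "No changes to the administrator list"
fi
```

Keep the baseline export somewhere the web server cannot write to, and re-run the comparison from a scheduled job; a RECREATED line after you have removed an account is the strongest sign that a persistence script is still on the site.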

Why this matters for your business

  • Trust & brand damage: Hidden admins can alter content, inject spam or send visitors to harmful sites.
  • SEO and conversions: Search engines can flag or demote compromised sites, reducing traffic and enquiries.
  • Compliance risk: Exfiltrated credentials and user data can create GDPR headaches.
  • Recovery costs: Reinfections are common if persistence isn’t removed properly, increasing downtime and expense.

Warning signs

  • Unrecognised files or plugins, especially:
    • /wp-content/plugins/DebugMaster/DebugMaster.php
    • /wp-user.php in the site root
  • New or hidden administrator users appearing in WordPress.
  • Deleted admin accounts reappearing after removal.
  • Unexpected redirects, spam pop-ups or complaints from visitors.

Prevention and resolution

If you suspect a compromise, act methodically to avoid tipping off the attacker or leaving persistence in place.

  1. Take a secure backup first (files and database) for forensics and rollback.
  2. Remove malicious files:
    • Delete the DebugMaster plugin directory.
    • Delete /wp-user.php from the site root.
  3. Audit WordPress users:
    • Remove the suspicious admin (e.g. help), and check for unknown administrators.
    • Review who can install plugins and manage users.
  4. Reset credentials across the board:
    • WordPress admin accounts, hosting panel, SFTP/SSH and database passwords.
    • Rotate API keys and application passwords where used.
  5. Update everything:
    • Apply the latest WordPress core, plugin and theme updates (managed updates reduce gaps).
  6. Review logs & outbound traffic:
    • Look for calls to unknown domains and unusual admin activity.
  7. Harden your site:
    • Install a Web Application Firewall (WAF) to block malicious requests.
    • Limit admin accounts, enforce strong passwords and multi-factor authentication.
    • Disable file editing in wp-admin and restrict plugin installation to trusted users.
  8. Monitor continuously:
    • Use security monitoring and alerts to catch suspicious changes early.
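The file-level part of the procedure above (back up first, remove the two named files, make sure file editing is disabled) as reusable shell functions. This is an added example, not code from the original post or from Sucuri; the indicator paths are the ones the post names, and the site root, backup and quarantine directories are assumptions. It moves the malicious files into a quarantine directory rather than deleting them outright, so a copy survives for forensics alongside the backup.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sucuri: the file-level
# part of the cleanup (backup first, remove the two known indicator files,
# confirm file editing is disabled) as reusable shell functions. The indicator
# paths are the ones named in the post; everything else is an assumption.

INDICATORS="wp-user.php wp-content/plugins/DebugMaster"

# backup_site ROOT DEST: archive the files and, if WP-CLI is available,
# export the database, before anything is touched (step 1).
backup_site() {
    root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$root" .
    if command -v wp >/dev/null 2>&1; then
        wp --path="$root" db export "$dest/db-$stamp.sql"
    else
        echo "wp-cli not found: export the database from your hosting panel"
    fi
}

# quarantine_indicators ROOT QUARANTINE: move the known malicious files out of
# the web root instead of deleting them, so a copy survives for forensics
# (step 2). Prints what was moved.
quarantine_indicators() {
    root="$1"; q="$2"
    mkdir -p "$q"
    for rel in $INDICATORS; do
        if [ -e "$root/$rel" ]; then
            mv "$root/$rel" "$q/$(basename "$rel")"
            echo "quarantined: $rel"
        fi
    done
}

# file_edit_disabled ROOT: true when wp-config.php defines DISALLOW_FILE_EDIT
# as true, which removes the theme/plugin editor from wp-admin (step 7).
file_edit_disabled() {
    pat="define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
    grep -Eq "$pat" "$1/wp-config.php"
}

# make_demo_site DIR: constructed stand-in for a compromised site root so the
# script runs offline; the PHP files are empty placeholders, not the malware.
make_demo_site() {
    mkdir -p "$1/wp-content/plugins/DebugMaster"
    echo '<?php // placeholder' > "$1/wp-user.php"
    echo '<?php // placeholder' > "$1/wp-content/plugins/DebugMaster/DebugMaster.php"
    printf "<?php\ndefine( 'DB_NAME', 'wordpress' );\n" > "$1/wp-config.php"
}

# Run against the constructed demo site; on a real server pass your own root.
demo_base=$(mktemp -d)
make_demo_site "$demo_base/site"
backup_site "$demo_base/site" "$demo_base/backup"
quarantine_indicators "$demo_base/site" "$demo_base/quarantine"
if file_edit_disabled "$demo_base/site"; then
    echo "file editing already disabled"
else
    echo "add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php"
fi
```

Run the backup to a directory outside the web root, and treat the quarantine directory the same way: it must not be served by the web server. Removing these two files covers only the indicators this post describes; the user audit, credential reset, updates and log review in the steps above still have to follow, because the rogue admin account remains valid until it is removed and every password it may have captured is rotated.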

Key takeaways

  • Backdoors are designed for persistence. Deleting a rogue user isn’t enough if a script can recreate it.
  • Combine malware removal with hardening, a WAF and security monitoring to prevent reinfection.
  • Well-run website maintenance — managed updates, backups and regular checks — is your best defence.

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

If you’ve spotted any of the warning signs or just want peace of mind, get in touch at [email protected] or call 01952 883 526.

Attribution: Based on research by Sucuri.