
Hackers Use Fake WordPress Plugin to Maintain Full Site Control
Researchers have found hackers exploiting WordPress sites through concealed backdoors, gaining full control, even when site owners try to remove them.
In a rush? Here are the quick facts:
- A fake plugin named DebugMaster Pro secretly created admin accounts.
- The malware sent stolen login details to a hacker-controlled server.
- Malicious scripts were injected into sites, also logging admin IP addresses.
A recent investigation by Sucuri found that two files with malicious content were disguised as normal WordPress system components. One was a fake plugin called “DebugMaster Pro” (./wp-content/plugins/DebugMaster/DebugMaster.php). The other pretended to be a core file (./wp-user.php).
Both were designed to ensure attackers always had an administrator account on the site. The DebugMaster file carried the more elaborate code: it created a hidden admin user, kept the plugin out of WordPress's plugin list, and sent stolen login information to a remote server.
As the report explained: “This snippet forces WordPress to create a new user named help with the role of administrator. If the user already exists, the script ensures it has administrator privileges restored.”
The stolen details, including username and password, were encoded and sent to a hacker-controlled server. While running, the malware also injected malicious scripts into the site and logged the IP addresses of site administrators.
The wp-user.php file was simpler but just as concerning: it maintained an admin account named “help” with a fixed password. Even if a site owner deleted this account, the file would instantly recreate it.
The researchers explained that warning signs of this infection include unusual files such as ‘DebugMaster.php’ or ‘wp-user.php’, new or hidden administrator accounts, and deleted accounts that come back.
Cleaning up involves removing the malicious files and any suspicious accounts. Site owners are also advised to reset all passwords, update WordPress and its plugins, and check server logs for unusual connections.
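As an added example (not code from the Sucuri report or this article), the script below checks a site for the three warning signs just listed: it looks for the named file paths under the WordPress root, flags administrator accounts that are not on an owner-maintained allowlist, and reports previously deleted accounts that have reappeared. The user-dump shape (keys `user_login` and `roles`, as `wp user list --format=json` produces) and the sample data are assumptions constructed for the demo.

```python
import json
import tempfile
from pathlib import Path
from typing import Iterable

# File paths named in the Sucuri report, relative to the WordPress root.
INDICATOR_FILES = (
    "wp-content/plugins/DebugMaster/DebugMaster.php",
    "wp-user.php",
)

def find_indicator_files(wp_root: str) -> list[str]:
    """Return which of the known malicious files exist under wp_root."""
    root = Path(wp_root)
    return [rel for rel in INDICATOR_FILES if (root / rel).is_file()]

def unexpected_admins(users: Iterable[dict], approved: set[str]) -> list[str]:
    """Administrator logins the site owner did not approve. `users` follows the
    assumed shape of `wp user list --format=json` (comma-separated 'roles')."""
    flagged = []
    for u in users:
        roles = {r.strip() for r in u.get("roles", "").split(",")}
        if "administrator" in roles and u["user_login"] not in approved:
            flagged.append(u["user_login"])
    return sorted(flagged)

def resurrected_accounts(removed: set[str], users: Iterable[dict]) -> list[str]:
    """Logins the owner deleted earlier that exist again (recreated by a backdoor)."""
    return sorted(removed & {u["user_login"] for u in users})

def audit(wp_root: str, users_json: str, approved: set[str], removed: set[str]) -> dict:
    users = json.loads(users_json)
    return {
        "indicator_files": find_indicator_files(wp_root),
        "unexpected_admins": unexpected_admins(users, approved),
        "resurrected": resurrected_accounts(removed, users),
    }

def run_demo() -> dict:
    """Constructed sample: a fake site root containing wp-user.php and a user
    dump in which the 'help' admin from the report is back after deletion."""
    root = tempfile.mkdtemp()
    Path(root, "wp-user.php").write_text("<?php // constructed placeholder\n")
    users = json.dumps([
        {"user_login": "owner", "roles": "administrator"},
        {"user_login": "help", "roles": "administrator"},
        {"user_login": "writer", "roles": "editor"},
    ])
    return audit(root, users, approved={"owner"}, removed={"help"})
```

Run `run_demo()` to see all three findings on the constructed sample; on a real site, feed `audit()` the live root path and a fresh `wp user list --format=json` dump.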
Researchers said the two files “created a resilient foothold on the website,” meaning attackers could easily return unless the site was fully cleaned and secured.