WordPress powers millions of websites worldwide, but its popularity also makes it a prime target for hackers. Recently, security researchers uncovered a clever new tactic: attackers are hiding backdoors inside WordPress sites, disguised as normal plugins or core files.
These hidden files look innocent, but their real purpose is to give hackers permanent administrator access, even if other malware is found and removed.
Are you in need of a skilled WordPress developer to bring your website vision to life?
Look no further! Whether you need custom themes, plugin development, site optimization, or ongoing support, I offer expert WordPress development services to suit your needs.
What Was Found
During the cleanup of a compromised WordPress site, two malicious files were discovered:
1. A Fake Plugin Called DebugMaster Pro
- Location:
./wp-content/plugins/DebugMaster/DebugMaster.php - At first glance, this file looked like a regular plugin. It even included developer-style comments and plugin details to appear authentic.
- But inside, the code was heavily scrambled (obfuscated) to hide its true function.
What it really did:
- Created a secret admin user with a fixed username and password.
- Hid this account from the WordPress user list.
- Disappeared from the plugin list so site owners wouldn’t see it.
- Sent the stolen login details to the hackers through an encoded connection.
- Injected malicious JavaScript into every visitor’s page, which could redirect users, display spam, or steal personal data.
Suggested Read: How to Add Extra Fees in WooCommerce (Without a Plugin)
2. A Fake WordPress Core File: wp-user.php
- Location: root folder of WordPress (
./wp-user.php). - This file pretended to be part of WordPress itself.
Its job was simple but powerful:
- Continuously checked if the secret admin account existed.
- If the account was missing, it recreated it instantly with the hacker’s password.
- Even if the site owner deleted or renamed the account, it came back immediately on the next page load.
How These Files Worked Together
- DebugMaster Pro acted as the stealthy backdoor. It created secret admins, hid itself, sent data to hackers, and injected harmful code into visitor pages.
- wp-user.php acted as the recovery tool. It kept restoring the hacker’s admin account so the site owner could never permanently delete it.
Together, they formed a two-layer persistence system, one for stealthy control, the other for brute-force account restoration.
Suggested Read: Partial COD (Cash on Delivery) in WooCommerce
Why These Backdoors Were So Effective
By combining these two files, hackers created a two-layer system:
- Stealth and control: The fake plugin secretly created admin accounts, sent credentials to attackers, and injected harmful scripts.
- Persistence: The fake core file made sure the hacker’s account could never be permanently deleted.
This meant hackers could keep control of the site indefinitely, unless the malicious files themselves were found and removed.
The attackers also used smart tricks to stay hidden:
- Obfuscated (scrambled) code to bypass scanners.
- WordPress hooks to hide from the dashboard.
- Familiar names and structures to look like real plugins or system files.
What This Means for WordPress Site Owners
This case shows how sophisticated WordPress malware has become. Attackers no longer rely on obvious spam or clunky hacks. Instead, they blend into the site, making it hard to tell what’s real and what’s fake.
For site owners, the danger is clear: you may think you’ve cleaned your site, but hidden backdoors can keep hackers inside.
How to Protect Your WordPress Site
Here are some practical steps every WordPress site owner should take:
1. Audit your files regularly
- Check
wp-content/plugins,wp-content/mu-plugins, and your WordPress root folder for unknown files.
2. Review admin accounts often
- If you see unfamiliar admin users, investigate immediately.
3. Enable file integrity monitoring
- Use security plugins or external tools that alert you when files change.
4. Keep WordPress up to date
- Always update core, plugins, and themes to the latest versions.
5. Use a Web Application Firewall (WAF)
- Services like Cloudflare or Sucuri can block many common attacks.
6. Strengthen logins
- Use strong passwords and enable two-factor authentication (2FA).
7. Have clean backups ready
- Store backups off-site so you can restore your site if it’s compromised.
Final Thoughts
The discovery of these backdoors shows just how far hackers will go to stay hidden. A fake plugin and a fake system file worked together to guarantee ongoing admin control of the site, no matter what the owner did.
For WordPress users, the lesson is simple:
- Don’t just clean obvious malware.
- Look deeper for hidden backdoors.
- Stay proactive with security checks, updates, and monitoring.
By taking regular precautions, you can stop hackers from turning your website into their playground.
Also Read: WooCommerce vs Shopify: Which One to Choose for 2025?
Pradeep Maurya is the Professional Web Developer & Designer and the Founder of “Tutorials website”. He lives in Delhi and loves to be a self-dependent person. As an owner, he is trying his best to improve this platform day by day. His passion, dedication and quick decision making ability to stand apart from others. He’s an avid blogger and writes on the publications like Dzone, e27.co