WP-Compat Plugin: The Hidden Backdoor in Your WordPress Site

Published on 10/28/2025
MD Pabel

Warning: If you see a plugin called “WP Compatibility Patch” on your WordPress site, your website has been hacked. This fake plugin creates hidden admin accounts and gives hackers full control of your website.

What is WP-Compat?

WP-Compat is malware disguised as a real WordPress plugin. It pretends to fix compatibility problems with WordPress and PHP. But this is a lie. The plugin does nothing good. It only helps hackers steal your website.

The plugin looks real because it uses a fake author name: “WP Core Contributors”. This tricks website owners into thinking it’s an official WordPress tool.

Where to Find This Malware

  • Location: /wp-content/plugins/wp-compat/wp-compat.php
  • Plugin name: WP Compatibility Patch
  • Fake author: WP Core Contributors

How This Malware Works

Creates a Secret Admin Account

The wp-compat malware creates a hidden administrator account every time your website loads. Here’s what it creates:

  • Username: adminbackup
  • Password: 0m58scqdh3
  • Email: adminbackup@wordpress.org
  • Access level: Full admin control

If you delete this account, the malware brings it back automatically. This happens because the code checks for the account every time someone visits your site.

Hides Itself From You

The malware uses smart tricks to stay hidden:

  • You can’t see the plugin: It removes itself from your WordPress plugins page. When you check your installed plugins, wp-compat won’t show up.
  • You can’t see the fake admin: The hidden admin account doesn’t appear in your Users list. The malware changes how WordPress shows users.
  • You can’t edit or delete it: If you find the fake admin account and try to delete it, WordPress shows an error: “Invalid user ID”.
  • The user count looks normal: Your WordPress admin shows the wrong number of total users. The malware subtracts one from the count to hide the extra account.

Stores Information in Your Database

The malware saves the hacker’s user ID in your WordPress database. It creates an entry called _pre_user_id in the wp_options table. This helps the malware remember the fake admin account even if you:

  • Change all passwords
  • Delete suspicious files
  • Update WordPress
  • Clean your site with security plugins

This is why wp-compat is very hard to remove completely.

Verification System

The malware includes a check system using browser cookies. Hackers can send a special cookie called WORDPRESS_ADMIN_USER. If the fake admin exists, the site responds: “WP ADMIN USER EXISTS.” This lets hackers quickly test if their malware still works without logging in.

How Hackers Install This Plugin

The wp-compat plugin doesn’t install by itself. Hackers have to upload it first. Here’s how they get in:

Weak Passwords

Most WordPress hacks happen because of weak passwords. Hackers use stolen login info or guess simple passwords. Always use:

  • Long passwords (at least 12 characters)
  • Mix of uppercase, lowercase, numbers, and symbols
  • Different passwords for each site
  • A password manager to remember them

Outdated Plugins

Old plugins often have security holes. 52% of infected sites have outdated software. Hackers exploit these to upload fake plugins like wp-compat, create admin accounts, and control your site.

Stolen FTP Access

If hackers steal your FTP, SFTP, or hosting login, they can upload files directly. They don’t need to use WordPress.

Vulnerable Themes

Old or poorly coded themes can also be weak points that hackers use to upload malicious files.

Why WP-Compat is Very Dangerous

Hard to Remove

Simply deleting the plugin folder isn’t enough. The malware keeps coming back because of the database entry _pre_user_id. You must clean both the files and the database to fully remove it.

Security Tools Miss It

Many security plugins can’t find wp-compat because:

  • It hides from the plugin list
  • The admin account is hidden
  • It uses legitimate functions and stores data in the database

Gives Full Control to Hackers

With admin access, hackers can:

  • Steal customer data
  • Inject spam links
  • Redirect visitors to scam sites
  • Install more malware
  • Delete your content
  • Take your site hostage

Part of a Larger Attack

Similar fake plugins exist, showing organized groups actively hacking WordPress sites:

  • DebugMaster Pro
  • WP-antymalwary-bot.php
  • wp-performance-booster.php
  • Fake “Classic” plugin versions

How to Find WP-Compat on Your Site

Check Files with FTP

Use FTP, SFTP, or your hosting file manager. Look in:

/wp-content/plugins/

If you see a folder named wp-compat, your site is infected.

Check Your Database

Log into phpMyAdmin and look in the wp_options table for:

_pre_user_id

If you find it, your site has the malware.

Check Admin Users

Look for:

  • Username: adminbackup
  • Email: adminbackup@wordpress.org
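
Because the malware filters what the WordPress admin screens show, the three checks above are more reliable when run against the files and a database dump directly. The Python script below is an added example, not code from the original article: it scans a site backup for the indicators listed on this page. It assumes a mysqldump-style dump with single-quoted values; the function names and the sample backup built in demo() are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Indicators as given in this article.
PLUGIN_DIR = "wp-compat"
HEADER_MARKERS = ("WP Compatibility Patch", "WP Core Contributors")
DB_MARKERS = ("_pre_user_id", "adminbackup", "adminbackup@wordpress.org")

def scan_files(wp_root):
    """Inspect plugin folders on disk, independent of what wp-admin lists."""
    findings = []
    for sub in ("plugins", "mu-plugins"):
        base = Path(wp_root) / "wp-content" / sub
        if not base.is_dir():
            continue
        if (base / PLUGIN_DIR).is_dir():
            findings.append(f"folder {sub}/{PLUGIN_DIR}")
        for php in sorted(base.rglob("*.php")):
            head = php.read_text(errors="replace")[:8192]  # header comment is at the top
            for marker in HEADER_MARKERS:
                if marker in head:  # also catches a renamed folder
                    findings.append(f"header {marker!r} in {php.relative_to(wp_root)}")
    return findings

def scan_dump(sql_path):
    """Search a SQL dump for the option row and the hidden account."""
    findings = []
    with open(sql_path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for marker in DB_MARKERS:
                # Assumed single-quoted values; quotes stop the username matching inside the e-mail.
                if f"'{marker}'" in line:
                    findings.append(f"dump line {lineno}: {marker}")
    return findings

def demo():
    """Scan a constructed backup (sample data, not from a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plug = root / "wp-content" / "plugins" / "wp-compat"
        plug.mkdir(parents=True)
        (plug / "wp-compat.php").write_text(
            "<?php\n/*\nPlugin Name: WP Compatibility Patch\nAuthor: WP Core Contributors\n*/\n")
        dump = root / "backup.sql"
        dump.write_text(
            "INSERT INTO `wp_options` VALUES (901,'_pre_user_id','7','yes');\n"
            "INSERT INTO `wp_users` VALUES (7,'adminbackup','x','adminbackup',"
            "'adminbackup@wordpress.org','','2025-01-01 00:00:00','',0,'adminbackup');\n")
        return scan_files(root), scan_dump(dump)
```

On a real backup, call scan_files() with the WordPress root folder and scan_dump() with the path to the exported .sql file; an empty list from both means none of this page's indicators were found.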

Use Security Plugins

Install one of these free scanners:

  • Wordfence: scans files and database, detects hidden backdoors
  • Sucuri: checks files and monitors security

How to Remove WP-Compat Malware

  1. Back up your site first.
  2. Access your site files via FTP or hosting file manager.
  3. Delete the wp-compat folder completely.
  4. Clean the database:
    • Delete _pre_user_id from wp_options
    • Find and delete the fake admin user (adminbackup)
  5. Check for more malware: look at wp-config.php, theme files, uploads, mu-plugins, and other plugin files.
  6. Change all passwords—admin, database, FTP, hosting, email.
  7. Update WordPress, plugins, and themes to the latest versions.
  8. Scan again to verify the site is clean.

How to Prevent Future Infections

  • Use strong passwords.
  • Enable two-factor authentication.
  • Update everything regularly.
  • Delete unused plugins and themes.
  • Install security plugins like Wordfence or Sucuri.
  • Use a web firewall.
  • Limit login attempts.
  • Set correct file permissions.
  • Make backups daily.
  • Check the mu-plugins folder each month.
  • Hide your WordPress version.
  • Disable file editing in WordPress.
  • Use HTTPS (SSL) security.
  • Monitor your site regularly for suspicious activity.

In 2025, WordPress Security Is More Important Than Ever

Hackers use AI to attack websites faster and smarter. Old plugins, weak passwords, and outdated software make your site vulnerable. Preventing problems now saves you big trouble later.

Key Points:

  • WP-Compat is malware disguised as a plugin, not a real plugin
  • It hides in your site and makes a secret admin account
  • It’s very hard to remove without cleaning both files and database
  • Use strong security practices to protect your website

Take Action Today

  • Check your plugins folder for wp-compat
  • Scan your database for _pre_user_id
  • Look for the adminbackup user account
  • Install a security plugin
  • Change all passwords
  • Update WordPress, plugins, and themes
  • Make backups every day

Final Words

The wp-compat malware is a serious threat. It’s designed to hide itself and give hackers full control. If you find it on your site, act immediately to clean and secure your website. Good security now will keep your website safe from hackers in the future. For professional malware removal, hire me today at MD Pabel’s WordPress Malware Removal Service.


About the Author

MD Pabel


MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7+ years of experience, he has completed more than 3200+ projects, served over 2300+ clients, and resolved 4500+ cases of malware and hacked websites.