Hidden WordPress Backdoors Creating Admin Accounts

Sept. 24, 2025, 12:33 p.m.

Description

Two malicious files were discovered on a compromised WordPress website, designed to manipulate administrator accounts and maintain unauthorized access. The first file, disguised as a plugin called 'DebugMaster Pro', created a secret admin user and communicated with a command and control server. The second file, 'wp-user.php', ensured that a specific admin user with a known password was always present. Together, the two files gave the attackers a robust mechanism for persistent access, allowing them to control the site, inject spam, redirect visitors, or steal information. The malware also injected malicious scripts targeting visitors and tracked admin IP addresses. Cleaning requires removing the files, auditing accounts, resetting credentials, and hardening the site against reinfection.

Date

  • Created: Sept. 24, 2025, 10:31 a.m.
  • Published: Sept. 24, 2025, 10:31 a.m.
  • Modified: Sept. 24, 2025, 12:33 p.m.

Attack Patterns