MalCare Detects Hidden Admin PHP Backdoors That Enable Repeat WordPress Hacks
Most WordPress malware scanners focus on finding malicious code by comparing files against a database of malware signatures.
MalCare has always focused on the intended behaviour of code (also known as heuristic analysis) rather than on a signature database alone, which has set it apart from the crowd.
Because we have always known: not all compromises rely on visible malware.
Today, we’re announcing an enhancement to the MalCare malware scanner that adds detection for a new class of PHP backdoors in WordPress. These scripts quietly create administrator accounts on compromised sites so attackers can regain control time after time after time.
Hackers use backdoors to create admin accounts
MalCare detects PHP backdoors whose primary purpose is to add or preserve administrator access on a WordPress site. The technique is similar in principle to a privilege escalation attack, where an ordinary account is upgraded to an admin role to allow more access.
These backdoors are not designed to break a site or draw attention. Instead, they ensure persistence.
Even if visible malware is discovered and removed, a hidden admin account allows an attacker to:
Unless this backdoor access is identified and removed, cleanup is often temporary, which is why reinfections occur.
The issue is widespread but well hidden
In the last seven days alone, MalCare detected this behaviour on around 600 WordPress sites.
In many of these cases, the site appeared to function normally. There was no obvious impact of the malware, and therefore the compromise would have been easy to miss.
The backdoor created fake admin accounts, and then systematically hid them from the various user views in wp-admin.
The user counts would look the same as before, and there would be no suspicious accounts in the list. Anyone managing user accounts on the site would be none the wiser.
This makes access-based backdoors especially risky: they allow attackers to stay in control while remaining largely invisible to site owners.
🚨 While the fake admin accounts were hidden from wp-admin, you would have been able to see them on the MalCare dashboard.
This is why symptoms of malware on a site can be so disconcerting. If you don’t have the right tools in place, you can miss some important signs of hacking.
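Because the hidden accounts still exist in the database, the administrator list read straight from the database can be compared with what wp-admin shows. The following script is an added example, not MalCare's detection code; the rows, logins and approved list are constructed, and it assumes the capabilities values have already been exported from the wp_usermeta table.

```python
import re

# Constructed sample: (user_login, meta_value) rows as exported from wp_users
# joined to wp_usermeta on meta_key '<prefix>capabilities' ('wp_capabilities'
# with the default table prefix). All logins are made up.
DB_ROWS = [
    ("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_amy", 'a:1:{s:6:"editor";b:1;}'),
    ("wp_support_sys", 'a:1:{s:13:"administrator";b:1;}'),
    ("former_admin", 'a:1:{s:13:"administrator";b:0;}'),
    ("shop_bob", 'a:2:{s:8:"customer";b:1;s:13:"administrator";b:1;}'),
]
# Constructed sample: logins listed on the wp-admin Users screen.
VISIBLE_IN_WP_ADMIN = {"siteowner", "editor_amy", "former_admin", "shop_bob"}
APPROVED_ADMINS = {"siteowner"}  # hypothetical list kept by the site owner

# One string-key/boolean pair of a PHP-serialized array: s:<len>:"<name>";b:<0|1>;
PAIR = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def granted_roles(serialized):
    """Return the role names whose flag is true in a serialized capabilities value."""
    return {
        name
        for length, name, flag in PAIR.findall(serialized)
        if int(length) == len(name.encode()) and flag == "1"
    }

def audit_admins(db_rows, visible_logins, approved_admins):
    """Flag database administrators that wp-admin does not show or nobody approved."""
    findings = []
    for login, caps in db_rows:
        if "administrator" not in granted_roles(caps):
            continue  # a substring match would wrongly count a b:0 entry
        reasons = []
        if login not in visible_logins:
            reasons.append("hidden from wp-admin")
        if login not in approved_admins:
            reasons.append("not on approved list")
        if reasons:
            findings.append((login, reasons))
    return findings

if __name__ == "__main__":
    for login, reasons in audit_admins(DB_ROWS, VISIBLE_IN_WP_ADMIN, APPROVED_ADMINS):
        print(f"{login}: {', '.join(reasons)}")
```

An account that is an administrator in the database but missing from the wp-admin list is the pattern described above; an unapproved but visible administrator is reported separately so it can be reviewed too.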
Where we found the backdoors
Based on scan data, this malware most often appears inside trusted WordPress files and folders, including:
By embedding themselves in legitimate code paths, these backdoors avoid suspicion and manual review.
☠️ The backdoors were also found in a fake plugin called wp-compat.
How MalCare detects this now
With this update, we have added more signals to MalCare's intelligent threat heuristics.
It scans PHP code for signals associated with unauthorised access creation and persistence, not just visible payloads.
This includes detecting logic that:
Backdoors are the biggest cause of reinfection
One of the most common causes of repeat infections is undetected access persistence.
For site owners, that means: