New WordPress Malware Creates Hidden Admin Accounts While Your Security Tools Are Clueless

Your WordPress security plugins missed the memo—and the malware.

By Marco Rizal - Editor, Journalist

  • 14 top WordPress security scanners, including Wordfence, failed to detect this malware.
  • Malware hides in the wp_options table and creates hidden admin accounts.
  • Sites are redirected to malicious URLs without the owners even knowing.

A security researcher on Reddit discovered a concerning new type of malware that infects multiple WordPress installations.

This malware is especially sneaky because it bypasses all major security scanners, including well-known names like Wordfence, MalCare, and Sucuri.

It hides deep within WordPress databases, employing advanced techniques to create hidden admin users, insert malicious redirects, and hide critical security plugins from site administrators.

Despite scanning with 14 popular WordPress security tools, none detected the malware.

This oversight exposes countless WordPress sites, especially those with weak passwords.

The infected sites were development websites with test subdomains that were not indexed by search engines, making them ideal targets.

How Does the Malware Work?

This malware is not your typical infection. It works by infiltrating the WordPress database and creating hidden admin accounts, allowing hackers to control the website without the owner’s knowledge.

Once inside, the malware makes itself even more difficult to detect by hiding key security plugins from the admin dashboard, such as “Code Snippets.”

This means that even if a site owner attempts to check for problems, they will not see any alerts or warnings in the expected locations.

Post by security researcher (Credit: NonSonoKoreano)

Furthermore, the malware redirects non-logged-in users and visitors from specific IP addresses to malicious external websites.

The website owner is completely unaware of these redirections because they are not visible in the admin panel.

What makes this even more concerning is that the malware conceals its activities so well that none of the major security scanners detected it.

The infected data is hidden deep within the wp_options table, specifically in options such as wpcode_snippets and siteurl, rendering it invisible to standard WordPress security tools.

The only way the Reddit user discovered it was by manually running a SQL query against suspicious database entries. So, if you only use plugins to secure your WordPress site, this malware could go undetected.

What Can You Do?

If you manage a WordPress site, you should be concerned—especially if you rely on standard security plugins to keep it safe.

The researcher suggested manually checking your wp_options table for suspicious entries and shared a script that can detect malicious code across multiple installations.

They also recommend that you reset your credentials (admin passwords, database credentials, FTP, etc.) and manually delete any suspicious database entries discovered by the scanner.
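The manual database check described above could start with read-only queries like the following. This is an added example, not the researcher's script. It assumes MySQL/MariaDB and the default wp_ table prefix, and the search patterns in the second query are generic heuristics chosen for illustration rather than indicators published for this malware.

```sql
-- Added example: read-only review queries. Assumes the default "wp_" table
-- prefix; change it if wp-config.php sets a different $table_prefix.

-- 1. The two options named in the article. siteurl (and its companion, home)
--    should hold only your own site address.
SELECT option_id, option_name, LENGTH(option_value) AS bytes,
       LEFT(option_value, 300) AS preview
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'wpcode_snippets');

-- 2. Any option whose value contains script or PHP-execution markers.
--    Generic heuristics picked for this example; expect some hits from
--    legitimate plugins and review each one by hand.
SELECT option_id, option_name, autoload, LENGTH(option_value) AS bytes
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode%'
   OR option_value LIKE '%wp_redirect%'
ORDER BY bytes DESC;

-- 3. Every account holding the administrator role, read straight from the
--    database so accounts hidden from the dashboard list still appear.
--    Note that the capabilities meta key carries the table prefix.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;
```

Compare the third result against the user list shown in the dashboard: an administrator that appears only in the query output is the kind of hidden account the article describes.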

SecuPress and GOTMLS developers have responded to the problem and are currently working on updates to better detect this malware.

The Bigger Picture

The real kicker? This malware entered the system via weak passwords rather than plugin vulnerabilities or complex attacks.

So, if you still use “password123” on your WordPress site, now is the time to change it.

Also, triple-check those security plugins—you never know what lurks beneath the surface.
