WordPress glossary

wp-adminerlzp Hidden Admin User

A persistence backdoor that re-creates a rogue WordPress administrator with a wp-adminerlzp-style username after every cleanup.

Last updated 27 June 2026 · Reviewed by Ali Yasin Jatoi

wp-adminerlzp is one signature in a family of hidden admin accounts injected by attackers after a WordPress compromise. The account is recreated by a malicious mu-plugin or trojanized core file on every page load, so deleting the user in /wp-admin/users.php alone does not fix it. Permanent removal requires finding and removing the persistence source (usually under wp-content/mu-plugins/, wp-config.php, or a trojanized wp-blog-header.php).

Where this applies on our service

Hidden admin user keeps coming back

Related terms

When this comes up in the wild

Need this fixed, not just defined?

We have shipped hundreds of fixes for exactly this kind of issue. Book a 20 minute call and we will tell you straight whether it is a quick fix or a bigger root cause.

Book a 20 minute call +92 346 600 8404

GEO (Generative Engine Optimization)mu-plugin Malware

Call Book a call