Was ist das Plugin one_images_user?

In Bereinigungsfällen ist one_images_user häufig kein legitimes Plugin, sondern ein Tarnname. Der Code kann Administratoren anlegen, Nutzerlisten manipulieren und Löschversuche blockieren.

Wer oder was ist admlnlx in WordPress?

admlnlx ist häufig ein eingeschleuster Administrator-Benutzer. Oft wird er so versteckt, dass er in der Benutzerübersicht nicht erscheint und sich nicht normal löschen lässt.

Warum kann ich einen User nicht löschen (Invalid user ID)?

Das passiert, wenn Schadcode das WordPress-Backend manipuliert und das Bearbeiten oder Löschen eines bestimmten Benutzers gezielt verhindert.

one_images_user / admlnlx / adminbackup WordPress admins

Sometimes a WordPress site looks completely normal on the outside - and yet there is a backdoor inside. One particularly nasty pattern: names like one_images_user, admlnlx or adminbackup appear as new, unknown admin users. These are not “strange coincidences,” but often clear signs of an infection trying to secure permanent admin access.

This article is deliberately not a general “WordPress hacked” landing page. You may already have that. This page is about the specific issue: An admin is created, hidden, and deletion is sabotaged.

Contents

Quick self-check: Am I affected?
What is one_images_user?
Why admlnlx and adminbackup are so critical
How WordPress users are made “invisible”
Special case: wp_plugin/wp_plugin.php
What you should do now (practical steps)
FAQ

Quick self-check: If you see this, you are very likely affected

Typical indicators (IOCs):

Unknown users such as admlnlx or adminbackup (administrator role)
Plugin/folder names such as one_images_user or wp_plugin
The number shown for “Administrators” does not match the visible list
When editing/deleting, you get “Invalid user ID“
A plugin exists on the server but does not appear in the backend (or not reliably)

If even one of these points sounds familiar: do not wait. These backdoors often stay “quiet” until they become active again.

What is behind `one_images_user`?

one_images_user sounds like a normal plugin. That is exactly the trick: these malicious packages are often named to look “harmless” at a quick glance.

Typical behavior of such fake plugins

An admin user is created (e.g. admlnlx)
This user is hidden from the user overview
Deletion attempts are blocked (errors such as “Invalid user ID”)
An ID/option is stored in the database so the concealment continues to work permanently

Why `admlnlx` and `adminbackup` are so critical

These names seem arbitrary - but in practice they are often a clear sign of: backdoor accounts with administrator privileges. adminbackup sounds like an “emergency account,” but is usually exactly the opposite: an additional access point for third parties.

How WordPress users are made “invisible”

Many people think: “If I can’t see the user, it doesn’t exist.” Unfortunately, that is wrong. Backdoors use WordPress hooks to manipulate the admin interface without you immediately noticing what is happening.

What is often manipulated in the process:

pre_user_query: filters the backdoor user out of the SQL query
views_users: falsifies the counters (“All,” “Administrators”) so you do not become suspicious
Direct access to user-edit.php or deletion actions is blocked

The result is insidious: everything looks “normal” while an admin account exists in the background.

Special case: `wp_plugin/wp_plugin.php`

The folder name wp_plugin looks generic. In real malware cases, it is often a module that affects visitors - for example through overlays, redirects, or third-party content. Often this is not shown the same way to every person (e.g. only on certain devices / only a few times per cookie).

What you should do now (brief, but truly effective)

The safe order

Remove malicious components: completely remove fake plugins/malicious code
Remove backdoor users: admlnlx, adminbackup etc.
Rule out persistence: mu-plugins, uploads (PHP), suspicious DB options, cron jobs
Rotate access credentials: admin passwords, hosting/FTP, DB password, WordPress SALTs
Harden the site: enforce 2FA for admins + .htaccess (main file and wp-content)
Backup strategy: automate clean backups (and do not accidentally restore infected ones)

Important: “Just updating” is rarely enough with this pattern. What matters is that the backdoor does not come back.

FAQ

What is the plugin one_images_user?

In cleanup cases, one_images_user is often not a legitimate plugin, but a disguise name. It is typically used to create admin access and hide it so it does not clearly show up in the backend.

Who or what is admlnlx in WordPress?

admlnlx is often an injected administrator user. Such users are sometimes hidden so that they do not appear in the user list and deletion attempts fail.

What is the user adminbackup?

The name sounds “harmless,” but it is often an additional backdoor admin. If you did not create it yourself, you should treat it as a security incident.

Why does “Invalid user ID” appear when I try to delete a user?

This happens when malware manipulates the WordPress backend and deliberately prevents a specific user from being edited or deleted. In such cases, the malicious code must be removed first.

Why is the number of administrators incorrect?

A classic trick is to manipulate the counters in the user view (e.g. “minus 1”) so that the hidden admin goes unnoticed.

If you see these names, it is a clear warning sign

one_images_user admlnlx adminbackup wp_plugin/wp_plugin.php

Note: For security reasons, this article does not include step-by-step instructions. Its purpose is detection and assessment—so it is clear what you are dealing with and what needs to be done next.

Details: Last Updated: 19 February 2026

Add comment

Additional services

What clients say about us

Prev Next

“The migration of our Joomla website from PHP 5.3 to PHP 7 was completed very quickly, affordably, and with flawless results. Very good and friendly communication.”
– H. Bergmann

“Within one day, everything was done extremely professionally and extremely quickly. Very trustworthy. Excellent. 5 stars”
– Fernando V.

“I didn’t know how to help myself, but here I found the expertise needed to get everything cleaned up again. Necessary updates and backups were completed—everything was extremely affordable, fast, and done well!”
– Klaus-Peter

“The site looks great—everything just like before—and now on PHP 7.2—I’m impressed. Thank you very much!”
– Dr. Ingo Wuddel

“Since we run an online shop, it was very important for us that our site was quickly available again with full functionality for our customers. All work was carried out extremely quickly to our complete satisfaction.” – Löwen Handels GmbH

“Very fast, professional, and effective handling of the problem. In addition, I was given tips and Strato-specific information to reduce the risk of the problem recurring.”
– Heino B.

“The contact was especially friendly, and some additional cosmetic work was taken care of on their own—as if it were only natural. I am relieved and very grateful.”
– R. Mayer

“Super. In an absolute emergency, after 2 domains were suspended by Strato due to a hacker attack, both domains were temporarily brought back online the very same day.”
– I. Radchenko

“Outstanding service. Problem solved within 18 hours. We are thrilled. Thank you very much 🙏”
– Tien Sy Vuong

Website-Bereinigung.de Support Service

5.0 205 Reviews > 5

Contact options

This email address is being protected from spambots. You need JavaScript enabled to view it.
Contact form

Schedule a call
+49 (0)2406 969796
Mon. - Fri. | 9 am - 9 pm

one_images_user / admlnlx / adminbackup: When WordPress creates hidden admins