Attackers are using SQL triggers as a backdoor to create a malicious admin user whenever a special comment is submitted to an infected WordPress website.