Jul 24, 2025Ravie LakshmananCybersecurity / Net Safety
Cybersecurity researchers have uncovered a brand new stealthy backdoor hid inside the “mu-plugins” listing in WordPress websites to grant risk actors persistent entry and permit them to carry out arbitrary actions.
Should-use plugins (aka mu-plugins) are particular plugins which might be mechanically activated on all WordPress websites within the set up. They’re positioned within the “wp-content/mu-plugins” listing by default.
What makes them a beautiful choice for attackers is that mu-plugins don’t present within the default checklist of plugins on the Plugins web page of wp-admin and can’t be disabled besides by eradicating the plugin file from the must-use listing.
In consequence, a bit of malware that leverages this system permits it to perform quietly, with out elevating any purple flags.
Within the an infection noticed by internet safety firm Sucuri, the PHP script within the mu-plugins listing (“wp-index.php”) serves as a loader to fetch a next-stage payload and reserve it within the WordPress database inside the wp_options desk below _hdra_core.
The distant payload is retrieved from a URL that is obfuscated utilizing ROT13, a easy substitution cipher that replaces a letter with the thirteenth letter after it (i.e., A turns into N, B turns into O, C turns into P, and so forth).
“The fetched content material is then quickly written to disk and executed,” safety researcher Puja Srivastava stated. “This backdoor offers the attacker persistent entry to the location and the power to run any PHP code remotely.
Particularly, it injects a hidden file supervisor into the theme listing as “pricing-table-3.php,” allowing risk actors to browse, add, or delete information. It additionally creates an administrator person named “officialwp” after which downloads a malicious plugin (“wp-bot-protect.php”) and prompts it.
Moreover reinstating the an infection within the occasion of deletion, the malware incorporates the power to vary the passwords of widespread administrator usernames, corresponding to “admin,” “root,” and “wpsupport,” to a default password set by the attacker. This additionally extends to its personal “officialwp” person.
In doing so, the risk actors can get pleasure from persistent entry to the websites and carry out malicious actions, whereas successfully locking out different directors. This will vary from knowledge theft to injecting code that may serve malware to web site guests or redirect them to different scammy websites.
“The attackers acquire full administrator entry and a persistent backdoor, permitting them to do something on the location, from putting in extra malware to defacing it,” Srivastava stated. “The distant command execution and content material injection options imply the attackers can change the malware’s conduct.”
To mitigate towards these threats, it is important that web site house owners replace WordPress, themes, and plugins periodically, safe accounts utilizing two-factor authentication, and repeatedly audit all sections of the location, together with theme and plugin information.
