Security researchers have uncovered a sophisticated WordPress malware campaign that exploits the rarely monitored mu-plugins directory to establish persistent backdoors on compromised websites.
The malicious code, discovered in the file wp-content/mu-plugins/wp-index.php, represents a significant evolution in WordPress attack techniques, utilizing database storage and ROT13 obfuscation to evade traditional security scanning methods.
Sophisticated Evasion Techniques Target Must-Use Plugins
The attack leverages WordPress’s “must-use plugins” functionality, which automatically activates plugins in the mu-plugins directory without the ability to disable them through the admin panel.
This mechanism ensures the malware remains active even during routine security cleanups.
The malicious loader script employs ROT13 encoding to obfuscate its command-and-control server URL: str_rot13('uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc'), which decodes to hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php.
Once activated, the malware retrieves a base64-encoded payload from the remote server and stores it in WordPress’s options table under a specific key, _hdra_core.
This database storage method circumvents file-system-based security scans while maintaining persistence across server restarts and file cleanups.
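The following is an added defensive triage example, not code from the article or from any security vendor it cites. It statically scans the text of a must-use plugin file for the loader traits just described: it finds str_rot13() string literals, decodes them with Python's rot_13 codec, reports any URL they yield in defanged form, and counts the other indicator strings (base64 decoding, option reads/writes, the .sess- drop pattern). The sample file contents are constructed to mimic the described loader and carry only the ROT13 literal quoted above; the indicator list and the "two or more indicators" threshold are the example's own heuristics.

```python
from __future__ import annotations

import codecs
import re

# A single- or double-quoted string literal passed directly to str_rot13()
ROT13_CALL = re.compile(r"str_rot13\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Loader traits from the write-up, as plain substring indicators (heuristic, assumption)
INDICATORS = {
    "base64_decode": "decodes a base64 payload",
    "get_option": "reads a payload back from wp_options",
    "update_option": "stores data in wp_options (database-resident persistence)",
    ".sess-": "temporary .sess-[hash].php drop pattern in uploads",
}

# Constructed sample modelled on the loader described above; it is NOT the real malware
SAMPLE_LOADER = """<?php
$u = str_rot13('uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc');
$p = base64_decode(get_option('_hdra_core'));
"""

# Constructed benign must-use plugin for comparison
SAMPLE_BENIGN = """<?php
add_filter('auto_update_plugin', '__return_true');
"""


def defang(url: str) -> str:
    """Render a URL non-clickable: hxxp scheme and bracketed dots in the host only."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    out = f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}"
    return out + (f"/{path}" if path else "")


def decode_rot13_literals(source: str) -> list[str]:
    """Every str_rot13() string literal in `source`, decoded."""
    return [codecs.decode(m.group(2), "rot_13") for m in ROT13_CALL.finditer(source)]


def scan_mu_plugin(source: str) -> dict:
    """Static triage of one mu-plugin file's contents."""
    decoded = decode_rot13_literals(source)
    urls = [defang(u) for s in decoded for u in URL_RE.findall(s)]
    hits = [desc for needle, desc in INDICATORS.items() if needle in source]
    return {
        "decoded_strings": decoded,
        "urls": urls,
        "indicators": hits,
        # A hidden URL alone, or several loader traits together, is worth a manual look
        "suspicious": bool(urls) or len(hits) >= 2,
    }


if __name__ == "__main__":
    for label, src in (("constructed loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_mu_plugin(src))
```

In practice the function would be run over every file under wp-content/mu-plugins (a directory that legitimately holds very few files on most sites), and any decoded URL or option key it reports can then be checked against the database as the next step.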
The remote payload establishes multiple persistence mechanisms, including creating a hidden administrator account named “officialwp” and injecting a file manager (pricing-table-3.php) into the theme directory.
The malware also force-activates additional plugins downloaded from hxxps://1870y4rr4y3d1k757673q[.]xyz/shp and implements password reset functionality for common administrative usernames.
Comprehensive Site Compromise and Data Theft Risks
The backdoor grants attackers complete administrative control over compromised websites, allowing for arbitrary code execution, content manipulation, and data exfiltration.
Security analysts note that the malware’s ability to dynamically change administrator passwords for accounts including “admin,” “root,” and “wpsupport” represents a significant escalation in attack sophistication.
The temporary payload execution system writes decoded malware to .sess-[hash].php files in the uploads directory before immediate deletion, leaving minimal forensic traces.
This technique, combined with database storage, makes detection and removal particularly challenging for website administrators and automated security tools.
Prevention and Mitigation Strategies
Security experts recommend implementing comprehensive monitoring of the mu-plugins directory and regular auditing of WordPress user accounts for unauthorized administrators.
Critical preventive measures include maintaining updated WordPress installations, themes, and plugins, while restricting file editing capabilities through wp-config.php modifications using define('DISALLOW_FILE_EDIT', true).
Organizations should implement strong authentication policies, including two-factor authentication for administrative accounts, and conduct regular security scans that specifically examine database-stored content rather than relying solely on file-system monitoring.
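Two of the recommendations above, auditing WordPress user accounts for unauthorized administrators and scanning database-stored content rather than only the file system, can be combined into one audit query pass. The example below is added here and is not from the article; it builds an in-memory SQLite stand-in for the wp_options, wp_users and wp_usermeta tables (constructed rows, default "wp_" prefix), then runs two checks: option values that base64-decode to something containing PHP markers, and administrator logins absent from an approved list. Against a live site the same queries would run through a MySQL driver with the site's actual table prefix; the fake payload, the marker list and the approved-admin set are assumptions of the example.

```python
import base64
import binascii
import sqlite3

# Byte sequences that should never appear inside a decoded wp_options value (assumption)
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress tables, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options  (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users    (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    # Constructed placeholder payload: a harmless PHP snippet, base64-encoded like the real one
    fake_payload = base64.b64encode(b"<?php /* constructed placeholder */ echo 1;").decode()
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://example.com"),
        ("blogname", "Example Site"),
        ("_hdra_core", fake_payload),          # option key named in the write-up
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "2023-01-01 00:00:00"),
        (2, "editor", "2023-02-01 00:00:00"),
        (3, "officialwp", "2024-06-01 03:12:45"),  # account name named in the write-up
    ])
    # WordPress stores roles PHP-serialized under {prefix}capabilities
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


def options_hiding_php(conn: sqlite3.Connection) -> list:
    """Option names whose value base64-decodes to something that looks like PHP code."""
    flagged = []
    for name, value in conn.execute("SELECT option_name, option_value FROM wp_options"):
        if len(value) < 16:                    # too short to hold a payload; skip
            continue
        try:
            blob = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):   # not valid base64: ordinary setting text
            continue
        if any(marker in blob for marker in PHP_MARKERS):
            flagged.append(name)
    return flagged


def unexpected_admins(conn: sqlite3.Connection, known_admins) -> list:
    """Administrator logins that are not on the approved list, sorted."""
    rows = conn.execute("""
        SELECT u.user_login
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
    """)
    return sorted(login for (login,) in rows if login not in known_admins)


if __name__ == "__main__":
    db = build_sample_db()
    print("options carrying PHP:", options_hiding_php(db))
    print("unapproved admins:", unexpected_admins(db, {"admin"}))
```

The option check deliberately ignores the option name: a loader can pick any key, so the decoded content is what matters. The admin check relies on the serialized capabilities string, which is how WordPress records roles, so it also catches accounts whose role was changed after creation rather than only newly created ones.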
The discovery highlights the evolving nature of WordPress threats and underscores the need for multi-layered security approaches that account for both traditional file-based and database-resident malware variants.