
A Stealthy New WordPress Backdoor: Why You Should Be Checking mu-plugins

WordPress powers over 40% of the web, and that makes it an irresistible target for attackers. Security researchers at Sucuri and recent reports from SC Media highlight a troubling new trend: stealth backdoors disguised as legitimate utilities and hidden in places many admins never think to check.

How the Attack Works

  1. Hiding in Plain Sight
    Attackers drop a malicious loader into the wp-content/mu-plugins folder. WordPress loads every top-level .php file in that directory on every request, before regular plugins, with no activation step. Must-use plugins (mu-plugins) never appear in the main plugin list or in the active_plugins option that many audit scripts read; the dashboard only shows them under a separate Must-Use tab, and they cannot be deactivated or deleted from there. That makes the folder an effective hiding spot.
  2. Loader + Payload
    The loader itself looks like a harmless utility file. The real payload is not on disk at all: it is stored in the wp_options table under an innocuous option name such as _hdra_core, obfuscated with ROT13 and base64, and the loader reads it through the normal options API, decodes it and executes it at runtime. A file-based scanner sees only a small, bland file and misses the stage that matters.
  3. Reinstatement Mechanism
    If the loader is removed, the backdoor can reinstate itself. The reinstatement logic may live in a second disguised plugin (php-ini.php), and the routine that creates hidden administrator users fires only when a request carries a specific URL parameter, so it does nothing observable until the attacker triggers it.
  4. Admin Takeover
    Some variants overwrite or reset credentials for accounts like admin or root, ensuring persistent access even if legitimate admins try to lock things down.

Why This Matters

  • Invisible to normal plugin audits – most site owners never check mu-plugins, and the usual plugin list does not show them.
  • Database persistence – because the payload lives in wp_options, a file-integrity check that accepts the loader file reports nothing wrong.
  • Self-healing – deleting the loader may not kill the infection while the payload and the reinstatement logic remain.
  • Total compromise – once admin credentials are under attacker control, nothing else matters.

What You Can Do

  • Audit mu-plugins regularly – add the folder to your monitoring scripts and compare its contents with the list of files you actually deployed, since a loader is built to look harmless.
  • Check the database – look in the wp_options table for option names you do not recognise and for values that are long base64 or ROT13 blobs, and decode them rather than assuming they are settings; autoloaded options deserve the first look.
  • Audit users – review administrator accounts and watch for hidden or unexpected ones, including accounts created at odd times.
  • Enforce deployment hygiene – deploy code only through a trusted path such as version control or a build pipeline, and make wp-content/mu-plugins and the rest of the code base non-writable by the web server user so a compromised PHP process cannot drop a loader there.
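The following script is an added example, not code from the original post or from the researchers it cites. It performs the mu-plugins, wp_options and administrator checks listed above offline, and undoes the ROT13 and base64 layering described in step 2 of the attack so a stored blob can be read rather than guessed at. Everything specific in it is my assumption rather than something the post states: the sample file names, the constructed loader and payload, the tab-separated export format (what `mysql --batch` prints), and the plain-text allowlists of expected mu-plugin files and administrator logins.

```shell
#!/bin/sh
# Added example, not code from the original post or the researchers it cites.
# Offline audit of the three hiding spots the post describes. My assumptions:
# the site root holds wp-content/mu-plugins; the wp_options and administrator
# lists are tab-separated exports with a header row (what `mysql --batch`
# prints); allowlists are plain files, one expected name per line. Everything
# make_sample() creates, including its fake loader, is constructed for the demo.
set -u

rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# 1. Every *.php directly inside wp-content/mu-plugins runs on every request
#    with no activation step, and WordPress does not skip dotfiles, so use find
#    rather than a shell glob. Anything not on the allowlist is a finding; the
#    grep for decode/exec primitives only says which findings to open first.
audit_mu_plugins() {
  dir="$1/wp-content/mu-plugins"; allow="$2"
  [ -d "$dir" ] || { echo "no-mu-plugins-dir"; return 0; }
  find "$dir" -maxdepth 1 -name '*.php' | sort | while IFS= read -r f; do
    name=$(basename "$f")
    if grep -qxF "$name" "$allow"; then
      echo "$name allowlisted"
    elif hit=$(grep -oE 'eval\(|base64_decode|str_rot13|gzinflate|gzuncompress|create_function' "$f" | head -n1) && [ -n "$hit" ]; then
      echo "$name suspicious:$hit"
    else
      echo "$name review"
    fi
  done
}

# 2. Undo the layering the post describes (ROT13 and base64, in either order)
#    and print the first layer that reads as PHP; prints nothing if none does.
decode_layers() {
  plain=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '[:print:]\n')
  rotted=$(printf '%s' "$1" | rot13 | base64 -d 2>/dev/null | tr -cd '[:print:]\n')
  for cand in "$plain" "$rotted" "$(printf '%s' "$plain" | rot13)"; do
    if printf '%s' "$cand" | grep -qE '<\?php|eval\(|\$_(GET|POST|REQUEST|COOKIE)'; then
      printf '%s' "$cand"; return 0
    fi
  done
  return 0
}

# 3. Scan a wp_options export (option_name, autoload, option_value) for values
#    that are long base64-looking blobs. Autoloaded ones deserve the first look:
#    the loader gets them on every request without a separate query.
audit_options() {
  while IFS="$(printf '\t')" read -r name autoload value; do
    [ "$name" = "option_name" ] && continue
    printf '%s' "$value" | grep -qE '^[A-Za-z0-9+/=]{100,}$' || continue
    if [ -n "$(decode_layers "$value")" ]; then
      echo "$name $autoload php-after-decode"
    else
      echo "$name $autoload long-base64"
    fi
  done < "$1"
}

# 4. Compare the administrator export (ID, user_login, user_registered) with
#    the accounts you expect; a hidden admin created by the backdoor lands here.
audit_admins() {
  while IFS="$(printf '\t')" read -r id login registered; do
    [ "$id" = "ID" ] && continue
    grep -qxF "$login" "$2" || echo "$login unexpected-admin registered=$registered"
  done < "$1"
}

# Constructed sample: a benign mu-plugin, a fake loader in the style the post
# describes, a dotfile, and an options export whose payload (a harmless echo)
# is stored as rot13(base64(php)). Prints the sample directory.
make_sample() {
  d=$(mktemp -d); mu="$d/site/wp-content/mu-plugins"; mkdir -p "$mu"
  printf '<?php\n// health-check.php: benign and expected\nadd_action("init", "hc_ping");\n' > "$mu/health-check.php"
  printf '<?php\n// php-ini.php: constructed stand-in for the loader\neval(base64_decode(str_rot13(get_option("_hdra_core"))));\n' > "$mu/php-ini.php"
  printf '<?php\n// .cache.php: a dotfile, still loaded by WordPress\necho gzinflate("");\n' > "$mu/.cache.php"
  echo health-check.php > "$d/expected-mu.txt"
  payload='<?php /* constructed stand-in for the stored second stage */ echo "stage two"; add_action("init", "hdra_x");'
  blob=$(printf '%s' "$payload" | base64 | tr -d '\n' | rot13)
  printf 'option_name\tautoload\toption_value\nsiteurl\tyes\thttps://example.test\n_hdra_core\tyes\t%s\nblogname\tyes\tExample\n' "$blob" > "$d/options.tsv"
  printf 'ID\tuser_login\tuser_registered\n1\tadmin\t2023-01-10 09:00:00\n7\twp_support\t2024-05-02 03:14:07\n' > "$d/admins.tsv"
  echo admin > "$d/expected-admins.txt"
  echo "$d"
}

# Real use: audit.sh <site-root> <expected-mu.txt> <options.tsv> <admins.tsv> <expected-admins.txt>
# With no arguments it runs against the constructed sample and then removes it.
if [ $# -eq 5 ]; then
  audit_mu_plugins "$1" "$2"; audit_options "$3"; audit_admins "$4" "$5"
else
  s=$(make_sample)
  audit_mu_plugins "$s/site" "$s/expected-mu.txt"
  audit_options "$s/options.tsv"
  audit_admins "$s/admins.tsv" "$s/expected-admins.txt"
  rm -rf "$s"
fi
```

To run it against a real site, produce the two exports with the mysql client in batch mode, which writes the tab-separated form the script reads (this assumes the default wp_ table prefix): `mysql --batch -e "SELECT option_name, autoload, option_value FROM wp_options" dbname > options.tsv` and `mysql --batch -e "SELECT u.ID, u.user_login, u.user_registered FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'" dbname > admins.tsv`. Batch mode escapes tabs and newlines inside values, which does not affect a base64 blob. The allowlist of expected mu-plugin files should come from your deployment repository, not from the server being checked, since a compromised server is exactly what you are trying to audit. The decode step is deliberately limited to the two transformations the post names; a payload wrapped in gzip or a custom cipher will show up as `long-base64` and still needs a manual look.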

The Bigger Picture

This wave of attacks highlights how attackers evolve: when security teams catch one method, they shift to another. In this case, they’re exploiting the fact that even seasoned WordPress developers rarely think to check mu-plugins or dig into option keys.

It’s another reminder that WordPress security isn’t just about patching — it’s about knowing where attackers hide, and expanding your monitoring accordingly.


Final Thought

If you run or manage WordPress sites: don’t ignore this. Next time you clean up a malware infection, double‑check mu-plugins and your database. Otherwise, you might just be cleaning the surface while the real backdoor lives on.
