WordPress powers over 40% of the web, and that makes it an irresistible target for attackers. Security researchers at Sucuri and recent reports from SC Media highlight a troubling new trend: stealth backdoors disguised as legitimate utilities and hidden in places many admins never think to check.
How the Attack Works
- Hiding in Plain Sight
Attackers drop a malicious loader into the wp-content/mu-plugins folder. Unlike regular plugins, must-use plugins (mu-plugins) are loaded automatically on every request: WordPress executes every PHP file sitting directly in that folder, they cannot be deactivated from the dashboard, and they are listed only under a separate "Must-Use" tab of the Plugins screen rather than alongside ordinary plugins. Most administrators never open that tab, which makes the folder a convenient hiding spot.
- Loader + Payload
The loader looks like a harmless utility file but fetches and decodes obfuscated payloads (using tricks like ROT13 and base64). The payloads themselves are stored in the database under innocuous option keys such as _hdra_core, so file-based scanners never see the malicious code on disk.
- Reinstatement Mechanism
If the malware is removed, the backdoor can reinstate itself, sometimes through a disguised plugin (php-ini.php) or by creating hidden admin users with elevated privileges, triggered only when a special URL parameter is passed.
- Admin Takeover
Some variants overwrite or reset credentials for accounts like admin or root, ensuring persistent access even if legitimate admins try to lock things down.
Why This Matters
- Invisible to normal plugin audits – most site owners never check mu-plugins.
- Database persistence – by storing payloads in wp_options, it evades file-integrity checks that only compare files on disk against a known-good baseline.
- Self-healing – simply removing the malicious file may not kill the infection.
- Total compromise – once admin credentials are under attacker control, nothing else matters.
What You Can Do
- Audit mu-plugins regularly – add this folder to your monitoring scripts, record a hash of every PHP file in it, and treat any file nobody can account for as suspect.
- Check the database – scan the wp_options table for unfamiliar keys whose values are long base64 or ROT13 blobs, and do this before deleting the loader, since the database copy is what lets the infection come back.
- Audit users – review administrator accounts and watch for hidden or unexpected ones.
- Enforce deployment hygiene – only allow trusted code to be deployed, and tighten write permissions on the server so the web server user cannot write into wp-content/mu-plugins.
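The attack chain described above (a loader in mu-plugins that pulls a ROT13/base64-wrapped payload out of wp_options) and the audit steps in this list, as one added shell example. This is not code from Sucuri, SC Media or WordPress itself. It assumes the default wp_ table prefix, a Linux host with sha256sum (falling back to shasum), and tab-separated exports of wp_options and of the users/capabilities join that you produce with your own mysql or WP-CLI invocation; every file and row it creates is a constructed fixture, including the stand-in loader and the _hdra_core blob.

```shell
#!/bin/sh
# Added example (not code from the Sucuri or SC Media reports): a small,
# offline audit of wp-content/mu-plugins and of wp_options / user exports.
# All file contents and table rows below are constructed fixtures.

# Constructs that are sometimes legitimate but, in a file nobody can account
# for, are the hallmarks of a loader: dynamic code execution plus decoding.
SUSPICIOUS_PHP='(eval\(|base64_decode\(|str_rot13\(|gzinflate\(|create_function\(|\$_(GET|POST|REQUEST)\[)'

# Hash and classify every PHP file WordPress will auto-load. Only files
# directly inside mu-plugins are loaded (subdirectories are not), so that is
# the set to watch. Usage: audit_mu_plugins /var/www/html/wp-content/mu-plugins
audit_mu_plugins() {
    dir="$1"
    [ -d "$dir" ] || { echo "no mu-plugins directory at $dir"; return 0; }
    find "$dir" -maxdepth 1 -type f -name '*.php' | sort | while read -r f; do
        hash=$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f") | cut -c1-16)
        if grep -qE "$SUSPICIOUS_PHP" "$f"; then
            echo "SUSPECT $hash $f"
        else
            echo "ok      $hash $f"
        fi
    done
}

# Scan a tab-separated wp_options export (option_name, option_value), e.g.
#   mysql -B -N -e "SELECT option_name, option_value FROM wp_options" db > options.tsv
# and flag values that are long base64 runs or mention ROT13/base64 decoding.
scan_options() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name value; do
        if printf '%s' "$value" | grep -qE '[A-Za-z0-9+/]{60,}={0,2}|str_rot13|base64_decode'; then
            echo "SUSPECT $name (${#value} bytes)"
        fi
    done < "$1"
}

# List logins holding the administrator role from a tab-separated export of
# wp_users joined to wp_usermeta on meta_key = 'wp_capabilities'
# (user_login, meta_value). Compare the output with the accounts you expect.
list_admins() {
    tab=$(printf '\t')
    while IFS="$tab" read -r login caps; do
        case "$caps" in
            *'"administrator"'*) echo "$login" ;;
        esac
    done < "$1"
}

# Build a throwaway fixture so the functions can be tried without a site.
# Prints the fixture's root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/mu-plugins"
    cat > "$root/mu-plugins/admin-bar.php" <<'EOF'
<?php
// Constructed benign mu-plugin: hides the admin bar on the front end.
add_filter('show_admin_bar', '__return_false');
EOF
    cat > "$root/mu-plugins/loader.php" <<'EOF'
<?php
// Constructed stand-in for a loader: pulls a blob out of wp_options,
// unwraps the ROT13 + base64 layers and executes the result.
$p = get_option('_hdra_core');
if ($p) { eval(str_rot13(base64_decode($p))); }
EOF
    # A 75-character base64 run plus padding, standing in for a stored payload.
    blob=''
    i=0
    while [ "$i" -lt 5 ]; do blob="${blob}aGVsbG8gd29ybGQ"; i=$((i + 1)); done
    blob="${blob}="
    printf 'siteurl\thttps://example.com\n_hdra_core\t%s\nblogname\tExample Site\n' \
        "$blob" > "$root/options.tsv"
    printf 'alice\ta:1:{s:13:"administrator";b:1;}\nbob\ta:1:{s:6:"editor";b:1;}\nsys_backup\ta:1:{s:13:"administrator";b:1;}\n' \
        > "$root/users.tsv"
    echo "$root"
}
```

Run audit_mu_plugins against the real folder from cron and diff the hash column against the last known-good run; a new SUSPECT line, or a changed hash on a file you did not deploy, is the cue to look at wp_options and the administrator list before deleting anything, because the reinstatement mechanism described above means that removing the file first can leave the database copy and the hidden account intact.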
The Bigger Picture
This wave of attacks highlights how attackers evolve: when security teams catch one method, they shift to another. In this case, they're exploiting the fact that even seasoned WordPress developers rarely think to check mu-plugins or dig into option keys.
It’s another reminder that WordPress security isn’t just about patching — it’s about knowing where attackers hide, and expanding your monitoring accordingly.
Final Thought
If you run or manage WordPress sites: don't ignore this. Next time you clean up a malware infection, double-check mu-plugins and your database. Otherwise, you might just be cleaning the surface while the real backdoor lives on.