Hidden Backdoor in WordPress Plugins Grants Attackers Ongoing Access to Websites

Security researchers have discovered a concerning trend in which a highly skilled malware campaign has been targeting WordPress websites by using the frequently disregarded mu-plugins directory to insert a covert backdoor.

This directory, short for “must-use plugins,” houses automatically activated plugins that cannot be deactivated through the standard WordPress admin interface, making it an ideal hiding spot for persistent threats.

The malware, disguised as a innocuous file named wp-index.php within /wp-content/mu-plugins/, functions as a loader that discreetly retrieves a remote payload from a ROT13-obfuscated URL, decodes it, and executes arbitrary PHP code.

This tactic echoes a similar infection wave reported in March 2025, underscoring the evolving strategies attackers employ to maintain long-term access to compromised websites.

Persistent Threat in MU-Plugins

By leveraging WordPress’s core functions for payload fetching and execution, the malware ensures it operates silently, evading routine filesystem scans and blending seamlessly with legitimate site operations.

According to Sucuri Report, the ROT13 obfuscation technique, a simple Caesar cipher shifting letters by 13 positions in the alphabet, serves no real cryptographic purpose but effectively conceals malicious URLs during initial infection stages.

For instance, the encoded string ‘uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc’ decodes to hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php, from which the base64-encoded payload is downloaded.

This payload is then stored in the WordPress database under the option key _hdra_core, providing a non-filesystem persistence mechanism that complicates detection by security tools.

The script validates the base64 integrity before temporarily writing the decoded content to a file like .sess-[hash].php in the uploads directory, including it for execution, and promptly deleting it to minimize forensic traces.

Additionally, the malware creates a hidden administrator account named ‘officialwp’ and injects a file manager into the theme directory as pricing-table-3.php, accessible via a custom HTTP header token for operations such as file browsing, uploading, and deletion.

Multifaceted Malware Capabilities

Delving deeper into the payload hosted at the decoded cron.php endpoint, analysts found a comprehensive backdoor framework that extends beyond mere persistence.

The malware downloads and force-activates a secondary plugin, wp-bot-protect.php, from another ROT13-obfuscated URL decoding to hxxps://1870y4rr4y3d1k757673q[.]xyz/shp, which can reinstate the infection if primary components are removed.

A particularly insidious feature involves programmatically resetting passwords for common admin usernames including ‘admin’, ‘root’, ‘wpsupport’, and even its own ‘officialwp’ to an attacker-controlled default, effectively locking out legitimate users and ensuring re-entry.

This dynamic command execution capability allows remote PHP code injection, enabling attackers to adapt the malware’s behavior on-the-fly, such as embedding additional backdoors or suppressing security plugins.

The broader impact of this infection is profound, granting attackers unrestricted administrator privileges to manipulate site content, exfiltrate sensitive user data, or repurpose the site for phishing, ransomware distribution, or distributed denial-of-service (DDoS) attacks against third parties.

Its multi-layered evasion techniques, including database storage, temporary file handling, and self-reinforcement via plugins, render it exceptionally resilient to standard remediation efforts.

Website owners are urged to scan for indicators like the wp-index.php file, the _hdra_core database entry, and anomalous admin users, while implementing strict file integrity monitoring and regular database audits to mitigate such threats.

This incident highlights the critical need for enhanced vigilance in lesser-known WordPress directories, as attackers continue to exploit architectural nuances for sustained, covert operations.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now