A malware campaign targeting WordPress sites is using the often-overlooked mu-plugins directory to establish a persistent backdoor. The infection is layered: a small loader on disk, a payload kept in the database, short-lived files that are executed and deleted, a rogue administrator account, and a failsafe plugin that reinstalls the rest if any piece is removed. Together these layers slip past scans that look only at core files and the regular plugins list. This article describes how the malware works, how it evades detection, and what site owners should check.

Malware Mechanics: A Covert Backdoor

The loader is a file named wp-index.php placed in /wp-content/mu-plugins/. WordPress treats every PHP file in that directory as a "must-use" plugin: it is loaded on every request, does not appear in the normal plugins list, and cannot be deactivated from the admin interface. That behavior, which exists for legitimate hosting and site-wide code, also makes the directory an ideal hiding place for anything that needs to run persistently. wp-index.php fetches a remote payload from a ROT13-obfuscated URL, decodes it, and executes the returned PHP. The technique echoes a similar attack wave reported in March 2025, showing how quickly these campaigns are adapted and reused.

Payload Delivery and Persistence:

ROT13 is a Caesar shift of 13 and offers no secrecy against an analyst, but it is enough to defeat scanners and grep rules that look for literal http:// strings or known domains in plugin files. For example, the encoded string uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc decodes to hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php. This cron.php endpoint returns a base64-encoded payload, which the loader stores in the WordPress database (the wp_options table) under the option key _hdra_core. Keeping the payload in the database rather than on disk means a file-based scan of wp-content finds nothing but the small loader. When it runs, the script checks that the stored content base64-decodes cleanly, writes the decoded PHP to a short-lived file (for example .sess-[hash].php in the uploads directory), executes it, and deletes it, so the malicious code exists on disk only for the duration of a request.
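As an added example, not code from the original article or from the malware itself, the following Python triage script pulls ROT13-encoded URLs out of PHP source, decodes them, and defangs them in the notation used above. The loader text it scans is constructed here to mimic the pattern described in this section; it is inert and its variable names are made up.

```python
import codecs
import re
from urllib.parse import urlsplit

# Constructed, inert stand-in for the loader described above. It is NOT the real
# wp-index.php; it only reuses the same trick (URLs stored as ROT13 and unwrapped
# at runtime with str_rot13) so the triage functions below have something to find.
SAMPLE_LOADER = """<?php
$remote   = str_rot13('uggcf://1870l4ee4l3q1x757673d.klm/peba.cuc');
$failsafe = str_rot13('uggcf://1870l4ee4l3q1x757673d.klm/fuc');
$stored   = get_option('_hdra_core');
"""

# "uggc://" and "uggcf://" are what "http://" and "https://" look like under ROT13.
ROT13_URL_RE = re.compile(r"uggcf?://[^\s'\"()<>]+")


def rot13(text: str) -> str:
    """ROT13 shifts letters by 13 and leaves digits and punctuation alone;
    it is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def defang(url: str) -> str:
    """Render a decoded URL non-clickable (hxxp scheme, [.] in the host),
    the convention used for the indicators in the article."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{host}{tail}"


def find_rot13_urls(php_source: str) -> list[dict]:
    """Locate ROT13-encoded URLs in PHP source and return them decoded and defanged."""
    hits = []
    for match in ROT13_URL_RE.finditer(php_source):
        encoded = match.group(0)
        decoded = rot13(encoded)
        hits.append({"encoded": encoded, "decoded": decoded, "defanged": defang(decoded)})
    return hits


def uses_runtime_decoding(php_source: str) -> bool:
    """A legitimate plugin rarely needs str_rot13(); its presence next to a
    remote fetch is worth a look on its own."""
    return "str_rot13(" in php_source


if __name__ == "__main__":
    # A scanner keyed on the literal scheme would miss this file entirely.
    print("literal 'http' present:", "http" in SAMPLE_LOADER)
    print("str_rot13 used:", uses_runtime_decoding(SAMPLE_LOADER))
    for hit in find_rot13_urls(SAMPLE_LOADER):
        print(f"{hit['encoded']}  ->  {hit['defanged']}")
```

Run it over every file in wp-content/mu-plugins and wp-content/plugins; the ROT13 scheme pattern is cheap enough to add to an existing grep-based sweep, and any hit on str_rot13() near a network call deserves manual review even if no URL is matched.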

Expanding the Attack Surface:

The loader is only the first stage. The malware also creates a hidden administrator account named "officialwp" and drops a file manager (pricing-table-3.php) into the theme directory. The file manager responds only to requests that carry a secret token in a custom HTTP header, which keeps it invisible to casual browsing and to crawlers, and gives the attacker file browsing, upload, and deletion on the host.


Furthermore, the malware downloads and activates a secondary plugin, wp-bot-protect.php, from a second ROT13-encoded URL that decodes to hxxps://1870y4rr4y3d1k757673q[.]xyz/shp. This plugin acts as a failsafe: if the loader or the other components are removed, it reinstates the infection. The malware also resets the passwords of common administrator usernames ("admin", "root", "wpsupport", and "officialwp") to attacker-controlled values, locking legitimate users out of their own accounts.

Broader Implications and Mitigation:

Because the payload is fetched from the attacker's server and executed as PHP, the attackers can change the malware's behavior at any time without touching the site again. That gives them complete control: manipulating site content, exfiltrating data, or using the compromised site for phishing, malware distribution, or DDoS attacks. The combination of database storage, short-lived files, and self-reinstallation makes the infection resilient to partial cleanup.

Website owners should take immediate action to mitigate this threat:

  • Scan for indicators: look for wp-index.php in wp-content/mu-plugins, pricing-table-3.php in any theme directory, wp-bot-protect.php among the plugins, .sess-*.php files under wp-content/uploads, the _hdra_core key in wp_options, the "officialwp" user, and any administrator whose password changed without explanation.
  • Implement file integrity monitoring: cover wp-content/mu-plugins, the theme and plugin directories, and uploads, not only WordPress core. The transient payload file is deleted within the same request, so change monitoring is far more likely to catch it than a periodic scan.
  • Perform regular database audits: review wp_options for unfamiliar keys holding base64 data and wp_users for accounts nobody created.
  • Remove everything in one pass: because the failsafe plugin reinstalls the other components, clean the loader, file manager, plugin, database option, and rogue account together, then rotate every administrator password.
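The checks in the list above, gathered into an added Python script that is not the article's or any vendor's tool. It sweeps a WordPress root for the file-based indicators named in this article and accepts the user and option names that `wp user list --field=user_login` and `wp option list --field=option_name` would print, so it runs without database access. The tree it scans in the demo is constructed here with placeholder contents only; the theme directory name is an assumption.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the campaign description: the loader in mu-plugins, the file
# manager dropped into a theme, the failsafe plugin, the short-lived payload file
# in uploads, the wp_options key holding the payload and the rogue admin account.
LOADER_NAME = "wp-index.php"
FILE_MANAGER_NAME = "pricing-table-3.php"
FAILSAFE_PLUGIN_NAME = "wp-bot-protect.php"
TRANSIENT_RE = re.compile(r"^\.sess-[^/]+\.php$")
SUSPECT_OPTION = "_hdra_core"
SUSPECT_USERS = {"officialwp"}


def scan_wordpress(root, usernames=(), option_names=()):
    """Return (indicator, detail) pairs for one WordPress install.

    `usernames` / `option_names` are iterables of the values that
    `wp user list --field=user_login` and `wp option list --field=option_name`
    print, passed in so the scan needs no database connection."""
    root = Path(root)
    content = root / "wp-content"
    findings = []

    loader = content / "mu-plugins" / LOADER_NAME
    if loader.is_file():
        findings.append(("mu-plugins loader", str(loader)))

    # The article places the file manager in a theme directory and the transient
    # file under uploads; the failsafe plugin is named only, so match it anywhere.
    for dirpath, _dirs, files in os.walk(content):
        parts = Path(dirpath).relative_to(root).parts
        for name in files:
            full = str(Path(dirpath) / name)
            if name == FILE_MANAGER_NAME and "themes" in parts:
                findings.append(("theme file manager", full))
            elif name == FAILSAFE_PLUGIN_NAME:
                findings.append(("failsafe plugin", full))
            elif TRANSIENT_RE.match(name) and "uploads" in parts:
                findings.append(("transient payload file", full))

    if SUSPECT_OPTION in set(option_names):
        findings.append(("database payload option", SUSPECT_OPTION))
    for user in usernames:
        if user.lower() in SUSPECT_USERS:
            findings.append(("backdoor admin account", user))
    return findings


def plant_sample_infection(root):
    """Write a constructed, inert copy of the layout described above (placeholder
    contents only). 'twentytwentyfour' is an assumed theme directory name."""
    root = Path(root)
    for rel in (
        "wp-content/mu-plugins/wp-index.php",
        "wp-content/themes/twentytwentyfour/pricing-table-3.php",
        "wp-content/themes/twentytwentyfour/functions.php",   # benign, must not fire
        "wp-content/plugins/wp-bot-protect.php",
        "wp-content/uploads/2025/.sess-3f9a1c7e.php",
    ):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // placeholder for the scanner demo\n")


def demo(infected=True):
    """Run the scan against a throw-away tree; the user and option names are a
    constructed stand-in for the output of the wp-cli commands named above."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            plant_sample_infection(tmp)
        return scan_wordpress(
            tmp,
            usernames=["editor", "officialwp"] if infected else ["editor"],
            option_names=["siteurl", "_hdra_core"] if infected else ["siteurl"],
        )


if __name__ == "__main__":
    for indicator, detail in demo():
        print(f"[{indicator}] {detail}")
```

Point `scan_wordpress` at the real document root and feed it the actual wp-cli output. A clean result for the transient file means little on its own, since that file lives only for the length of one request; treat the loader, the option key, and the account as the durable indicators, and remove them in the same maintenance window so the failsafe plugin has no chance to put them back.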

Conclusion: This campaign shows how much persistence an attacker can build from legitimate platform behavior, in this case the automatic loading of must-use plugins, combined with database storage and a self-reinstalling failsafe. Defenders should extend integrity monitoring to the whole of wp-content, audit the database and user table on a schedule, keep tested backups, and treat any unexplained administrator password reset as a sign of compromise rather than a support ticket.
