Hidden Malware Discovered in WordPress Must-Use Plugins Directory

Security researchers at Sucuri have identified a new stealth backdoor hidden within WordPress’s "mu-plugins" directory that allows attackers to maintain persistent control over compromised websites. 

Mu-plugins, short for "must-use plugins," are unique in WordPress because they execute automatically and cannot be disabled from the admin dashboard. The malware leverages this capability to stay under the radar and remain active on infected sites. 

Investigators found a malicious PHP file named "wp-index.php" acting as a loader in the mu-plugins folder. This file fetches a payload obfuscated with ROT13, a basic letter-substitution scheme that disguises code without encrypting it, and stores it in the WordPress database under an option named _hdra_core.

Once downloaded, the backdoor writes this payload to the server’s disk and executes it. The process is designed to leave minimal evidence, making it harder to detect. 

Further analysis revealed that the payload originates from a script called cron.php. It installs a hidden file manager titled pricing-table-3.php and creates a rogue administrator account with the username officialwp. Additionally, it installs a plugin named wp-bot-protect.php that reinstalls the backdoor if it is removed. 

The malware also includes a feature that resets the passwords of common admin usernames such as admin, root, wpsupport, and its own officialwp account. This tactic preserves the attacker's access even after legitimate administrators change their passwords, and can be used to lock other users out entirely.

Researchers warn that this backdoor poses a serious security risk. It provides full administrative control, enables data theft, facilitates the installation of additional malware, and supports remote command execution. Because it hides in a protected plugin folder, stores payloads in the database, and wipes traces after running, it is particularly difficult to detect and remove. Once a site is compromised, it may be used for wider malicious campaigns. 
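For administrators who want to triage a site against the indicators named above, the following Python script is an added example (not Sucuri's tooling): it lists every file in wp-content/mu-plugins, flags the file names and the eval(str_rot13(...)) pattern mentioned in the write-up, and checks a SQL dump for the _hdra_core option and the officialwp account. The eval/str_rot13 heuristic, the directory layout and the sample site it builds are assumptions for illustration.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Indicator names come from the write-up; the heuristics below are assumptions.
KNOWN_FILES = {"wp-index.php", "pricing-table-3.php", "wp-bot-protect.php"}
ROGUE_OPTION = "_hdra_core"
ROGUE_USER = "officialwp"
# ROT13-decoded text handed straight to eval(): loose on purpose, review hits by hand.
ROT13_EVAL = re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.I)


def scan_mu_plugins(wp_root):
    """List every file under wp-content/mu-plugins (all auto-run) and flag known indicators."""
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    findings = []
    if not mu_dir.is_dir():
        return findings
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(wp_root).as_posix()
        findings.append(("review", rel))  # anything here runs on every request
        if path.name in KNOWN_FILES:
            findings.append(("known-filename", rel))
        if ROT13_EVAL.search(path.read_text(errors="replace")):
            findings.append(("rot13-eval", rel))
    return findings


def scan_db_dump(sql_text):
    """Check a wp_options/wp_users SQL dump (as text) for the rogue option and account."""
    findings = []
    if ROGUE_OPTION in sql_text:
        findings.append(("rogue-option", ROGUE_OPTION))
    if re.search(rf"'{ROGUE_USER}'", sql_text):
        findings.append(("rogue-user", ROGUE_USER))
    return findings


def rot13_preview(blob, limit=80):
    """Decode a ROT13 blob so the analyst can read what a loader would hand to eval()."""
    return codecs.decode(blob, "rot13")[:limit]


def build_sample_site():
    """Constructed sample tree (not real malware): a harmless ROT13 loader plus a clean file."""
    root = Path(tempfile.mkdtemp())
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    (mu / "wp-index.php").write_text("<?php eval(str_rot13('rpub \"ybnqre\";')); ?>")
    (mu / "site-tweaks.php").write_text("<?php add_filter('show_admin_bar', '__return_false');")
    return str(root)
```

Run scan_mu_plugins against a copy of the document root and scan_db_dump against a mysqldump of wp_options and wp_users; every "review" entry deserves a look, since mu-plugins cannot be disabled from the dashboard.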
