Stealth backdoor in WordPress mu-plugins directory

Cybersecurity researchers have discovered a stealthy backdoor hidden in the "mu-plugins" directory of WordPress sites, allowing hackers to maintain persistent access and execute arbitrary actions. Must-use plugins (mu-plugins) are automatically activated on all WordPress installations and are located in the "wp-content/mu-plugins" directory, making them appealing targets for attackers since they do not appear in the default plugin list and cannot be disabled through the admin interface.

In an infection identified by web security firm Sucuri, a PHP script named "wp-index.php" in the mu-plugins directory acts as a loader to fetch a next-stage payload, which is stored in the WordPress database under the wp_options table as _hdra_core. The remote payload is retrieved from an obfuscated URL using ROT13, allowing the malware to operate quietly.

This backdoor grants attackers persistent access, enabling them to execute any PHP code remotely. It injects a hidden file manager into the theme directory as "pricing-table-3.php," allowing file browsing, uploading, and deletion. Additionally, it creates an administrator user named "officialwp" and downloads a malicious plugin ("wp-bot-protect.php") to ensure the infection can be reinstated if deleted.
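As a defender-side triage aid, the following is an added example (not code from Sucuri's write-up) that walks a WordPress tree for the file names named above and decodes any str_rot13() string literals inside mu-plugins to expose a hidden payload URL; the sample site tree, the example.com URL and the theme folder name are constructed for the demonstration.

```python
import codecs
import os
import re
import tempfile

# File-name indicators named in the Sucuri findings summarised above.
IOC_BASENAMES = {
    "wp-index.php": "mu-plugins loader",
    "pricing-table-3.php": "hidden file manager dropped into a theme",
    "wp-bot-protect.php": "reinfection plugin",
}
# The loader hides its payload URL behind str_rot13(); match such literals.
ROT13_CALL = re.compile(r"str_rot13\(\s*['\"]([^'\"]+)['\"]\s*\)")

def decode_rot13_literals(php_source):
    """Return (encoded, decoded) pairs for each str_rot13('...') literal."""
    return [(m, codecs.decode(m, "rot13")) for m in ROT13_CALL.findall(php_source)]

def scan_site(root):
    """Walk a WordPress root; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in IOC_BASENAMES:
                findings.append((rel, IOC_BASENAMES[name]))
            # Every mu-plugin is auto-loaded, so inspect each PHP file there.
            if rel.startswith("wp-content/mu-plugins/") and name.endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for _enc, dec in decode_rot13_literals(fh.read()):
                        if "://" in dec:
                            findings.append((rel, "ROT13-hidden URL: " + dec))
    return sorted(findings)

def build_sample_site():
    """Constructed fixture, not real malware: a tiny site tree carrying IoCs."""
    root = tempfile.mkdtemp(prefix="wp-")
    files = {  # loader stub imitates only the obfuscated-URL pattern (example.com)
        "wp-content/mu-plugins/wp-index.php":
            "<?php $u = str_rot13('uggcf://rknzcyr.pbz/cnlybnq.gkg');\n",
        "wp-content/themes/twentytwentyfour/pricing-table-3.php": "<?php\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Point `scan_site()` at a real site root to list the same indicators; the administrator account "officialwp" and the `_hdra_core` row in wp_options still need to be checked in the database, which this file-system scan does not cover.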