Cyber Security News

Stealthy Malware in WordPress Sites Enables Remote Code Execution by Hackers

Security researchers have uncovered malware targeting WordPress websites that plants hidden backdoors on the web server, giving attackers remote code execution (RCE).

The campaigns pair vulnerable plugins, used for initial access, with abuse of legitimate WordPress features for persistence, allowing attackers to gain unauthorized access, execute arbitrary code, and keep control of compromised sites.

The findings highlight the critical need for robust security measures in WordPress environments.

Exploiting WordPress Vulnerabilities for Persistent Access

One notable case involved attackers dropping malicious scripts into the Must-Use Plugins directory (wp-content/mu-plugins). WordPress includes every PHP file at the top level of that directory on every request, before ordinary plugins load, and files there are not part of the normal activate/deactivate workflow in the dashboard.

Obfuscated PHP placed there therefore runs on every page load, survives plugin updates and the common troubleshooting step of deactivating all plugins, and can evade detection tools that do not inspect mu-plugins.

The malicious code retrieved and executed additional payloads stored in external files, enabling hackers to execute commands remotely and compromise the website further.

The malware layers obfuscation on top of this placement: payloads are wrapped in base64 encoding and AES encryption, so the file on disk contains no readable PHP for a string-based scanner to match.

Once executed, it communicates with external servers to fetch additional malicious scripts or send sensitive data.

Because the decoded strings are handed to eval(), the malicious logic exists only in memory at run time and never as readable source on disk, which further complicates static detection.

In one instance, the malware abused the wp-content/uploads/ directory, which is writable by design and normally holds only media, to stage obfuscated payloads.

These payloads were decoded and executed on the server, granting attackers full control over the site.

Additionally, some variants tampered with site files such as robots.txt to steer search engine crawlers, supporting traffic-redirection and search engine optimization (SEO) spam campaigns.
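A triage script for the technique described above, written for this page as an added example (it is not code from the article or from Sucuri). It treats any PHP-like file under wp-content/uploads as a finding and flags mu-plugins that use decoding or dynamic-execution primitives; the wp-content tree it builds for the demo, including the file names and the inert base64 blob, is constructed.

```shell
#!/usr/bin/env bash
# Triage for the persistence technique described above: PHP dropped into
# wp-content/mu-plugins (loaded on every request, no activation needed) and
# obfuscated payloads parked under wp-content/uploads. Added example, not code
# from the article or from Sucuri; the sample tree it builds is constructed.
set -u

# Decoding and dynamic-execution primitives that a legitimate mu-plugin rarely
# needs. A hit is a lead for manual review, not proof of compromise.
SUSPICIOUS_RE='eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|openssl_decrypt\(|create_function\('

# scan_wp_content <wp-content dir>
# Prints one finding per line as "<reason>TAB<path>", sorted within each class.
scan_wp_content() {
  local root="$1"

  # 1) The uploads tree should hold media only; any PHP-like file there is a
  #    finding on its own (the same thing "disable PHP execution in uploads"
  #    is meant to neutralise).
  if [ -d "$root/uploads" ]; then
    find "$root/uploads" -type f \( -iname '*.php' -o -iname '*.php?' -o -iname '*.phtml' -o -iname '*.phar' \) |
      sort | while IFS= read -r f; do
        printf 'php-in-uploads\t%s\n' "$f"
      done
  fi

  # 2) WordPress includes every top-level .php in mu-plugins on every request,
  #    and a loader there can include files from subdirectories, so walk the
  #    whole tree and flag any file using the primitives above.
  if [ -d "$root/mu-plugins" ]; then
    find "$root/mu-plugins" -type f -iname '*.php' | sort | while IFS= read -r f; do
      if grep -Eq "$SUSPICIOUS_RE" "$f"; then
        printf 'obfuscated-mu-plugin\t%s\n' "$f"
      fi
    done
  fi
}

# count_findings <wp-content dir>: number of findings, usable as a cron alert threshold.
count_findings() {
  scan_wp_content "$1" | grep -c .
}

# make_sample_tree <dir>: constructed wp-content layout mirroring the article's
# description (one benign mu-plugin, one obfuscated loader, one PHP file in uploads).
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/mu-plugins" "$root/uploads/2024/03"
  cat > "$root/mu-plugins/healthcheck.php" <<'EOF'
<?php
// Benign must-use plugin: plain, readable source.
add_action('init', function () { /* nothing to see here */ });
EOF
  cat > "$root/mu-plugins/loader.php" <<'EOF'
<?php
// Constructed stand-in for the loader pattern: decode a blob, then eval() it.
// The blob is base64 of the word "placeholder", not a working payload.
eval(base64_decode('cGxhY2Vob2xkZXI='));
EOF
  : > "$root/uploads/2024/03/photo.jpg"
  printf '<?php /* obfuscated payload would be staged here */\n' > "$root/uploads/2024/03/cache.php"
}

# Demo: build the constructed tree, scan it, clean up.
if [ "${1:-}" = "--demo" ]; then
  demo_root=$(mktemp -d)
  make_sample_tree "$demo_root"
  scan_wp_content "$demo_root"
  rm -rf "$demo_root"
fi
```

Run it as `bash wp-triage.sh --demo` to see the two expected findings, or source the file and call `scan_wp_content /var/www/html/wp-content` on a real install. A clean result for mu-plugins is not proof of absence: a loader can hide its primitives behind string concatenation or variable functions, so compare the directory against a known-good copy or a fresh checkout as well.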

The potential consequences of such attacks are severe:

  • Complete Site Takeover: Hackers can modify content, inject malicious scripts, or deface websites.
  • Data Theft: Sensitive user information, including login credentials and financial data, can be exfiltrated.
  • Malware Distribution: Compromised sites may be used to spread malware or phishing campaigns.
  • Reputation Damage: Redirecting visitors or injecting spam content harms a website’s credibility and SEO rankings.

The rise of RCE vulnerabilities in WordPress underscores systemic issues related to insecure coding practices and outdated software.

Sucuri reports revealed similar vulnerabilities in popular plugins like “Bit File Manager” and “Security & Malware Scan by CleanTalk,” exposing tens of thousands of websites to exploitation.

Attackers exploited flaws in file upload handling or insufficient input sanitization to inject malicious code. Where the foothold is a file written into a web-accessible directory, a web server that refuses to execute PHP from that directory blunts the exploit even before the plugin is patched.

To mitigate these threats, WordPress site administrators should:

  1. Regularly update WordPress core, plugins, and themes.
  2. Put a web application firewall in front of the site to block malicious traffic and known exploit patterns.
  3. Disable PHP execution, at the web server level, in directories that should only hold static content, above all wp-content/uploads/.
  4. Use security tools such as Sucuri or MalCare for malware scanning and monitoring.
  5. Conduct periodic audits of installed plugins, remove unused or outdated ones, and include wp-content/mu-plugins in those audits and in file-integrity monitoring, since files there run on every request without activation.
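Step 3 of the list above, implemented as an added example rather than the article's own guidance: a shell script that writes an Apache .htaccess denying direct requests for PHP-like files under wp-content/uploads, prints the equivalent nginx location block, and checks the result. It assumes Apache's AllowOverride permits FilesMatch and Require directives in that tree (otherwise the same block belongs in the vhost inside a Directory section); the temporary directory and sample files are constructed.

```shell
#!/usr/bin/env bash
# Disable PHP execution under wp-content/uploads for Apache and nginx, then verify.
# Added example, not from the article. Assumes AllowOverride allows FilesMatch and
# Require in .htaccess; the demo directory and files are constructed.
set -u

# Extension classes PHP handlers are commonly mapped to; blocking only ".php"
# leaves .php7/.phtml/.phar/.phps reachable.
PHP_EXT_RE='\.(php[0-9]?|phtml|phar|phps)$'

# harden_uploads_apache <uploads dir>
# Writes an .htaccess that denies direct requests for PHP-like files. The
# IfModule pair covers both Apache 2.4 (authz_core) and the legacy 2.2 syntax.
harden_uploads_apache() {
  local dir="$1"
  cat > "$dir/.htaccess" <<EOF
# Deny direct requests to anything PHP-like in the media tree.
<FilesMatch "${PHP_EXT_RE}">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# print_nginx_snippet
# Equivalent nginx rule. Regex locations are matched in order, so this block
# must appear before the generic "location ~ \.php$" that hands requests to PHP-FPM.
print_nginx_snippet() {
  cat <<'EOF'
location ~* ^/wp-content/uploads/.*\.(php[0-9]?|phtml|phar|phps)$ {
    deny all;
}
EOF
}

# check_uploads_hardened <uploads dir>
# Returns 0 when the Apache deny rule is in place and no PHP-like file is present;
# a file that is already there is a live finding regardless of the rule.
check_uploads_hardened() {
  local dir="$1"
  grep -q 'Require all denied' "$dir/.htaccess" 2>/dev/null || return 1
  ! find "$dir" -type f | grep -Eiq "$PHP_EXT_RE"
}

# Demo on a constructed uploads tree.
if [ "${1:-}" = "--demo" ]; then
  demo_root=$(mktemp -d)
  mkdir -p "$demo_root/uploads/2024/03"
  : > "$demo_root/uploads/2024/03/photo.jpg"
  harden_uploads_apache "$demo_root/uploads"
  check_uploads_hardened "$demo_root/uploads" && echo "uploads hardened, no PHP present"
  print_nginx_snippet
  rm -rf "$demo_root"
fi
```

This blocks direct HTTP requests only. A loader that WordPress already includes from mu-plugins can still read and eval() a file staged in uploads through PHP's own file functions, so the rule complements removing the loader; it does not replace it. After applying it, request a harmless test file such as wp-content/uploads/test.php from outside and confirm the server answers 403 rather than executing it.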

These measures are essential for reducing the attack surface and safeguarding against evolving cyber threats targeting WordPress ecosystems.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
