Stealthy WordPress Backdoor Found Hiding in Must-Use Mu-Plugins Directory for Persistent Access

Researchers have uncovered a stealthy backdoor within WordPress, cunningly disguised as a system file within the mu-plugins directory—a special location designated for must-use plugins. This strategic placement enables threat actors to establish a persistent foothold on the site, granting them covert access and the ability to execute arbitrary PHP code undetected.

Must-use plugins are automatically activated with every site load and do not appear in the standard WordPress admin interface. They cannot be disabled via the dashboard—removal requires direct deletion of the file from the wp-content/mu-plugins folder. This characteristic makes them particularly alluring to malware operators seeking stealth and persistence.

The infection, identified by the Sucuri research team, leverages a PHP script named wp-index.php placed within the must-use plugins directory to serve as a loader. This script retrieves a remote malicious payload and embeds it into the site’s database under the wp_options table, using the key _hdra_core. To further obfuscate its behavior, the URL of the remote payload is encoded using the ROT13 cipher—a rudimentary substitution algorithm in which each letter is replaced by the one 13 positions ahead in the alphabet (e.g., A becomes N, B becomes O, and so forth).

Once retrieved, the malicious code is briefly written to disk and executed immediately, providing attackers with a persistent entry point for remote command execution. Notably, a file manager named pricing-table-3.php is deployed into the theme directory, granting full access to view, upload, or delete server files.

Additionally, a rogue administrator account named officialwp is created, followed by the installation and activation of a fake plugin, wp-bot-protect.php. This secondary payload ensures that the backdoor can be reinstated even if the initial code is removed. The malware also has the capability to overwrite the passwords of commonly used administrator accounts such as admin, root, wpsupport, and its own officialwp, setting them all to a pre-defined password known only to the attacker.
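As an added defender-side example (not code from the Sucuri report or this article), the following Python script audits a wp-content tree for the on-disk artifacts described above: unexpected files in mu-plugins, the named filenames, and ROT13-encoded string literals that decode to a URL. It assumes the loader passes its encoded URL to PHP's str_rot13() as a literal; the fixture tree, its URL and the theme name are constructed placeholders, not indicators from the report.

```python
import re
import tempfile
from pathlib import Path

# Filenames named in the Sucuri write-up; presence alone warrants a look.
KNOWN_BAD_FILES = {"wp-index.php", "pricing-table-3.php", "wp-bot-protect.php"}
# Assumption: the loader hides its URL in a str_rot13() string literal.
ROT13_LITERAL = re.compile(r"str_rot13\(\s*['\"]([^'\"]+)['\"]\s*\)")
URL_RE = re.compile(r"^https?://", re.I)

def rot13(s: str) -> str:
    """ROT13 as the article describes it: shift letters 13 places (self-inverse)."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + 13) % 26 + base)
        out.append(ch)
    return "".join(out)

def audit_wp_content(wp_content: Path, allowed_mu=frozenset()) -> list[str]:
    """Return findings for a wp-content tree; allowed_mu lists expected mu-plugins."""
    findings = []
    mu_dir = wp_content / "mu-plugins"
    if mu_dir.is_dir():
        # Must-use plugins load on every request and never show in the dashboard,
        # so anything not on the allowlist is worth a manual review.
        for f in sorted(mu_dir.iterdir()):
            if f.name not in allowed_mu:
                findings.append(f"unexpected mu-plugin: {f.relative_to(wp_content).as_posix()}")
    for f in sorted(wp_content.rglob("*.php")):
        rel = f.relative_to(wp_content).as_posix()
        if f.name in KNOWN_BAD_FILES:
            findings.append(f"known-bad filename: {rel}")
        for lit in ROT13_LITERAL.findall(f.read_text(errors="replace")):
            decoded = rot13(lit)
            if URL_RE.match(decoded):  # an obfuscated remote URL is the loader's tell
                findings.append(f"rot13-encoded URL in {rel}: {decoded}")
    return findings

def build_demo_tree() -> Path:
    """Constructed fixture mirroring the described layout (placeholder URL, not a real IoC)."""
    root = Path(tempfile.mkdtemp()) / "wp-content"
    (root / "mu-plugins").mkdir(parents=True)
    (root / "themes" / "demo").mkdir(parents=True)
    (root / "mu-plugins" / "wp-index.php").write_text(
        "<?php $u = str_rot13('uggcf://rknzcyr.vainyvq/cnlybnq');\n")  # https://example.invalid/payload
    (root / "themes" / "demo" / "functions.php").write_text("<?php // benign theme file\n")
    (root / "themes" / "demo" / "pricing-table-3.php").write_text("<?php // stand-in for the file manager\n")
    return root
```

The wp_options key _hdra_core and the officialwp account live in the database rather than on disk, so check those separately, for example with `wp option get _hdra_core` and `wp user list --role=administrator`.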

This sophisticated mechanism not only guarantees resilient system access but also empowers adversaries to completely lock out legitimate administrators, thereby assuming total control of the site. The threat actor can then pursue a wide range of malicious activities—from injecting hidden scripts to redirecting user traffic to fraudulent destinations.

Blending remote code execution, content manipulation, and adaptive malicious behavior, this campaign exemplifies a highly dangerous and flexible threat model.

To mitigate such risks, administrators should ensure the WordPress core, themes, and all plugins are consistently updated; enforce two-factor authentication for privileged accounts; and conduct routine inspections of theme and plugin directories, paying close attention to hidden or unfamiliar components.