\n<\/p>\n
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the “mu-plugins” directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.<\/p>\n
Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on all WordPress sites in the installation. They are located in the “wp-content\/mu-plugins” directory by default.<\/p>\n
What makes them an attractive option for attackers is that mu-plugins do not show in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory.<\/p>\n
<\/p>\n
As a result, a piece of malware that leverages this technique allows it to function quietly, without raising any red flags.<\/p>\n
In the infection spotted by web security company Sucuri, the PHP script in the mu-plugins directory (“wp-index.php”) serves as a loader to fetch a next-stage payload and save it in the WordPress database within the wp_options table under _hdra_core.<\/p>\n
The remote payload is retrieved from a URL that’s obfuscated using ROT13, a simple substitution cipher that replaces a letter with the 13th letter after it (i.e., A becomes N, B becomes O, C becomes P, and so forth).<\/p>\n
<\/p>\n
“The fetched content is then temporarily written to disk and executed,” security researcher Puja Srivastava said. “This backdoor gives the attacker persistent access to the site and the ability to run any PHP code remotely.<\/p>\n
Specifically, it injects a hidden file manager into the theme directory as “pricing-table-3.php,” permitting threat actors to browse, upload, or delete files. It also creates an administrator user named “officialwp” and then downloads a malicious plugin (“wp-bot-protect.php”) and activates it.<\/p>\n
Besides reinstating the infection in the event of deletion, the malware incorporates the ability to change the passwords of common administrator usernames, such as “admin,” “root,” and “wpsupport,” to a default password set by the attacker. This also extends to its own “officialwp” user.<\/p>\n
<\/p>\n
In doing so, the threat actors can enjoy persistent access to the sites and perform malicious actions, while effectively locking out other administrators. This can range from data theft to injecting code that can serve malware to site visitors or redirect them to other scammy sites.<\/p>\n
“The attackers gain full administrator access and a persistent backdoor, allowing them to do anything on the site, from installing more malware to defacing it,” Srivastava said. “The remote command execution and content injection features mean the attackers can change the malware’s behavior.”<\/p>\n
To mitigate against these threats, it’s essential that site owners update WordPress, themes, and plugins periodically, secure accounts using two-factor authentication, and regularly audit all sections of the site, including theme and plugin files.<\/p>\n
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access Update ID THN:6E4392B000822778B2AC7ADF805B853C Type thn Published 2025-07-24T05:11:00 Last…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-8829","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=8829\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access Update ID THN:6E4392B000822778B2AC7ADF805B853C Type thn Published 2025-07-24T05:11:00 Last...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=8829\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-24T02:47:27+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access\",\"datePublished\":\"2025-07-24T02:47:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829\"},\"wordCount\":578,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8829#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829\",\"name\":\"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-07-24T02:47:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=8829\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=8829#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=8829","og_locale":"en_US","og_type":"article","og_title":"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access - zero redgem","og_description":"Security Update News Update Information Title Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access Update ID THN:6E4392B000822778B2AC7ADF805B853C Type thn Published 2025-07-24T05:11:00 Last...","og_url":"https:\/\/zero.redgem.net\/?p=8829","og_site_name":"zero redgem","article_published_time":"2025-07-24T02:47:27+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=8829#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=8829"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access","datePublished":"2025-07-24T02:47:27+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=8829"},"wordCount":578,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=8829#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=8829","url":"https:\/\/zero.redgem.net\/?p=8829","name":"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-07-24T02:47:27+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=8829#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=8829"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=8829#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8829","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8829"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/8829\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8829"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8829"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8829"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}