WordPress mu‑plugins backdoor lets attackers seize admin control

A quiet path to a full site takeover

Researchers have warned that attackers are hiding a new backdoor inside WordPress’ mu‑plugins folder, giving them a durable foothold and the power to run any PHP they want. Because mu‑plugins (short for “must‑use” plugins) load automatically on every site in the install and don’t appear on the normal Plugins page, the malware can remain invisible to routine checks while still executing on every request. The only way to turn an mu‑plugin off is to delete the file from disk, which is exactly why criminals are choosing this spot. SOURCE: Sucuri Blog

How the break‑in works

In cases analyzed by Sucuri, the intrusion starts with a PHP loader dropped in wp-content/mu-plugins/wp-index.php. That stub decodes a ROT13‑obfuscated URL, pulls a second‑stage payload from a remote server, and stores it in the site’s database under the wp_options key _hdra_core. The code is then written briefly to disk and executed, ensuring the attacker regains control even if some traces are removed.

The next stage doesn’t stop at one backdoor. It plants a hidden file manager named pricing-table-3.php inside the active theme so the operator can browse directories, upload new files, or delete evidence. It also creates a high‑privilege administrator account called “officialwp”, downloads an additional plugin wp-bot-protect.php, and activates it to reinforce persistence. If defenders try to fight back, the malware can reset passwords for common admin usernames — admin, root, wpsupport, and even its own “officialwp” user — to a hard‑coded value chosen by the attacker. That combination both keeps the intruder in and locks real administrators out.

Why this tactic is spreading

Abusing mu‑plugins is not brand‑new, but incidents have risen through 2025 because the technique sidesteps the cues defenders rely on. Mu‑plugins don’t show up in wp‑admin’s plugin list, they load on every page, and many site owners never audit the mu-plugins directory at all. Earlier reports this year documented threat actors using the same folder to fetch payloads, inject spam, hijack images, and run multiple classes of malicious code, underscoring that attackers see the directory as a reliable hiding place.

What this means for victims

With an mu‑plugins backdoor in place, an intruder effectively holds the keys to the site. They can steal data, inject scripts that deliver malware to visitors, redirect traffic to scams, plant additional webshells, or wipe content and deface pages. Because the loader re‑fetches its instructions and can change behavior on command, clean‑up attempts that miss even a single component risk seeing the infection reappear hours later. Sucuri’s analysis stresses that remote command execution via the backdoor allows attackers to alter tactics on the fly, making swift and thorough remediation essential.

How to respond and prevent a repeat

Site owners should assume persistence and work methodically. Inspect wp-content/mu-plugins/ for unknown files like wp-index.php or test-mu-plugin.php, review the wp_options table for suspicious keys such as _hdra_core, and search theme and plugin directories for unexpected PHP files, including the planted pricing-table-3.php. Remove malicious files, purge injected options, rotate all admin passwords, and delete rogue accounts like officialwp. Only after the filesystem and database are clean should you bring the site back online. Finally, bring WordPress core, themes, and plugins up to date, enable two‑factor authentication, restrict write access, and schedule regular audits of the mu‑plugins, themes, and plugins folders to catch stealth implants early. These recommendations align with guidance from Sucuri and multiple independent write‑ups tracking the same technique.
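A triage script for the audit steps just listed, added here as an example and not code from Sucuri or the write-ups it cites. It walks wp-content for files not on an mu-plugins allowlist, for the filenames named above, and for PHP that combines the loader's traits described earlier (ROT13 decode, remote fetch, write to disk, execute), and checks an option list for _hdra_core or embedded PHP. The sample install it builds is constructed; the trait patterns and the three-trait threshold are assumptions to tune for your site.

```python
import os
import re
import tempfile
IOC_FILENAMES = {"wp-index.php", "test-mu-plugin.php", "pricing-table-3.php", "wp-bot-protect.php"}
IOC_OPTIONS = {"_hdra_core"}
LOADER_TRAITS = {  # traits of the loader described above: decode, fetch, write to disk, execute
    "rot13": re.compile(r"str_rot13\s*\(", re.I),
    "remote-fetch": re.compile(r"(file_get_contents|curl_init|wp_remote_get)\s*\(", re.I),
    "write": re.compile(r"file_put_contents\s*\(", re.I),
    "execute": re.compile(r"\b(include|require|eval)\b", re.I),
}

def scan_files(wp_root, mu_allowlist=frozenset(), min_traits=3):
    """Walk wp-content and return (category, relative_path) findings."""
    findings = []
    for sub in ("mu-plugins", "themes", "plugins"):
        for dirpath, _, files in os.walk(os.path.join(wp_root, "wp-content", sub)):
            for f in sorted(files):
                path = os.path.join(dirpath, f)
                rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
                if sub == "mu-plugins" and f not in mu_allowlist:  # anything not expected is a finding
                    findings.append(("unknown-mu-plugin", rel))
                if f in IOC_FILENAMES:
                    findings.append(("ioc-filename", rel))
                if f.endswith(".php"):
                    with open(path, errors="ignore") as fh:
                        src = fh.read()
                    hits = [k for k, rx in LOADER_TRAITS.items() if rx.search(src)]
                    if len(hits) >= min_traits:  # several traits together, not any one alone
                        findings.append(("loader-traits:" + ",".join(hits), rel))
    return findings

def scan_options(options):
    """options: list of {"option_name", "option_value"} dicts, e.g. from a wp option list dump."""
    return [o["option_name"] for o in options
            if o["option_name"] in IOC_OPTIONS or "<?php" in str(o.get("option_value", ""))]

def build_demo_site():
    """Constructed sample install for the demo (inert stubs only, not real malware)."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/mu-plugins/company-tweaks.php": "<?php add_filter('show_admin_bar', '__return_false');",
        "wp-content/mu-plugins/wp-index.php": "<?php $u = str_rot13('...'); $p = file_get_contents($u); file_put_contents('/tmp/x.php', $p); include '/tmp/x.php';",
        "wp-content/themes/twentytwentyfour/pricing-table-3.php": "<?php // file-manager stub",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh: fh.write(body)
    return root
```

Run it against a real install with the mu-plugins you actually deploy in the allowlist; every finding is a lead to review by hand, not a verdict.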