Pierluigi Paganini July 24, 2025

A new stealth backdoor has been discovered in the WordPress mu-plugins folder, granting attackers persistent access and control over compromised sites.

Sucuri researchers found a stealthy backdoor hidden in WordPress’s “mu-plugins” folder. These plugins auto-run and allow attackers to stay hidden in admin, and maintain persistence.

“must-use plugins” are special WordPress plugins that cannot be deactivated from the WordPress admin panel.
The experts found a malicious PHP file (“wp-index.php”) in the mu-plugins folder acting as a loader. It fetches an obfuscated (ROT13) payload, then stores it in the WordPress database under the _hdra_core option.

The backdoor writes the payload to disk and runs it. It uses ROT13, a simple, reversible letter-shift trick (e.g., “HelloWorld” → “UryybJbeyq”. Each letter is rotated 13 places in the alphabet (A↔N, B↔O, C↔P, etc.).) to hide its code, which is not real encryption, just basic obfuscation.

The malware decodes a ROT13 URL to fetch a base64-encoded payload, stealthily stores it in the WordPress _hdra_core option, then decodes and executes it, leaving a minimal trace. The payload, from cron.php, includes a hidden file manager (pricing-table-3.php) and creates an admin user (officialwp). It also force-installs a malicious plugin (wp-bot-protect.php) to restore the backdoor if removed.

”Alarmingly, this malware also includes a function to change the passwords of several common admin usernames (including admin, root, wpsupport, and even its own officialwp user) to a default password set by the attacker.” Reads the report published by Sucuri.

“This is a way for the attacker to regain access if the legitimate admin changes their password, or to lock out other admins.”

This malware is highly dangerous as it grants attackers full admin access, allowing them to control the site, steal data, and install more malware. It hides in mu-plugins, stores payloads in the database, and deletes traces after execution. It evades detection, reinstalls itself if removed, and allows remote command execution. Once compromised, the website can be used for broader attacks, making it a persistent and stealthy threat that’s hard to detect and remove.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)