A new malware threatens the security of WordPress

Cybersecurity researchers have revealed a serious vulnerability in WordPress sites, related to a hidden backdoor in the ‘mu-plugins’ directory. These types of plugins, known as must-use, are automatically activated in all WordPress installations and do not appear in the usual plugin list, making them an attractive target for attackers.

What to do to avoid it

The malicious PHP script, discovered by the web security company Sucuri, acts as a loader that retrieves a remote payload and stores it in the WordPress database. This payload allows for remote PHP code execution, facilitating persistent access for attackers, who can manage files and reinstall the infection if it is removed.

The malware injects a hidden administrator user called ‘officialwp’, allowing attackers to control the site and perform malicious actions without other administrators being aware. Additionally, the malicious code has the ability to change the passwords of administrative accounts to a default value, blocking access to other administrators and ensuring total control of the site.

The threat is amplified by the ability of the malware to steal data and redirect visitors to fraudulent sites, which significantly impacts web security. According to experts, this backdoor allows attackers to perform a variety of actions, from installing more malware to defacing the site.

To mitigate these risks, site owners must periodically update WordPress, themes, and plugins, use two-factor authentication, and regularly audit all sections of the site, including theme and plugin files. Maintaining security is crucial to prevent attacks that could compromise the integrity and trust of the website.