
Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution


Security researchers have uncovered a new wave of cyberattacks targeting WordPress websites through the exploitation of the “mu-plugins” (Must-Use plugins) directory.

This directory, designed to load plugins automatically without requiring activation, has become an attractive hiding spot for threat actors due to its low visibility in standard WordPress interfaces.

The malware embedded in this directory enables attackers to execute remote code, redirect traffic, and inject spam content, posing significant risks to website security.

Techniques Used by Attackers

Researchers identified three distinct malware variants within the mu-plugins directory:

  1. Fake Update Redirect Malware: Found in the redirect.php file, this malware redirects site visitors to malicious external websites. By disguising itself as a legitimate update mechanism, it avoids detection by bots and administrators while targeting regular users.
  2. Remote Code Execution Webshell: A more sophisticated attack was discovered in the index.php file. This webshell allows attackers to download and execute remote PHP ...
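The two variants described above both live as PHP files in wp-content/mu-plugins, a directory WordPress loads without any activation step and that does not appear in the normal plugin list. The following scanner is an added example, not code from the article or from gbhackers: it walks a site's mu-plugins directory, flags PHP files that match a small set of heuristic indicators (eval, base64_decode, remote fetches, external redirects, variable-driven includes), and runs against a constructed sample tree containing a benign file, a redirect-style file and a loader-style file. The indicator list, the file names and the sample contents are assumptions made for the demonstration.

```python
"""Heuristic scan of a WordPress mu-plugins directory for the abuse pattern
described in the article. Added example, not the article's or gbhackers' code.
Assumes the standard layout wp-content/mu-plugins; samples are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Heuristic indicators (name, regex). Matching is a triage signal, not proof:
# legitimate plugins also call base64_decode, so hits need human review.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("remote_fetch", re.compile(
        r"\b(file_get_contents|curl_exec|fopen)\s*\(\s*['\"]https?://", re.I)),
    ("external_redirect", re.compile(
        r"header\s*\(\s*['\"]Location:\s*https?://", re.I)),
    ("dynamic_include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$")),
]


@dataclass
class Finding:
    path: str                      # path relative to the mu-plugins directory
    indicators: list = field(default_factory=list)


def scan_file(path):
    """Return the names of all indicators that match the file's contents."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_mu_plugins(wp_root):
    """Walk <wp_root>/wp-content/mu-plugins and report PHP files with hits."""
    mu_dir = os.path.join(wp_root, "wp-content", "mu-plugins")
    findings = []
    if not os.path.isdir(mu_dir):           # no directory at all: nothing to flag
        return findings
    for dirpath, _, names in os.walk(mu_dir):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings.append(Finding(os.path.relpath(full, mu_dir), hits))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample tree (assumption for the demo; not real malware).
SAMPLES = {
    "site-tweaks.php": (
        "<?php\n// benign must-use plugin: disables XML-RPC\n"
        "add_filter('xmlrpc_enabled', '__return_false');\n"),
    "redirect.php": (
        "<?php\n// mimics the fake-update redirect pattern\n"
        "header('Location: https://update.example.invalid/');\nexit;\n"),
    "index.php": (
        "<?php\n// mimics a loader; the argument is a placeholder, not a payload\n"
        "eval(base64_decode('PLACEHOLDER_NOT_A_PAYLOAD'));\n"),
}


def build_sample_site():
    """Create a temporary fake WordPress root with the constructed samples."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    mu_dir = os.path.join(root, "wp-content", "mu-plugins")
    os.makedirs(mu_dir)
    for name, body in SAMPLES.items():
        with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_mu_plugins(site):
        print(f"{finding.path}: {', '.join(finding.indicators)}")
```

Run against a real install by calling `scan_mu_plugins("/var/www/html")` (path is an assumption) and review every hit by hand; a clean result from this heuristic does not rule out compromise, so pair it with a file-integrity baseline of the directory.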

Copyright of this story solely belongs to gbhackers.