CyberSecurity news


Bill Toulas @ BleepingComputer
WordPress sites are under attack by threat actors who abuse the "mu-plugins" directory to conceal malicious code, gaining persistent remote access and redirecting visitors to bogus sites. "Must-use plugins" (mu-plugins) are PHP files placed in wp-content/mu-plugins; WordPress loads them on every request without any activation step, and they cannot be deactivated from the dashboard, which makes the directory an ideal place to stage malware and evade detection. The trend is concerning because this directory is rarely examined during routine security checks, so an implant there can persist unnoticed.

Researchers have identified three kinds of malicious code in the "wp-content/mu-plugins" directory. One, named "redirect.php," redirects site visitors to malicious websites. Another, named "index.php," provides web shell-like functionality that lets attackers execute arbitrary PHP code on the server. The third, named "custom-js-loader.php," injects spam into infected websites, replacing images with explicit content and hijacking outbound links.

The "redirect.php" script disguises the redirect as a web browser update to trick victims into installing data-stealing malware. To stay off search engines' radar, it checks the visitor's user agent and redirects only regular site visitors, not crawlers. The initial compromise is most likely achieved through vulnerable plugins or themes, stolen admin credentials, or server misconfigurations. To protect against such attacks, administrators should keep WordPress, plugins, and themes updated, use strong passwords, and enable two-factor authentication. They should also inspect wp-content/mu-plugins directly, since its contents never appear as activatable plugins, and remove any file they did not install themselves.
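As a practical check for the point above, here is an added audit script written for this page; it is not part of the BleepingComputer article or of any research it cites. It assumes a hypothetical operator-maintained allowlist file listing the must-use plugin files that are supposed to be present, and it constructs its own sample mu-plugins directory (stub files carrying indicators, not live malware) so it runs offline. The indicator patterns are a generic starting set for the redirect and webshell behaviour described above and will produce false positives on legitimate plugins that read request data or redirect, so treat hits as "review this", not "this is malware".

```shell
#!/bin/sh
# Added example: audit the WordPress must-use plugin directory.
# WordPress auto-loads every top-level .php file in wp-content/mu-plugins on
# every request, so the audit asks two questions per file: (1) is it on the
# operator's allowlist, and (2) does it contain primitives typical of the
# redirect / webshell loaders described above. Paths, allowlist and sample
# files are constructed for this example; point DIR at a real install to use it.

# audit_mu_plugins DIR ALLOWLIST
#   prints "UNKNOWN <file>" for files not listed in ALLOWLIST (one name per line)
#   prints "SUSPICIOUS <file>: <patterns>" for files with indicator hits
#   returns 0 if nothing was flagged, 1 otherwise
audit_mu_plugins() {
    dir="$1"; allow="$2"; rc=0
    [ -d "$dir" ] || { echo "no mu-plugins directory at $dir"; return 0; }
    for f in "$dir"/*.php; do
        [ -e "$f" ] || continue          # glob matched nothing: directory is empty
        name=$(basename "$f")
        if [ ! -f "$allow" ] || ! grep -qxF "$name" "$allow"; then
            echo "UNKNOWN $name"; rc=1
        fi
        # eval/decoder chains, crawler evasion via user-agent checks,
        # raw Location redirects, and request-controlled input
        hits=$(grep -oE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|header\(.Location:|HTTP_USER_AGENT|\$_(GET|POST|REQUEST)\[' "$f" \
               | sort -u | tr '\n' ' ')
        if [ -n "$hits" ]; then
            echo "SUSPICIOUS $name: $hits"; rc=1
        fi
    done
    return $rc
}

# make_sample_dir: build a constructed mu-plugins directory (stubs, not real
# malware) with one legitimate allowlisted file and two files shaped like the
# loaders in the article. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'site-custom.php' > "$d/allow.txt"
    cat > "$d/site-custom.php" <<'EOF'
<?php
// constructed sample: legitimate operator-installed must-use plugin
add_filter('xmlrpc_enabled', '__return_false');
EOF
    cat > "$d/redirect.php" <<'EOF'
<?php
// constructed sample: redirect stub that skips crawlers (indicator only)
if (stripos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) {
    header('Location: https://example.invalid/browser-update');
}
EOF
    cat > "$d/index.php" <<'EOF'
<?php
// constructed sample: webshell-style primitive (indicator only)
eval(base64_decode($_POST['c']));
EOF
    echo "$d"
}

# Demo run on the constructed directory. On a live site, call
# audit_mu_plugins /path/to/wordpress/wp-content/mu-plugins /path/to/allowlist
sample=$(make_sample_dir)
if audit_mu_plugins "$sample" "$sample/allow.txt"; then
    echo "mu-plugins clean"
else
    echo "review the flagged files and compare them against a known-good backup"
fi
rm -rf "$sample"
```

Only top-level .php files in wp-content/mu-plugins are auto-loaded; anything in a subdirectory runs only if a top-level file includes it, so when an unknown top-level file turns up, read its include and require lines and follow them. Comparing file hashes against a known-good backup or a fresh deployment catches implants that avoid the patterns above.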



References:
  • The DefendOps Diaries: Understanding the Threat: WordPress MU-Plugins and Security Risks
  • The Hacker News: Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
  • BleepingComputer: Hackers abuse WordPress MU-Plugins to hide malicious code
  • www.scworld.com: WordPress attackers hide malware in overlooked plugins directory
  • Vulnerable U: Stealthy WordPress Malware Exploits Mu-Plugins Directory
  • bsky.app: Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection
  • Cyber Security News: Threat Actors Hide Malware in WordPress Sites to Execute Remote Code
  • gbhackers.com: Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution