Hackers have found a new way to hide backdoors in WordPress websites by using something called MU-Plugins. This method is dangerous because it gives them admin-level access while staying hidden from the website owner. The tactic was recently discovered and is now raising alarms in the cybersecurity community.
MU-Plugins, or Must-Use Plugins, are a special type of WordPress plugin that load automatically on every page. What makes them different is that they don’t show up in the regular plugin section of the WordPress dashboard. That means even if you’re looking for malicious plugins, you might completely miss them unless you know where to look.
In this case, attackers drop a file named wp-index.php into the MU-Plugins folder. The file is designed to contact an external server, but the server's address is scrambled with ROT13, a simple letter substitution that shifts each letter 13 places so the URL never appears in plain text. Once the plugin decodes the URL, it pulls malicious code from the remote server and begins the infection process.
The downloaded code isn't just held temporarily: it's also saved in the site's database under a hidden entry named _hdra_core. From there it gets written to disk briefly, executed to perform its malicious tasks, and then immediately deleted, leaving almost no visible trace behind.
Once inside the system, the backdoor gives full control to the hacker. It secretly creates an admin account called officialwp, which is used to access the site without detection. In some cases, it even resets the passwords of existing admin users like “admin”, “root”, or “wpsupport”, effectively locking out the real site owner.
The malware doesn’t stop there. It also uploads a second file called wp-bot-protect.php, which acts as a backup plan. If the admin tries to remove parts of the infection, this hidden plugin can restore the malware and keep the backdoor alive. This shows that the attackers built this system to be long-lasting and hard to kill.
The main danger here is how stealthy the whole setup is. Most site owners don’t even know what MU-Plugins are, let alone that something can be hiding there. Since the backdoor uses standard WordPress features in clever ways, it’s not flagged by most security plugins or scanners unless you’re specifically checking for it.
Security experts are recommending that WordPress site owners immediately check their wp-content/mu-plugins directory. If you never installed anything there, it should be empty. If it’s not, there’s a chance you’ve been compromised. In that case, remove suspicious files, reset all passwords, and scan your full website immediately.
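As an added example (not from the original article or any security vendor), here is a small Python audit that performs the check described above: it walks wp-content/mu-plugins, flags the two file names named in the article, and unscrambles any ROT13-hidden URL so you can see which server a file would contact. The sample directory it builds, the example.invalid URL and the file site-tweaks.php are constructed for demonstration; point audit_mu_plugins at your real mu-plugins path instead.

```python
import codecs
import os
import re
import tempfile

# File names the article reports being dropped into wp-content/mu-plugins.
KNOWN_BAD_FILES = {"wp-index.php", "wp-bot-protect.php"}

# ROT13 turns "http://" / "https://" into "uggc://" / "uggcf://", so a URL
# scrambled the way the article describes looks like this inside the file.
ROT13_URL_RE = re.compile(r"uggcf?://[A-Za-z0-9./_?=&-]+")
ROT13_CALL_RE = re.compile(r"str_rot13\s*\(")


def scan_file(path):
    """Return (kind, detail) findings for one PHP file."""
    findings = []
    name = os.path.basename(path)
    if name in KNOWN_BAD_FILES:
        findings.append(("known-bad-filename", name))
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if ROT13_CALL_RE.search(text):
        findings.append(("str_rot13-call", name))
    for match in ROT13_URL_RE.finditer(text):
        # Decode the scrambled address so the contacted server is readable.
        findings.append(("rot13-url", codecs.decode(match.group(0), "rot13")))
    return findings


def audit_mu_plugins(mu_dir):
    """Scan every .php file under the mu-plugins directory; [] if it is absent."""
    findings = []
    if not os.path.isdir(mu_dir):
        return findings
    for root, _dirs, files in os.walk(mu_dir):
        for name in sorted(files):
            if name.lower().endswith(".php"):
                findings.extend(scan_file(os.path.join(root, name)))
    return findings


def build_sample_tree():
    """Constructed test data: one benign mu-plugin and one file mimicking the dropper."""
    mu_dir = os.path.join(tempfile.mkdtemp(), "mu-plugins")
    os.makedirs(mu_dir)
    scrambled = codecs.encode("https://example.invalid/drop.txt", "rot13")  # constructed URL
    with open(os.path.join(mu_dir, "wp-index.php"), "w") as fh:
        fh.write("<?php $u = str_rot13('%s');\n" % scrambled)
    with open(os.path.join(mu_dir, "site-tweaks.php"), "w") as fh:
        fh.write("<?php // harmless local customisation\n")
    return mu_dir


if __name__ == "__main__":
    for kind, detail in audit_mu_plugins(build_sample_tree()):
        print(kind, detail)
```

The database-side indicators from the article (the _hdra_core entry and the officialwp admin user) are not on disk, so check those separately in the wp_options and wp_users tables.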
It’s also a good idea to enable two-factor authentication on all admin accounts, keep your plugins and themes updated, and avoid using weak usernames like “admin” or “test.” Hackers often rely on common targets, and strong security practices can block them before they get in.
This new backdoor attack is another reminder that even familiar platforms like WordPress can be misused in sophisticated ways. As attackers become more creative, staying aware of lesser-known features like MU-Plugins is essential to keeping your website secure.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news