A key WordPress feature has been hijacked to show malicious code, spam images
- Researchers from Sucuri found malicious code hiding in the mu-plugins directory
- The malware redirected visitors, served spam, and could even drop malware
- The sites were compromised through vulnerable plugins, poor admin passwords, and more
A special directory in WordPress is being abused to host malicious code, researchers has claimed, warning the code allows threat actors to remain persistent on vulnerable websites, while executing arbitrary code, redirecting people to malicious websites, and displaying unwanted spam and ads.
Researchers from Sucuri discovered threat actors were hiding malicious code in “mu-plugins” (short for Must-Use plugins), a directory that stores plugins that are activated automatically and cannot be deactivated through the admin panel.
These are typically used for essential site functionality, custom modifications, or performance optimizations that should always run.
Remote code execution risks
“This approach represents a concerning trend, as the mu-plugins are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks,” Sucuri researchers explained.
So far, the analysis uncovered three variants of malicious code – redirect.php (redirects visitors to malicious sites), index.php (remote code execution and malware dropper capabilities), and custom-js-loader.php (injects spam).
“The potential impact ranges from minor inconveniences to severe security breaches, highlighting the importance of proactive website security measures,” Sucuri warned.
Discussing how the sites might have been infected, the researchers said there were multiple ways to compromise a WordPress site. That includes exploiting a vulnerable plugin or a theme, compromised admin credentials, or abuse of poorly secured hosting environments.
To mitigate the risk, website admins should scan their WP installation for malicious files (particularly in the mu-plugins directory), check for unauthorized admin accounts, audit installed plugins, update WordPress, plugins, and themes, change all admin passwords and set up 2FA if possible, and monitor file integrity by setting up a security plugin.
WordPress is the world’s best website builder, powering the majority of the websites on the internet. As such, the platform is constantly under a barrage of cyberattacks.
Via The Hacker News