blindthoughts
breaking

WP-SHELLSTORM Is Actively Backdooring WordPress Sites at Scale

What Happened

A cybercrime crew running an operation now dubbed WP-SHELLSTORM made a costly mistake: they left their own command-and-control server exposed on the public internet for three weeks. Researchers who found the open server retrieved the full contents of the operation — custom exploitation tooling, victim logs, and a target list of more than 1.4 million WordPress domains.

According to The Hacker News, the number of sites actually compromised is smaller than the target list, but the campaign is ongoing. The exposed infrastructure revealed automated tooling built specifically to mass-probe WordPress installations and deploy persistent backdoors on vulnerable targets.

Why It Matters

A backdoor is far more dangerous than a one-time breach. Attackers can return weeks or months after initial access to:

WordPress powers roughly 40% of all websites, making it a permanently high-value target. WP-SHELLSTORM sweeps automatically — a target list of 1.4 million domains makes the indiscriminate scale clear. The larger problem: most site owners will not know they've been compromised. Backdoors are typically hidden in unexpected locations, obfuscated, or injected into legitimate files to blend in with normal code.

What To Do Right Now

If you run any WordPress site, treat this as an active threat and audit immediately:

1. Scan for malicious files — run Wordfence or use Sucuri SiteCheck to identify known backdoor signatures.

2. Check for unauthorized admin accounts — go to wp-admin → Users and remove any accounts you don't recognize.

3. Find recently modified PHP files — SSH in and run:

find /path/to/wordpress -name "*.php" -newer /path/to/wordpress/index.php -ls

Pay close attention to wp-content/uploads/ — PHP files there are nearly always malicious.

4. Verify core file integrity — with WP-CLI:

wp core verify-checksums

5. Update everything — WordPress core, all themes, all plugins. These campaigns heavily exploit known vulnerabilities in outdated plugin versions.

6. Lock down uploadswp-content/uploads/ should not be PHP-executable. On most hosts: chmod 755 wp-content/uploads and confirm your server config blocks PHP execution in that directory.

7. Add a WAF — Cloudflare's free tier or a plugin-level firewall (Wordfence, NinjaFirewall) blocks the automated probe patterns this crew relies on.

If you find a backdoor, do not simply delete the file and move on. Assume multiple persistence mechanisms are in place. Take the site offline, restore from a known-clean backup, rotate all credentials (database password, SFTP, hosting panel), and perform a full audit before bringing the site back live.

Sources
  1. Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?