WP-SHELLSTORM Is Actively Backdooring WordPress Sites at Scale
What Happened
A cybercrime crew running an operation now dubbed WP-SHELLSTORM made a costly mistake: they left their own command-and-control server exposed on the public internet for three weeks. Researchers who found the open server retrieved the full contents of the operation — custom exploitation tooling, victim logs, and a target list of more than 1.4 million WordPress domains.
According to The Hacker News, the number of sites actually compromised is smaller than the target list, but the campaign is ongoing. The exposed infrastructure revealed automated tooling built specifically to mass-probe WordPress installations and deploy persistent backdoors on vulnerable targets.
Why It Matters
A backdoor is far more dangerous than a one-time breach. Attackers can return weeks or months after initial access to:
- Serve malware to your visitors
- Host phishing pages targeting your users or third parties
- Redirect traffic to ad fraud or cryptomining operations
- Use your server as a relay in further attacks
- Exfiltrate stored credentials or customer data
WordPress powers roughly 40% of all websites, making it a permanently high-value target. WP-SHELLSTORM sweeps automatically — a target list of 1.4 million domains makes the indiscriminate scale clear. The larger problem: most site owners will not know they've been compromised. Backdoors are typically hidden in unexpected locations, obfuscated, or injected into legitimate files to blend in with normal code.
What To Do Right Now
If you run any WordPress site, treat this as an active threat and audit immediately:
1. Scan for malicious files — run Wordfence or use Sucuri SiteCheck to identify known backdoor signatures.
2. Check for unauthorized admin accounts — go to wp-admin → Users and remove any accounts you don't recognize.
3. Find recently modified PHP files — SSH in and run:
find /path/to/wordpress -name "*.php" -newer /path/to/wordpress/index.php -ls
Pay close attention to wp-content/uploads/ — PHP files there are nearly always malicious.
4. Verify core file integrity — with WP-CLI:
wp core verify-checksums
5. Update everything — WordPress core, all themes, all plugins. These campaigns heavily exploit known vulnerabilities in outdated plugin versions.
6. Lock down uploads — wp-content/uploads/ should not be PHP-executable. On most hosts: chmod 755 wp-content/uploads and confirm your server config blocks PHP execution in that directory.
7. Add a WAF — Cloudflare's free tier or a plugin-level firewall (Wordfence, NinjaFirewall) blocks the automated probe patterns this crew relies on.
If you find a backdoor, do not simply delete the file and move on. Assume multiple persistence mechanisms are in place. Take the site offline, restore from a known-clean backup, rotate all credentials (database password, SFTP, hosting panel), and perform a full audit before bringing the site back live.
Synthesized by Claude · sanity-checked before publish.