A recently uncovered malware campaign has compromised over 5,000 WordPress websites worldwide, utilizing malicious scripts to create unauthorized admin accounts, install backdoors via rogue plugins, and exfiltrate sensitive data. The attack, linked to the domain wp3[.]xyz, was first detected and blocked by the security service c/side, though the exact method of entry remains under investigation.
The campaign was brought to light by c/side, a cybersecurity service specializing in real-time website protection. One of its users was targeted by the malicious script hosted on https://wp3[.]xyz/td.js. c/side’s automated systems flagged and halted the attack, but subsequent analysis revealed a more widespread operation spanning thousands of websites. Despite the early success in stopping the infection for its client, c/side noted that it has yet to identify the initial vector the attackers used to infiltrate the websites.
Anatomy of the attack
The malicious script executes a multi-step attack to take full control of WordPress websites. The primary steps include:
- Creating unauthorized admin accounts: The script fetches the necessary CSRF token from the WordPress admin panel and sends a POST request to create a new admin account with hardcoded credentials (username: wpx_admin). Once the account is created, attackers gain unrestricted administrative access to the site.
- Installing a malicious plugin: Using the newly created admin account, the malware downloads a malicious plugin from the remote server https://wp3[.]xyz/plugin.php. The plugin is then uploaded to the WordPress site via the /wp-admin/update.php?action=upload-plugin endpoint and activated. This plugin serves as a backdoor to steal data and maintain persistent access.
- Data exfiltration: The script communicates with https://wp3[.]xyz/tdw1.php to send stolen data, including admin credentials and operational logs. This communication is disguised as image requests to avoid detection. A final verification step checks whether the plugin has been successfully installed by scanning the site for references to wp3[.]xyz.
Impact on WordPress space
WordPress powers approximately 43% of websites globally, making it a prime target for cyberattacks due to its widespread adoption and extensibility. While the specific victims of this campaign have not been disclosed, the scale of the attack—impacting over 5,000 websites—suggests significant potential damage, especially to small businesses and individual site owners who may lack robust security defenses.
Website administrators and WordPress users are strongly encouraged to take immediate steps to protect their sites from this threat. Here are steps to consider:
- Add https://wp3[.]xyz to your firewall or security tool’s blocklist.
- Look for unauthorized admin users (e.g., wpx_admin) and remove them immediately.
- Delete plugins not recognized as safe or necessary and validate legitimate ones through WordPress's official repository.
- Enable Multi-Factor Authentication (MFA) for all admin accounts.
- Strengthen CSRF protections to mitigate unauthorized requests.
- Use real-time protection and monitoring tools, as well as online tools such as PublicWWW and URLScan, to search for references to the malicious domain in your site’s codebase.
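As an added example (not code from c/side or from the original report), the following Python triage script applies two of the checks above: it walks a WordPress install for files that reference the campaign domain and flags access-log POSTs to the account-creation and plugin-upload endpoints the script abuses. The directory layout and the Apache-style log format are assumptions, and the sample files and log lines are constructed.

```python
"""Triage helper for the wp3[.]xyz campaign: scan files and access logs for its traces."""
import re
import tempfile
from pathlib import Path

IOC_DOMAIN = "wp3.xyz"          # campaign domain from the report
ROGUE_USER = "wpx_admin"        # hardcoded admin username from the report
# Admin endpoints the script drives: account creation and plugin upload.
SUSPECT_PATHS = ("/wp-admin/user-new.php", "/wp-admin/update.php?action=upload-plugin")

# Common Log Format (assumed): ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines: an admin session creating a user, then uploading a plugin.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2025:10:01:02 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jan/2025:10:01:03 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [16/Jan/2025:10:01:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048',
    '198.51.100.4 - - [16/Jan/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

def scan_tree(root: str, exts=(".php", ".js", ".html")) -> list[str]:
    """Return POSIX-style relative paths of files under root that reference the IOC domain."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in exts and IOC_DOMAIN in path.read_text(errors="ignore"):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def scan_access_log(lines) -> list[dict]:
    """Flag POSTs to the abused admin endpoints; correlate with the admin user list before acting."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and any(m["path"].startswith(p) for p in SUSPECT_PATHS):
            flagged.append({"ip": m["ip"], "path": m["path"], "status": m["status"]})
    return flagged

def suspicious_admins(admin_logins) -> list[str]:
    """Given administrator logins (e.g. from `wp user list --role=administrator`), return known rogue ones."""
    return [u for u in admin_logins if u == ROGUE_USER]

def build_sample_site() -> str:
    """Write a constructed mini WordPress tree (one clean file, one tainted plugin) to a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    plugin_dir = Path(root, "wp-content", "plugins", "rogue")
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "rogue.php").write_text("<?php // constructed: beacon to https://wp3.xyz/tdw1.php")
    Path(root, "index.php").write_text("<?php require 'wp-blog-header.php';")
    return root
```

Run `scan_tree` against the real document root and `scan_access_log` over the real log; a file hit or a flagged POST is a lead to investigate, not proof on its own.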