WordPress site operators face a particularly persistent malware campaign that leverages the deprecated php-everywhere plugin to maintain long-term control. This evolving attack vector targets vulnerable plugins like LiteCache and WP-Automatic but goes beyond immediate exploitation by embedding malicious PHP code into posts, ensuring malware persistence even after conventional cleanup efforts.
Key Takeaways
- The php-everywhere plugin was used by attackers to embed arbitrary PHP code within WordPress posts, a method that allows malware to persist on infected sites.
- Malicious posts are created with titles reflecting timestamps or exploit hashes, disguising payloads inside post content to evade detection.
- The php-everywhere plugin was officially closed on April 25, 2024, but many compromised sites still run older versions vulnerable to this abuse.
- The malware drops obfuscated PHP backdoor files in the root directory that download and execute additional payloads, often disabling PHP security functions.
- Removing the php-everywhere plugin alone does not clear infections; thorough scanning for injected posts and root-level PHP files is required.
How php-everywhere Enables Persistent Malware in WordPress
The php-everywhere plugin was designed to allow site owners to run arbitrary PHP code within posts or pages. While this might have legitimate use cases in development or highly customized environments, it poses a critical risk when exploited by attackers. The recent campaign uncovered by WPScan shows that threat actors have weaponized this plugin to create multiple WordPress posts containing PHP code blocks that execute malicious payloads.
Attackers create posts with titles that look like timestamps or hashes (e.g., xtw18387d46f), which makes automated detection harder because the titles appear like random data rather than typical spam or malware markers. The actual malicious code is embedded within the post content using the plugin’s block syntax, allowing the execution of arbitrary PHP each time the post is loaded.
Because these malicious posts are stored in the WordPress database, deleting suspicious files or disabling the plugin alone will not remove the infection. The malware persists in the database, reactivating once the php-everywhere plugin is enabled or the code is triggered, leading to reinfection cycles.
Malware Payloads Dropped in the Site Root and Their Behavior
Besides injecting PHP code into posts, the malware campaign also drops obfuscated PHP files directly into the site’s root directory. One example is a file named 65f82ab408b3.php, which acts as a backdoor listener. This file accepts remote commands via HTTP requests, decoding base64-encoded PHP code sent through parameters and executing them on the server.
The attackers use these backdoors to download additional malicious scripts from external URLs, such as inc.class.ftr.php and inc.class.woopf.php. These scripts employ complex obfuscation techniques, making manual analysis difficult. They also call PHP's unlink() on their own file after execution to erase traces, complicating incident response.
Notably, the campaign uploads a php.ini file with directives that disable common PHP security restrictions, including safe_mode and disable_functions. This effectively lifts many hosting-level protections, allowing the malware to operate with fewer limits.
Why This Campaign Is Particularly Challenging for WordPress Site Operators
From hands-on experience, infections that embed malicious code in the database via posts or pages are much harder to detect and clean than file-based malware. Many standard WordPress security scanners focus on filesystem anomalies, missing malicious content embedded in post content or custom blocks.
Sites running dozens of plugins, especially those with outdated or abandoned ones like php-everywhere, are at greater risk. In environments with frequent content updates or multiple authors, suspicious posts can be overlooked as legitimate content, allowing malware to remain active for weeks or months.
Moreover, the malicious backdoors’ ability to disable PHP security settings means these infections can escalate privileges or evade sandboxing measures common in shared hosting. This increases the likelihood of lateral movement within the hosting environment and persistent reinfection even after partial cleanup.
What This Means for WordPress Users
We strongly advise WordPress site operators to audit their installations for signs of this campaign immediately. First, check if the php-everywhere plugin is installed and active. If so, remove it and then perform a database search for posts containing suspicious PHP code blocks or unusual titles resembling timestamps or hashes.
Next, inspect the root directory for unfamiliar PHP files, especially those with random or hash-like filenames. These files often serve as backdoors and persist beyond plugin removal. Because the malware disables PHP protections, also verify your hosting environment’s PHP configuration to ensure security functions are enabled.
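The triage steps above (flag posts with hash- or timestamp-like titles or encoded PHP in a php-everywhere block, flag hash-named PHP files in the site root, and check an uploaded php.ini for weakened directives) as an added, runnable example; this is not code from the article or from WPScan. The title and filename patterns are heuristics written for this example, the post rows and ini text are constructed sample data, and the post content uses a generic php-everywhere marker rather than the plugin's exact block syntax.

```python
import re

# Heuristic title patterns: hash-like runs such as "xtw18387d46f" and bare timestamps.
TITLE_PATTERNS = [
    re.compile(r"^[a-z]{0,4}[0-9a-f]{8,}$"),          # short prefix + hex-like run
    re.compile(r"^\d{10,14}$"),                       # epoch or yyyymmddhhmmss
    re.compile(r"^\d{4}-\d{2}-\d{2}[ t]\d{2}:\d{2}"),  # 2024-04-25 13:37 style
]
CONTENT_MARKERS = ("php-everywhere", "<?php")          # PHP block present in post body
PAYLOAD_MARKERS = ("base64_decode", "eval(", "gzinflate", "str_rot13")
HASH_FILE = re.compile(r"^[0-9a-f]{8,}\.php$")         # e.g. 65f82ab408b3.php

def suspicious_title(title):
    t = title.strip().lower()
    return any(p.match(t) for p in TITLE_PATTERNS)

def suspicious_content(content):
    c = content.lower()
    return any(m in c for m in CONTENT_MARKERS) and any(m in c for m in PAYLOAD_MARKERS)

def find_suspicious_posts(posts):
    """posts: wp_posts rows as dicts with ID, post_title, post_content. Returns (ID, reason)."""
    hits = []
    for p in posts:
        reasons = []
        if suspicious_title(p["post_title"]):
            reasons.append("hash/timestamp title")
        if suspicious_content(p["post_content"]):
            reasons.append("php block with encoded payload")
        if reasons:
            hits.append((p["ID"], ", ".join(reasons)))
    return hits

def hash_like_php_files(names):
    """Site-root filenames that look like random hashes rather than core/plugin files."""
    return sorted(n for n in names if HASH_FILE.match(n.lower()))

def weakened_ini_directives(ini_text):
    """Directives in a php.ini that switch off hosting-level protections."""
    bad = []
    for line in ini_text.splitlines():
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"').lower()
        if key == "disable_functions" and val == "":
            bad.append("disable_functions cleared")
        if key == "safe_mode" and val in ("off", "0", ""):
            bad.append("safe_mode off")
    return bad

SAMPLE_POSTS = [  # constructed rows for this example, not data from a real site
    {"ID": 101, "post_title": "Spring garden tips", "post_content": "<p>Plant after the last frost.</p>"},
    {"ID": 102, "post_title": "xtw18387d46f",
     "post_content": '<!-- php-everywhere --><?php eval(base64_decode("Li4u")); ?>'},
    {"ID": 103, "post_title": "1714046400", "post_content": "<p>Nothing here</p>"},
]
```

Run the same functions over a real `wp_posts` export, the root directory listing, and the live php.ini; a hit on any of the three is a reason to pull the site for a full cleanup rather than just deleting the plugin.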
This campaign highlights the risks of using plugins that allow arbitrary PHP execution within content—a pattern that has repeatedly led to persistent infections in WordPress. Agencies and freelance developers should reconsider recommending or deploying such plugins on client sites, especially those without strict content controls.
As WordPress security increasingly focuses on layered defenses, this malware campaign signals that attackers are adapting by targeting database persistence and configuration weaknesses. Managed WordPress hosting providers need to consider scanning post content, not just files, and enforcing stricter plugin vetting policies.
Frequently Asked Questions
How does the php-everywhere plugin enable malware persistence?
It allows arbitrary PHP code to be embedded and executed directly inside WordPress posts or pages. Attackers create posts containing PHP payloads that run whenever the post is accessed, maintaining control even if files are cleaned.
Is removing the php-everywhere plugin enough to clean the infection?
No. The malicious posts remain in the database and can reactivate the infection if the plugin is reinstalled or the code is triggered. Complete cleanup requires deleting injected posts and root-level backdoor files.
How can I detect these malicious posts in my WordPress site?
Search your wp_posts table for posts with suspicious titles like timestamps or random hashes and for content containing php-everywhere block code with base64-encoded PHP. Manual or plugin-based database scans can help identify them.
What hosting configurations increase risk for this malware?
Hosts that allow disabling of PHP security functions like disable_functions and safe_mode without restrictions make it easier for malware to operate undetected. Shared hosting providers should monitor for such changes and limit risky PHP configurations.