Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites
An exposed command-and-control server has provided researchers with a live playbook for the WP-SHELLSTORM campaign, which is actively automating attacks against known WordPress plugin vulnerabilities.

Anatomy of the Automated Attack
The WP-SHELLSTORM group's operational server was discovered, revealing an automated process targeting outdated WordPress plugins. The workflow systematically scans for specific, known CVEs, exploits them to gain initial access, and deploys persistent webshells. These webshells provide the attackers with sustained access to the compromised environment, allowing for credential theft, additional malware deployment, or service disruption. The ACSC corroborates this pattern, noting the campaign scans globally for vulnerable plugins across WordPress, Craft CMS, Joomla JCE, and others to plant these same persistent backdoors.
Immediate Diagnostic and Mitigation Steps
The attack surface is defined: unpatched plugins and CMS cores. The response is a forensic audit against this checklist.
1. Scan and Update: Execute wp plugin list --status=active --format=table to audit active plugins. Cross-reference every version against the latest available releases. Update all themes and core immediately.
2. Monitor for Anomalies: Check for unauthorized files, particularly in /wp-content/uploads/, /wp-content/plugins/, and the root directory. Use find /path/to/site -name "*.php" -newer /path/to/index.php to find recently modified PHP files. Correlate with access logs for unexpected POST requests to these files.
3. Harden File Permissions: Set directory permissions to 755 and files to 644. Consider making wp-content/uploads read-only if your configuration allows: chmod -R a-w /path/to/site/wp-content/uploads.
4. Audit User Accounts: Review the wp_users database table for unfamiliar admin-level accounts. Check wp_usermeta for suspicious wp_capabilities entries.
Expect a baseline TTFB increase during the scanning phase. The primary metric of compromise is the presence of unauthorized PHP files with obfuscated or encoded payloads. Remove them, then rotate all database credentials, salts, and keys in wp-config.php. This campaign's automation operates on known vulnerabilities; patching closes the vector. Monitoring for file changes is your baseline detection rule.