Auto-login backdoor disguised as a JavaScript data file in WordPress

A stealthy backdoor is targeting WordPress sites by posing as a harmless JavaScript asset. In reality, it’s a PHP script that logs attackers in as administrators without any credentials. Here’s what’s going on, how to spot it, and how to protect your business.

What’s going on

The malware hides in /wp-admin/js/mr_skk/data.php — an unusual place for a PHP file. When accessed directly, it:

  • Hunts for wp-config.php and loads the full WordPress environment via wp-load.php.
  • Automatically selects an administrator account and creates a valid login session.
  • Redirects to the dashboard, sometimes adding a tracking parameter like ?platform=000webhost.
  • Includes template-loader.php so the request looks like a normal page load, helping it blend in.

How the backdoor works (in plain English)

  • Hidden in plain sight: It’s stored under wp-admin/js/ to resemble a data file, not executable code.
  • Abuses WordPress functions: Custom functions (e.g. auto_login(), get_user_id()) call legitimate APIs such as wp_set_current_user() and wp_set_auth_cookie() to impersonate an admin.
  • No new accounts: It hijacks an existing administrator, so user audits may look clean.
  • Looks legitimate in logs: Because WordPress hooks fire as usual (like wp_login), some security tools record it as a normal login.
  • Persistent access: It creates real authentication cookies, often lasting up to 14 days by default.

Why this matters to your business

  • Total control for attackers: They can install rogue plugins, change content, exfiltrate data or add further backdoors.
  • Reputation & SEO risk: Compromised sites lose visitor trust and may trigger browser or search warnings.
  • Operational impact: Recovery takes time and diverts resources away from growth.

Warning signs

  • Unusual PHP file(s) under /wp-admin/js/, especially mr_skk/data.php.
  • Admin access appearing without corresponding username/password events.
  • Redirects to admin URLs that include odd parameters (e.g. ?platform=000webhost).
  • Unexpected editor access, plugin installs or changes to themes with no recorded user action.

What to do now (quick response)

  1. Shield with a WAF: Put the site behind a web application firewall to filter malicious traffic while you investigate.
  2. Remove the backdoor: Via SFTP/SSH, delete /wp-admin/js/mr_skk/ and any other suspicious PHP files in JavaScript or upload directories. Keep a copy for forensics.
  3. Scan thoroughly: Run a server-side scan to detect additional backdoors and injected code across core, plugins and themes. Follow with professional malware removal if needed.
  4. Audit admin accounts & sessions: Review all administrators, revoke unknown sessions, and enforce 2FA.
  5. Rotate credentials: Change WordPress, hosting, database and SFTP/SSH passwords; regenerate salts and keys.
  6. Check logs & outbound calls: Look for direct requests to the backdoor path and any callbacks to unfamiliar domains; block at the firewall.
  7. Update & harden: Apply the latest core, plugin and theme updates; disable file editing; restrict write permissions.
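The warning signs listed above and step 6 of the response plan can be checked mechanically rather than by eye. The script below is an added example written for this post, not code from the original article or from Sucuri's analysis. It assumes a standard WordPress directory layout and an Apache/nginx "combined" format access log; the directory tree, the log lines and the IP addresses (documentation ranges) it uses are constructed for the demo. It reports PHP files sitting in directories that should only hold static assets, direct requests to a PHP file under /wp-admin/js/, the ?platform=000webhost parameter, and dashboard pages served to a client that never posted credentials to wp-login.php.

```python
import os
import re
import tempfile

# Directories that should hold only static assets; any PHP here is suspect.
STATIC_ONLY_DIRS = ("wp-admin/js", "wp-includes/js", "wp-content/uploads")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

# Apache/nginx "combined" access log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BACKDOOR_FILE_RE = re.compile(r"^/wp-admin/js/.*\.php(\?|$)")
TRACKING_PARAM = "platform=000webhost"
STATIC_SUFFIXES = (".js", ".css", ".png", ".gif", ".jpg", ".svg", ".woff", ".woff2", ".map")
# Reachable by anonymous clients by design, so a 200 here proves nothing.
ANON_ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")


def find_php_in_js_dirs(wp_root):
    """Return relative paths of PHP files found under static-only directories."""
    hits = []
    for sub in STATIC_ONLY_DIRS:
        for dirpath, _, files in os.walk(os.path.join(wp_root, sub)):
            for name in files:
                if name.lower().endswith(PHP_EXTENSIONS):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), wp_root))
    return sorted(hits)


def parse_log(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def suspicious_admin_logins(lines):
    """Return (category, ip, path) findings for the log-based warning signs."""
    findings = []
    logged_in_ips = set()  # clients that presented credentials to wp-login.php
    for rec in parse_log(lines):
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        bare = path.split("?", 1)[0]
        if BACKDOOR_FILE_RE.match(path):
            findings.append(("backdoor_file", ip, path))
        elif rec["method"] == "POST" and bare == "/wp-login.php":
            logged_in_ips.add(ip)
        elif TRACKING_PARAM in path:
            findings.append(("tracking_param", ip, path))
        elif (bare.startswith("/wp-admin/")
              and status == 200          # a 302 here is usually the redirect to the login form
              and not bare.endswith(STATIC_SUFFIXES)
              and bare not in ANON_ADMIN_ENDPOINTS
              and ip not in logged_in_ips):
            # Dashboard page served to a client with no credential event in this log window.
            findings.append(("admin_without_login", ip, path))
    return findings


def build_demo_tree():
    """Construct a throwaway WordPress-like tree with two out-of-place PHP files."""
    root = tempfile.mkdtemp(prefix="wp_demo_")
    for rel in ("wp-admin/js/common.min.js",
                "wp-admin/js/mr_skk/data.php",
                "wp-includes/js/jquery/jquery.js",
                "wp-content/uploads/2024/10/cache.php",
                "wp-content/uploads/2024/10/photo.jpg"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("/* constructed placeholder */\n")
    return root


# Constructed log lines: a normal admin login from 198.51.100.7, the backdoor
# sequence from 203.0.113.5, and an anonymous visitor from 192.0.2.9.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:09:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-admin/js/mr_skk/data.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /wp-admin/?platform=000webhost HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 40210 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:14:00:00 +0000] "GET /wp-admin/js/common.min.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:14:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_php_in_js_dirs(build_demo_tree()))
    for finding in suspicious_admin_logins(SAMPLE_LOG):
        print(*finding)
```

Treat the admin_without_login finding as a lead rather than proof: authentication cookies can outlive the log window you are reading, so a legitimate administrator's wp-login.php POST may simply be older than the retained logs. If the site sits behind a WAF or CDN, take the client address from the forwarded-for header the proxy sets, otherwise every visitor collapses into the proxy's IP and the correlation is meaningless.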

Prevention and ongoing protection

  • Security monitoring: Enable file integrity alerts and behavioural security monitoring to catch changes early.
  • Managed updates: Regular, tested updates as part of proactive website maintenance reduce exposure.
  • WAF in front of WordPress: A reputable web application firewall (WAF) adds virtual patching and bot mitigation for stronger malware protection.
  • Least-privilege access: Limit admin roles, use strong unique passwords, and enforce 2FA for all privileged users.
  • Backups & recovery: Keep automated, off-site backups so you can restore quickly after malware removal.
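A file-integrity alert, as recommended above, is the control that would have flagged this backdoor the moment it was written to disk: data.php is a file that simply did not exist in the clean install. The script below is an added example written for this post, not code from the original article, from Sucuri or from any monitoring product. It hashes every file under a WordPress root into a baseline, stores it as JSON, and on the next run reports what was added, removed or modified; the install it baselines and the "compromise" it simulates are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file so large uploads never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_dirs=("wp-content/cache",)):
    """Map every file path (relative to root) to its SHA-256, skipping noisy dirs."""
    baseline = {}
    for dirpath, dirnames, files in os.walk(root):
        if os.path.relpath(dirpath, root) in skip_dirs:
            dirnames[:] = []  # do not descend into directories that legitimately churn
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(old, new):
    """Report added, removed and modified paths between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    # Keep this file off the web server: an intruder with write access to the
    # site could otherwise rewrite the baseline to hide their changes.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Baseline a constructed clean install, simulate the compromise, and diff."""
    root = tempfile.mkdtemp(prefix="wp_fim_")
    _write(root, "wp-config.php", "<?php /* constructed */\n")
    _write(root, "wp-admin/js/common.min.js", "/* constructed */\n")
    _write(root, "wp-includes/version.php", "<?php $wp_version = '0.0-constructed';\n")
    _write(root, "wp-content/cache/page.html", "<!-- constructed, volatile -->\n")

    # Baseline taken from the known-clean state and stored outside the web root.
    store = os.path.join(tempfile.mkdtemp(prefix="wp_fim_store_"), "baseline.json")
    save_baseline(build_baseline(root), store)

    # Simulated compromise: backdoor dropped under wp-admin/js/, a core file
    # altered, and ordinary cache churn that must not raise an alert.
    _write(root, "wp-admin/js/mr_skk/data.php", "<?php /* constructed placeholder, not the real file */\n")
    _write(root, "wp-includes/version.php", "<?php $wp_version = '0.0-constructed'; /* tampered */\n")
    _write(root, "wp-content/cache/other.html", "<!-- constructed, volatile -->\n")

    return diff_baseline(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline only from a state you trust (a fresh install, or the site immediately after a verified clean-up), refresh it as part of every deliberate update, and run the comparison on a schedule. Anything reported under "added" with a PHP extension in an assets or uploads directory deserves immediate attention.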

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

If you’ve spotted suspicious admin activity or files where they shouldn’t be, we’ll help you clean up calmly and strengthen your WordPress security. Email [email protected] or call 01952 883 526.

Based on research by Sucuri; read the original analysis.