The attackers are constantly lurking

I've recently been contracted to conduct a maintenance and security audit of several WooCommerce websites, mostly targeting visitors from Poland.

While the client has around 8 websites where they sell various stuff, we started with the two most important to them, which makes total sense.

And I could tell from the start it was a mess...

In CyberSecurity, more is less

I could spend a lot of time describing the mess that I was instantly able to see over SFTP.

A bunch of leftover folders from plugins that no longer exist on the site, a publicly exposed debug.log file, and more files and folders in wp-content and wp-content/uploads than you could imagine.

Then on the WP dashboard side:

  • 21 pending plugin updates
  • A pending active theme update
  • A bunch of inactive plugins
  • No security headers present
  • Clogged autoloaded options in the wp_options table
  • Somewhat outdated PHP version
  • ...

But all that is fairly common in my day-to-day work. After all, I'm mostly hired by clients who are aware that their website needs proper care and maintenance.

What struck my attention the most was the number of security plugins:

  • All-In-One Security (AIOS)
  • Anti-Malware Security and Brute-Force Firewall
  • Really Simple Security
  • Sucuri Security - Auditing, Malware Scanner, and Hardening
  • WordFence

These 5 security plugins were all installed at the same time, as if someone were handing out candy for every security plugin you add to your website.

In my practice, I primarily use WordFence, so I didn't thoroughly review the settings of the other four security plugins.

Instead, I proposed removing all four of them and properly configuring WordFence.

Running 5 security plugins at once was not only causing conflicts and dragging the website's performance down.

None of them was properly configured either, so the website was not optimally protected.

Reconfiguring WordFence and running a full scan

After deleting the other four security plugins, I did a "standard" setup of WordFence that I do for most of my clients:

  • Set the scans to compare theme and plugin files against the originals in the repositories
  • Set the scans to flag suspicious admin users and weak passwords
  • Hide the WordPress version
  • Disable code execution in the uploads directory
  • Enforce stronger brute-force protection
  • Optimize the Web Application Firewall settings

Apart from WordFence, we also updated all plugins, some of which had vulnerabilities.

We removed a bunch of unnecessary files and folders, and implemented most of the recommended security headers:

  • Upgrade Insecure Requests
  • X-XSS-Protection
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy
  • HTTP Strict Transport Security

All of this has already done wonders for the security of the site, and the stage was set for a full WordFence scan.

The site has more than 300k files, so the scan took a few hours. But it was well worth it.

An obfuscated webshell in the gallery folder

After several hours of scanning, the Wordfence scan was finally completed.

It pointed to a dozen subscriber accounts with weak passwords, a couple of abandoned plugins (plugins that aren't actively maintained or updated by the original developer), and a couple of plugins that have an active vulnerability.

But the top found result was almost unexpected at this point...

I did manually review and delete a bunch of stuff, and we were aware of some vulnerabilities.

But until this point, there were no signs of an APT (advanced persistent threat) on the site.

Yet, we were wrong.

In the /public_html/wp-content/gallery/oneofthemanygalleries/ folder, WordFence found a file named xpZNQbnC.php.

I opened the file and immediately knew it was malicious.

So I ended up converting the ASCII codes to strings, which revealed the URL it pulls from:

https://raw.githubusercontent.com/MrXcoderofficial/Mrxshell2025/refs/heads/main/xwp.php

Analyzing the file at the URL above quickly made it obvious that this is a classic “WSO-style” webshell, just obfuscated and slightly renamed (Mr.X WSO Webshell 2025).

In a nutshell, this webshell:

  • Sets up a cookie-based “auth” using a hash of the host.
  • Tweaks error_reporting, set_time_limit, and strips magic quotes.
  • Detects the OS (win vs nix), current working directory, document root, etc.
  • Implements a file manager with actions to:
      • Upload files (uploadFile)
      • Create directories (mkdir)
      • Delete files and folders recursively (delete with the Deletedir() function)
      • Rename files
      • Read and edit files

Or in other words, the website was fully compromised, leaving the attacker plenty of room to set up persistence and pivot further (to other websites or other parts of the server).
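The decoding step described above (turning chr() chains back into text) and the search for PHP files where none belong can be scripted as a triage helper for upload and gallery folders. This is an added example, not the post's own tooling; the sample file contents are constructed and the URL in them is a placeholder, not the one found on the site.

```python
import re
from pathlib import Path

# A run of two or more chr(N) calls, optionally joined with PHP's "." operator.
CHR_CHAIN = re.compile(r"(?:chr\(\s*\d{1,3}\s*\)\s*\.?\s*){2,}")
CHR_ONE = re.compile(r"chr\(\s*(\d{1,3})\s*\)")
# Functions an image gallery folder has no legitimate reason to contain.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "file_get_contents(",
                    "curl_exec(", "system(", "shell_exec(", "passthru(")

def decode_chr_chains(php_source):
    """Return the strings hidden in chr(..).chr(..) chains, in file order."""
    decoded = []
    for match in CHR_CHAIN.finditer(php_source):
        codes = [int(c) for c in CHR_ONE.findall(match.group(0))]
        decoded.append("".join(chr(c) for c in codes if c < 256))
    return decoded

def triage(php_source):
    """Return human-readable findings for one PHP file's contents."""
    findings = []
    for text in decode_chr_chains(php_source):
        if re.search(r"https?://", text):
            findings.append(f"chr-encoded URL: {text}")
    lowered = php_source.lower()
    for call in SUSPICIOUS_CALLS:
        if call in lowered:
            findings.append(f"suspicious call: {call[:-1]}")
    return findings

def scan_tree(root):
    """Map every .php file under root (e.g. wp-content/gallery) to its findings."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        findings = triage(path.read_text(errors="ignore"))
        if findings:
            hits[str(path)] = findings
    return hits

# Constructed sample input; the URL is a placeholder, not the one from the post.
PLACEHOLDER_URL = "https://example.invalid/drop.php"
SAMPLE_SHELL = ("<?php $u = " + ".".join(f"chr({ord(c)})" for c in PLACEHOLDER_URL)
                + "; $d = base64_decode($u); ?>")
SAMPLE_CLEAN = "<?php echo 'gallery index'; ?>"

if __name__ == "__main__":
    for name, src in (("sample_shell.php", SAMPLE_SHELL), ("index.php", SAMPLE_CLEAN)):
        print(name, triage(src) or "clean")
```

On a real site, `scan_tree("wp-content/gallery")` lists only the files with findings; any PHP file inside an image folder deserves a look even when it is reported clean.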

Don't wait until it's too late

We cleaned up this file and patched all known vulnerabilities.

We have also set up various protective measures and active scans that will help us locate any further file changes and even capture potentially malicious traffic.

But this fight is not over yet.

We're yet to confirm that the attacker is gone, and that all other sites and the server as a whole are clean, updated, secured, and protected.

And it's not an easy job.

This website has more than 220k WooCommerce orders, so just imagine the potential impact if the attacker were here from the start and patiently recorded the payment details of each customer.

But I guess that's something we're yet to unravel.

For now, I can only urge you to keep your site updated and maintained regularly.

And if you need professional help, you can always reach out.

Stay safe!
