Back to Intelligence

WP-SHELLSTORM: Mass WordPress Backdoor Campaign Exposed — Defense Guide

SA
Security Arsenal Team
July 11, 2026
5 min read

Introduction

In July 2026, the security community gained a rare, unobstructed view into a massive cybercrime operation due to a significant operational security failure by the threat actors. A server used by the crew behind "WP-SHELLSTORM" was left exposed on the internet for three weeks without authentication. This leak provided researchers with access to hacking tools, activity logs, and a target list containing over 1.4 million websites.

While the number of confirmed compromises is lower than the total targets, the exposed data reveals a highly automated mass-hacking operation focused on WordPress instances. The attackers are systematically deploying webshells to maintain persistence, likely for SEO spam, redirect fraud, or serving malware. For defenders, this is not a theoretical risk; the internal logs confirm active exploitation. Immediate action is required to identify webshells and close the security gaps allowing this initial access.

Technical Analysis

Threat Actor: WP-SHELLSTORM (tracked name based on internal tooling discovered on the exposed server).

Affected Products: WordPress CMS (all versions potentially vulnerable depending on plugin/theme posture).

CVE Identifiers: No specific CVE was cited in the source reporting for this campaign; however, the attackers likely leverage vulnerabilities in WordPress plugins or themes published in 2025-2026 or weak credentials.

Attack Chain:

  1. Reconnaissance: The exposed server contained target lists, indicating the actors use automated scanners to identify WordPress hosts.
  2. Initial Access: The operation exploits vulnerabilities in third-party plugins/themes or utilizes brute-force attacks against administrative credentials.
  3. Execution & Persistence: Upon successful access, the attackers deploy PHP-based webshells (backdoors). These are often obfuscated and placed in writable directories like /wp-content/uploads/ to blend in with legitimate media files.
  4. Command & Control (C2): The webshells receive commands from the actor's infrastructure, allowing for remote code execution (RCE) directly on the web server.

Exploitation Status: Confirmed active exploitation. The logs found on the exposed server detail successful intrusions and subsequent webshell deployment against live targets.

Detection & Response

The following detection mechanisms focus on the primary persistence mechanism observed in this campaign: the creation of PHP webshells in unexpected directories and suspicious CLI execution.

SIGMA Rules

YAML
---
title: WP-SHELLSTORM Webshell Creation in Uploads Directory
id: 8c4f3d21-1a9e-4b5c-9e2d-1f3b4c5d6e7f
status: experimental
description: Detects the creation of PHP files in the WordPress uploads directory, a common location for webshell persistence in mass compromises.
references:
  - https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|contains: '/wp-content/uploads/'
    TargetFilename|endswith: '.php'
  condition: selection
falsepositives:
  - Legitimate plugins generating cache files (rare in uploads)
  - Misconfigured upload forms allowing PHP execution
criticality: high
---
title: Suspicious PHP CLI Execution
id: 9d5e4f32-2b0f-5c6d-0f3e-2g4c5d6e7f8g
status: experimental
description: Detects execution of PHP via command line with code execution flags (-r) often used by webshells or automated scripts.
references:
  - https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith: '/php'
    CommandLine|contains: '-r'
  condition: selection
falsepositives:
  - Administrative scripts using php -r for updates
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for the creation of PHP files within the WordPress uploads directory, a key indicator of the WP-SHELLSTORM methodology.

KQL — Microsoft Sentinel / Defender
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains @"/wp-content/uploads/"
| where FileName endswith ".php"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, SHA256
| order by Timestamp desc

Velociraptor VQL

Hunt artifact to locate PHP files deposited in the uploads directory, which should typically contain images or media, not executable code.

VQL — Velociraptor
-- Hunt for PHP files in WordPress uploads directories
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/var/www/html/**/wp-content/uploads/**/*.php')
WHERE Mtime > ago("-7d")

Remediation Script (Bash)

A bash script to scan for common webshell signatures and suspicious files in WordPress uploads directories. This should be run as root or the web server user.

Bash / Shell
#!/bin/bash

# WP-SHELLSTORM Remediation Script
# Scans for common webshell patterns in wp-content/uploads

UPLOAD_DIR="/var/www/html/wp-content/uploads"
LOG_FILE="/tmp/wp_shellstorm_scan.log"

# Common webshell functions/strings to scan for
PATTERNS=("eval(" "base64_decode" "gzinflate" "str_rot13" "assert(" "create_function" "passthru" "shell_exec" "system(" "exec(" "popen(" "proc_open")

echo "Starting scan for WP-SHELLSTORM indicators in $UPLOAD_DIR..." | tee -a "$LOG_FILE"

# Find .php files in uploads directory
find "$UPLOAD_DIR" -type f -name "*.php" -print0 | while IFS= read -r -d '' file; do
    echo "Checking: $file" | tee -a "$LOG_FILE"
    
    # Check for suspicious strings
    for pattern in "${PATTERNS[@]}"; do
        if grep -qi "$pattern" "$file"; then
            echo "[ALERT] Suspicious pattern '$pattern' found in $file" | tee -a "$LOG_FILE"
        fi
    done
done

echo "Scan complete. Review $LOG_FILE for details."

Remediation

  1. Identify and Remove Webshells: Use the detection script above to locate malicious PHP files. Do not simply delete them; analyze the content to understand the scope of the breach. Restore affected files from a clean backup if available.
  2. Update and Patch: Ensure WordPress core, all plugins, and themes are updated to their latest versions. Pay special attention to any plugins known to have vulnerabilities in 2025-2026.
  3. Credential Reset: Assume all administrative credentials have been compromised. Force a password reset for all users with administrative privileges and enforce strong password policies and Multi-Factor Authentication (MFA).
  4. Access Control: Verify file permissions. The wp-content/uploads/ directory should never have execute permissions for scripts. Ensure .htaccess or nginx.conf rules explicitly deny the execution of PHP in upload directories.
  5. Integrity Monitoring: Implement File Integrity Monitoring (FIM) to alert on any future creation or modification of PHP files in the wp-content directory tree.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchwordpresswebshellwp-shellstormcms-securitythreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.