WP-SHELLSTORM Exposed: Hackers Backdoored Thousands of WordPress Websites  | eSecurity Planet

WP-SHELLSTORM Exposed: Hackers Backdoored Thousands of WordPress Websites 

An exposed WP-SHELLSTORM server revealed how attackers used known vulnerabilities to automate large-scale WordPress website compromises.

Written By
Ken Underhill
Ken Underhill
Jul 10, 2026
4 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A simple operational mistake by a cybercrime group has provided researchers with an inside look at how large-scale website compromises are conducted.

According to research from SOCRadar, an internet-exposed server belonging to a threat group tracked as WP-SHELLSTORM remained publicly accessible for approximately three weeks. 

“WP-SHELLSTORM is industrialized cybercrime made visible because someone left a Python SimpleHTTPServer directory open without authentication for 22 days,” said Jacob Krell, senior director, secure AI solutions and cybersecurity at SuzuLabs, in an email to eSecurityPlanet.

He added, “Many organizations still assess their external exposure only when a major Common Vulnerabilities and Exposures entry is published or during periodic vulnerability assessments.”

Key takeaways

  • An exposed WP-SHELLSTORM server revealed how attackers automated large-scale WordPress website compromises using known vulnerabilities.
  • The campaign primarily targeted outdated WordPress plugins and Joomla components rather than relying on zero-day exploits.
  • More than 1.4 million websites appeared on attacker target lists, but researchers confirmed that far fewer were successfully compromised.
  • The exposed infrastructure also uncovered an earlier campaign that stole enterprise cloud credentials before shifting to mass website backdooring. 

How WP-SHELLSTORM compromised WordPress websites 

WP-SHELLSTORM operated as a webshell access brokerage, compromising websites in bulk before reselling access. 

Their server contained roughly 800 MB of data, including exploit tools, webshells, target lists, activity logs, and command histories. 

The exposed files revealed how the group compromised vulnerable websites, providing new insight into a large-scale WordPress webshell operation. 

Rather than using zero-day vulnerabilities, the group automated attacks against known flaws in outdated WordPress plugins, exposing weaknesses in WordPress website security. 

Known WordPress vulnerabilities fueled the attacks 

Researchers found the toolkit supported exploitation of 27 known vulnerabilities, although a small number accounted for most of the activity. 

The most successful attack targeted the Breeze WordPress caching plugin (CVE-2026-3844), which attackers launched against more than 45,000 websites. 

According to the group’s own logs, more than 17,000 webshells were deployed, making it one of the largest documented WordPress webshell attacks observed this year. 

Advertisement

Breeze and Joomla vulnerabilities were key targets 

However, researchers noted that the vulnerability only affects Breeze installations where the non-default “Host Files Locally – Gravatars” option is enabled, limiting the number of truly vulnerable websites.

The attackers also heavily targeted CVE-2026-48907, which is a Joomla JCE Editor vulnerability.

Large target lists did not equal large-scale compromise

The exposed data referenced more than 1.4 million websites, but researchers cautioned that this number represented scanning targets rather than confirmed victims.

One file alone contained over 587,000 Joomla domains selected for scanning. 

After removing duplicates and validating successful compromises, Ctrl-Alt-Intel identified approximately 25,195 compromised websites, while SOCRadar observed more than 5,700 active webshells during its analysis.

Webshells provided persistent access

Once attackers successfully exploited a vulnerable website during the WordPress webshell attack, they installed an obfuscated webshell called down.php, which researchers believe was derived from the open-source Chinese webshell BestShell.

The backdoor enabled attackers to execute commands remotely, browse files, steal credentials, establish reverse shells, and move laterally throughout compromised environments.

For additional persistence, the operators deployed the SNOWLIGHT dropper to install VShell, a remote access tool designed to disguise itself as a legitimate Linux kernel worker process by using names such as [kworker/0:2].

Although VShell has appeared in campaigns linked to suspected Chinese state actors, researchers said it is also widely used by Chinese-speaking cybercriminals. 

As a result, its presence alone does not indicate nation-state involvement.

Advertisement

Researchers uncovered an earlier credential theft campaign

The exposed server also revealed evidence of an earlier campaign conducted before launching the large-scale WordPress webshell attack. 

According to SOCRadar, the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and steal configuration data from organizations.

Researchers also recovered cloud credentials for AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, along with database passwords and cryptographic keys.

SOCRadar believes the sequence suggests the group first harvested enterprise credentials before shifting toward the higher volume website backdooring campaign.

Operational mistakes exposed the attackers

Despite operating a sophisticated toolkit, the threat actors made several operational security errors.

The group left an unauthenticated Python web server publicly accessible for 22 days, exposing internal command histories, FOFA search configurations, exploit scripts, and infrastructure details. 

Researchers also observed evidence that the operators attempted to delete portions of the logs after realizing the exposure, but the effort came too late.

Based on Simplified Chinese found throughout the files, the use of FOFA, and the malware employed, researchers assess with moderate to high confidence that the operators are Chinese or Chinese-speaking. 

However, SOCRadar believes the campaign was financially motivated rather than linked to a government-sponsored operation.

Advertisement

How organizations can reduce risk

Organizations responsible for WordPress website security or Joomla environments should prioritize installing the latest security updates.

To reduce the risk of similar attacks:

  • Patch WordPress, Joomla, and all plugins, prioritizing vulnerabilities known to be under active exploitation based on the research.
  • Remove or disable unused plugins, themes, and extensions to reduce your overall attack surface.
  • Continuously monitor websites for unauthorized file changes, suspicious webshells, and other indicators of a WordPress webshell attack. 
  • Hunt for indicators of compromise, including suspicious files such as .bd.php, .wp-log.php, and .brq-*.php, as well as fake [kworker] processes with executable paths or network connections.
  • Rotate credentials and API keys if vulnerable systems, such as exposed Nacos servers, may have been compromised.
  • Test incident response plans and use simulations with scenarios around website compromise. 

Collectively, these measures can help organizations reduce overall exposure and build resilience.

Bottom Line

The WP-SHELLSTORM operation serves as another reminder that effective WordPress website security depends on consistently addressing known risks, not just responding to the latest threats.  

As threat actors increasingly leverage AI to identify targets and scale attacks, automated exploitation of known vulnerabilities continues to fuel large-scale WordPress webshell campaigns. 

Organizations can reduce risk by combining timely patching or virtual patching, continuous monitoring, tested incident response plans, and zero trust principles that help limit the blast radius of successful compromises. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.