Exposed Server Reveals 25,000 Compromised WordPress Websites

Exposed Server Reveals 25,000 Compromised WordPress Websites

Exposed Server Reveals 25,000 Compromised WordPress Websites

Source: ChatGPT

An exposed WP-SHELLSTORM server revealed tools, logs, cloud credentials, and thousands of webshells used in a large website hacking campaign.

Written By
Ken Underhill
Ken Underhill
Jul 10, 2026

A simple operational mistake by a cybercrime group has given researchers an inside look at how large-scale website compromises are carried out.

According to research from SOCRadar, an internet-exposed server belonging to a threat group tracked as WP-SHELLSTORM remained publicly accessible for approximately three weeks.

“WP-SHELLSTORM is industrialized cybercrime made visible because someone left a Python SimpleHTTPServer directory open without authentication for 22 days,” said Jacob Krell, senior director, secure AI solutions and cybersecurity at SuzuLabs, in an email to eSecurityPlanet.

He added, “Many organizations still assess their external exposure only when a major Common Vulnerabilities and Exposures entry is published or during periodic vulnerability assessments.”

Key takeaways from the hack

  • An exposed WP-SHELLSTORM server revealed how attackers automated large-scale WordPress website compromises using known vulnerabilities.
  • The campaign primarily targeted outdated WordPress plugins and Joomla components rather than relying on zero-day exploits.
  • More than 1.4 million websites appeared on attacker target lists, but researchers confirmed that far fewer were successfully compromised.
  • The exposed infrastructure also uncovered an earlier campaign that stole enterprise cloud credentials before shifting to mass website backdooring.

How WP-SHELLSTORM compromised WordPress websites

WP-SHELLSTORM operated as a webshell access brokerage, compromising websites in bulk before reselling access.

Their server contained roughly 800 MB of data, including exploit tools, webshells, target lists, activity logs, and command histories.

The exposed files revealed how the group compromised vulnerable websites, providing new insight into a large-scale WordPress webshell operation. Rather than using zero-day vulnerabilities, the group automated attacks against known flaws in outdated WordPress plugins, exposing weaknesses in WordPress website security.

Known WordPress vulnerabilities fueled the attacks

Researchers found the toolkit supported exploitation of 27 known vulnerabilities, although a small number accounted for most of the activity. The most successful attack targeted the Breeze WordPress caching plugin (CVE-2026-3844), which attackers launched against more than 45,000 websites.

According to the group’s own logs, more than 17,000 webshells were deployed, making it one of the largest documented WordPress webshell attacks observed this year.

Advertisement

Breeze and Joomla vulnerabilities were key targets

However, researchers noted that the vulnerability affects only Breeze installations in which the non-default “Host Files Locally – Gravatars” option is enabled, thereby limiting the number of truly vulnerable websites.

The attackers also targeted CVE-2026-48907, a Joomla JCE Editor vulnerability.

Large target lists did not equal large-scale compromise

The exposed data referenced more than 1.4 million websites, but researchers cautioned that this number represented scanning targets rather than confirmed victims.

One file alone contained over 587,000 Joomla domains selected for scanning.

After removing duplicates and validating successful compromises, Ctrl-Alt-Intel identified approximately 25,195 compromised websites, while SOCRadar observed more than 5,700 active webshells during its analysis.

Webshells provided persistent access

Once attackers successfully exploited a vulnerable website during the WordPress webshell attack, they installed an obfuscated webshell called down.php, which researchers believe was derived from the open-source Chinese webshell BestShell.

The backdoor enabled attackers to execute commands remotely, browse files, steal credentials, establish reverse shells, and move laterally throughout compromised environments.

For additional persistence, the operators deployed the SNOWLIGHT dropper to install VShell, a remote access tool that disguises itself as a legitimate Linux kernel worker process by using names such as [kworker/0:2].

Although VShell has appeared in campaigns linked to suspected Chinese state actors, researchers said it is also widely used by Chinese-speaking cybercriminals. As a result, its presence alone does not indicate nation-state involvement.

Advertisement

Researchers uncovered an earlier credential theft campaign

The exposed server also revealed evidence of an earlier campaign conducted before launching the large-scale WordPress webshell attack.

According to SOCRadar, the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and steal configuration data from organizations.

Researchers also recovered cloud credentials for AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, along with database passwords and cryptographic keys.

SOCRadar believes the sequence suggests the group first harvested enterprise credentials before shifting toward the higher volume website backdooring campaign.

Must-read security coverage

Operational mistakes exposed the attackers

Despite operating a sophisticated toolkit, the threat actors made several operational security errors.

The group left an unauthenticated Python web server publicly accessible for 22 days, exposing internal command histories, FOFA search configurations, exploit scripts, and infrastructure details. Researchers also observed evidence that the operators attempted to delete portions of the logs after realizing the exposure, but the effort came too late.

Based on Simplified Chinese found throughout the files, the use of FOFA, and the malware employed, researchers assess with moderate to high confidence that the operators are Chinese or Chinese-speaking.

However, SOCRadar believes the campaign was financially motivated rather than linked to a government-sponsored operation.

Advertisement

How organizations can reduce risk

Organizations responsible for WordPress website security or Joomla environments should prioritize installing the latest security updates.

To reduce the risk of similar attacks:

  • Patch WordPress, Joomla, and all plugins, prioritizing vulnerabilities known to be under active exploitation based on the research.
  • Remove or disable unused plugins, themes, and extensions to reduce your overall attack surface.
  • Continuously monitor websites for unauthorized file changes, suspicious webshells, and other indicators of a WordPress webshell attack.
  • Hunt for indicators of compromise, including suspicious files such as .bd.php, .wp-log.php, and .brq-*.php, as well as fake [kworker] processes with executable paths or network connections.
  • Rotate credentials and API keys if vulnerable systems, such as exposed Nacos servers, may have been compromised.
  • Test incident response plans and use simulations with scenarios around website compromise.

Collectively, these measures can help organizations reduce overall exposure and build resilience.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.