WordPress glossary

C2 Server (Command and Control)

An external server that compromised WordPress sites beacon to for instructions, payloads, or stolen data.

Last updated 27 June 2026 · Reviewed by Ali Yasin Jatoi

After initial compromise, malware on a WordPress site phones home to a C2 (command and control) server to receive new spam URLs, updated redirect targets, or exfiltrate admin credentials. Outbound calls often hide inside legitimate looking endpoints (cache, usererp, analytics). Block known C2 hosts at the WAF and grep wp-content for hardcoded external URLs as part of every incident response.

Related terms

mu-plugin Malware
Malicious code dropped into wp-content/mu-plugins/ so WordPress auto-loads it on every request without showing it in the plugins screen.
Trojanized Core File
A WordPress core file (like wp-blog-header.php or wp-load.php) modified to load attacker code on every request.
wp-adminerlzp Hidden Admin User
A persistence backdoor that re-creates a rogue WordPress administrator with a wp-adminerlzp-style username after every cleanup.

When this comes up in the wild

mu-plugin malware that keeps coming backIncident playbook
IOC moat: WordPress hack fingerprints we trackIncident playbook

Need this fixed, not just defined?

We have shipped hundreds of fixes for exactly this kind of issue. Book a 20 minute call and we will tell you straight whether it is a quick fix or a bigger root cause.

Book a 20 minute call +92 346 600 8404

robots.txt Hijack Knowledge Panel

Call Book a call