Investigating the 'slince_golden' WordPress Backdoor
Jun 3, 2025
trunc_team

Over the past few weeks we've observed a wave of scanners probing WordPress sites for backdoors that respond to a parameter called slince_golden (a play on "Silence is Golden," used by WordPress on empty index files). The scanning has been going on for a while and the backdoor is not new, but we recently decided to look into it more closely because we could not find any articles or public information about it.



First, the scanners mostly look for these 3 files: .wp-content.php, .wp-includes.php, and .wp-admin.php, which do not exist in a standard WordPress installation. All the requests include query strings such as ?slince_golden=test and additional encoded parameters like &is=%40ikisifre&m=[a-z]_. This is what the logs look like:



[REDACTED] 146.19.215.12 "GET /wp-admin/.wp-admin.php?slince_golden=test"
[REDACTED] 146.19.215.12 "GET /wp-content/.wp-content.php?slince_golden=test"
[REDACTED] 146.19.215.12 "GET /wp-include/.wp-include.php?slince_golden=test"
[REDACTED] 146.19.215.118 "POST /wp-includes/.wp-includes.php?slince_golden=true&is=%40ikisifre&m=drw_"
[REDACTED] 146.19.215.118 "POST /wp-admin/.wp-admin.php?slince_golden=true&m=sks_"
[REDACTED] 146.19.215.118 "POST /wp-content/.wp-content.php?slince_golden=true&m=zwf_"


Note that the presence of these files on a site strongly suggests prior compromise (e.g., a webshell upload) and that the attackers are using them to reinfect the site and/or modify whatever malware they already uploaded there. Legitimate WordPress core directories should never contain dot-prefixed or duplicate-named PHP files. Detection tip: Defenders are encouraged to set up alerts for access to hidden PHP files and validate all core files against clean installs.
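One way to implement the alerting half of that tip, as an added example (not code from our tooling or from the backdoor): a small Python triage script that flags requests for dot-prefixed PHP files or carrying the slince_golden parameter. The sample lines are constructed with documentation-range IPs, and the trailing HTTP status field is an assumption about your log format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the log lines above. The trailing status
# code is an assumed extra field; the IPs are documentation-range addresses.
SAMPLE_LOG = '''\
[REDACTED] 192.0.2.10 "GET /wp-admin/.wp-admin.php?slince_golden=test" 404
[REDACTED] 192.0.2.10 "GET /wp-content/.wp-content.php?slince_golden=test" 200
[REDACTED] 192.0.2.77 "POST /wp-includes/.wp-includes.php?slince_golden=true&is=%40ikisifre&m=drw_" 404
[REDACTED] 198.51.100.5 "GET /wp-login.php" 200
[REDACTED] 198.51.100.5 "GET /wp-content/themes/x/style.css?ver=6.5" 200
'''

# timestamp, client IP, quoted "METHOD target", optional status code
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)"(?: (?P<status>\d{3}))?$'
)

def classify(line):
    """Return a finding dict for a suspicious request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    filename = url.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if filename.startswith(".") and filename.endswith(".php"):
        reasons.append("hidden-php")      # dot-prefixed PHP file requested
    if "slince_golden" in parse_qs(url.query, keep_blank_values=True):
        reasons.append("slince_golden")   # the scanner's probe/trigger parameter
    if not reasons:
        return None
    # A 200 for a hidden PHP file means the file may exist on disk: check the host.
    hit = m["status"] == "200" and "hidden-php" in reasons
    return {"ip": m["ip"], "path": url.path, "reasons": reasons,
            "severity": "investigate" if hit else "probe"}

def scan(log_text):
    """Return (findings, request count per source IP) for a block of log text."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    return hits, Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    findings, by_ip = scan(SAMPLE_LOG)
    for h in findings:
        print(h["severity"], h["ip"], h["path"], ",".join(h["reasons"]))
    print(by_ip.most_common())
```

Lines marked "investigate" are the ones to follow up with a file-integrity check against a clean WordPress install, since a soft-404 page can also return 200.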



Technical Analysis: What 'slince_golden' Is Really Doing
We only see the scanners looking for this backdoor, but we don't have access to any site compromised by it. However, searching online, we found the actual PHP code that is tied to the slince_golden keyword. It attempts to:

  • 1- Download and execute remote PHP webshells from r57shell[.]net, a known malicious domain for sharing backdoors.
  • 2- Write backdoor code into hidden files like .wp-content.php and others inside core directories.
  • 3- Use slince_golden as a test or trigger — returning <!-- //Silence is golden. --> to signal successful installation.
  • 4- Enable remote code execution via URL parameters such as ?f=base64_decode&c=encoded_payload.

So the attackers scan for 'slince_golden' to identify sites that have been compromised.



Top IP Addresses Involved
From our monitoring, the following IPs have been the most active in scanning or attempting access using the slince_golden parameter over the past 7 days:

  • 146.19.215.118 — 1,757 requests (28.7%)
  • 45.61.161.124 — 1,018 requests (16.6%)
  • 196.251.69.118 — 658 requests (10.7%)
  • 196.251.69.125 — 584 requests (9.5%)
These IPs should be considered for temporary blocking or further analysis.



And that's it. We found it interesting to see that specific keyword in so many scans against multiple sites and decided to spend some time looking into it. Let us know if you want additional information or want us to look into it more.


