Photo by Nikita Belokhonov on <a href="https://www.pexels.com/photo/anonymous-hacker-with-on-laptop-in-white-room-5829726/" rel="nofollow">Pexels.com</a>
Hackers are exploiting the WordPress mu-plugins (“Must-Use Plugins”) directory to secretly execute malicious code on every page load, evading detection. This tactic was first identified by security researchers at Sucuri in February 2025 and is becoming increasingly common.
MU-plugins are special plugins that run automatically, without being activated in the admin dashboard, and they cannot be deactivated from it either; removing one means deleting its file. They are stored in the wp-content/mu-plugins/ directory and do not appear in the standard plugins list unless the "Must-Use" filter on the Plugins screen is selected.
Attackers have been using this directory to deploy various types of malware, including:
redirect.php: Redirects users to a malicious site that tricks them into downloading malware.
index.php: A webshell that provides a backdoor for remote command execution.
custom-js-loader.php: Loads JavaScript that replaces site images with explicit content and hijacks outbound links.
The webshell poses a significant threat as it allows attackers to execute commands on the server and potentially steal data. Sucuri emphasizes the importance of securing WordPress sites by applying updates to plugins, disabling unnecessary ones, and using strong credentials with multi-factor authentication.
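Added example, not from the post or from Sucuri: a Python script that audits an mu-plugins directory the way a defender would, listing every file that is not on a site-owner allowlist and flagging both the file names reported above and PHP functions that webshells commonly use. The directory and its three sample files are constructed inline so the script runs offline; the real path and allowlist are assumptions to replace with the site's own.

```python
"""Audit wp-content/mu-plugins/ for files that should not be there."""
import re
import tempfile
from pathlib import Path

# File names Sucuri reported being dropped into mu-plugins (from the post).
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}

# PHP functions legitimate mu-plugins rarely call but webshells usually do (triage heuristic, not proof).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|exec)\s*\(",
    re.IGNORECASE,
)

def audit_mu_plugins(mu_dir: str, allowlist: frozenset = frozenset()) -> list:
    """Return one finding per file not on the allowlist (paths relative to mu_dir), with reasons."""
    findings = []
    for path in sorted(Path(mu_dir).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(mu_dir).as_posix()
        if rel in allowlist:
            continue
        reasons = ["not on allowlist"]
        if path.name in REPORTED_NAMES:
            reasons.append("name matches a file reported by Sucuri")
        if path.suffix.lower() == ".php":
            text = path.read_text(errors="ignore")
            hits = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)})
            if hits:
                reasons.append("suspicious calls: " + ", ".join(hits))
        findings.append({"file": rel, "reasons": reasons})
    return findings

def build_sample_dir() -> str:
    """Constructed mu-plugins directory: one legitimate file and two look-alikes (not real malware)."""
    d = tempfile.mkdtemp(prefix="mu-plugins-")
    samples = {
        "site-tweaks.php": "<?php\nadd_filter('show_admin_bar', '__return_false');\n",
        "index.php": "<?php\n// constructed: shape of an obfuscated loader, payload is a placeholder\neval(base64_decode('PLACEHOLDER'));\n",
        "redirect.php": "<?php\nadd_action('init', function () { wp_redirect('https://example.invalid/'); exit; });\n",
    }
    for name, body in samples.items():
        Path(d, name).write_text(body)
    return d

if __name__ == "__main__":
    # Real use: audit_mu_plugins('/var/www/html/wp-content/mu-plugins', allowlist=frozenset({...}))
    for finding in audit_mu_plugins(build_sample_dir(), frozenset({"site-tweaks.php"})):
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

Treat every finding as a file to inspect by hand and compare against a known-good copy of the site; an empty allowlist flags everything, which is the right default for a site that never deployed mu-plugins deliberately.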
