Cybercriminals are exploiting a little-known feature in WordPress known as “mu-plugins” to inject malicious code, enabling persistent access to infected sites. Their goal is to hijack site images, insert spam, and redirect visitors to fraudulent websites, all while remaining undetected.
What Are WordPress mu-Plugins?
Must-use plugins, or mu-plugins, reside in a special directory (wp-content/mu-plugins). Unlike regular plugins, they activate automatically and do not appear in the WordPress admin panel. This makes them an attractive hiding spot for malware, as site administrators may overlook them during security checks.
“This approach represents a concerning trend,” noted Sucuri researcher Puja Srivastava. “Mu-plugins do not appear in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks.”
How Hackers Are Abusing mu-Plugins
Recent investigations by Sucuri uncovered three different types of malicious PHP scripts hidden in the mu-plugins directory:
redirect.php– Redirects visitors to external malicious websites, often disguised as fake browser updates to trick users into downloading malware.index.php– Functions as a backdoor, allowing attackers to execute arbitrary code by pulling scripts from remote sources, such as GitHub.custom-js-loader.php– Injects spam content, replaces all images on the site with explicit content, and hijacks outbound links to direct traffic to scam sites.
The redirect.php script even includes a function to detect whether a visitor is a bot, allowing attackers to exclude search engine crawlers and avoid detection by security tools.
Expanding Tactics: WordPress as a Malware Distribution Platform
Hackers are increasingly using compromised WordPress sites to distribute malware. One alarming tactic involves deceiving users into executing malicious PowerShell commands on their Windows machines by presenting fake Google reCAPTCHA or Cloudflare CAPTCHA prompts. This technique, known as ClickFix, is being used to spread the Lumma Stealer malware.
Another method involves injecting malicious JavaScript into hacked WordPress pages. These scripts can either redirect visitors to dangerous third-party domains or act as skimmers, stealing financial information entered on checkout pages.
How Are WordPress Sites Being Compromised?
While the exact methods used to breach WordPress sites in these attacks are unclear, common vulnerabilities include:
Outdated or insecure plugins and themes
Weak or compromised admin credentials
Misconfigured servers exposing WordPress to remote attacks
Exploited Vulnerabilities in WordPress Plugins and Themes
According to a Patchstack report, hackers have been actively exploiting critical security flaws in WordPress plugins since early 2024. Some of the most severe include:
CVE-2024-27956 (CVSS 9.9): Unauthenticated SQL execution vulnerability in WordPress Automatic Plugin (AI content generator & auto-poster)
CVE-2024-25600 (CVSS 10.0): Remote code execution (RCE) vulnerability in Bricks theme
CVE-2024-8353 (CVSS 10.0): PHP object injection to RCE in GiveWP plugin
CVE-2024-4345 (CVSS 10.0): Arbitrary file upload vulnerability in Startklar Elementor Addons
How to Protect Your WordPress Site
To mitigate these threats, WordPress site owners should take proactive security measures:
Regular Updates: Keep all plugins, themes, and core WordPress files up to date.
Security Audits: Regularly scan for malware and suspicious code, especially in the mu-plugins directory.
Strong Authentication: Use strong passwords and implement two-factor authentication (2FA) for admin accounts.
Web Application Firewall (WAF): Deploy a WAF to block malicious requests and prevent code injections.
Restrict Plugin Installations: Limit plugin installations to only trusted sources and disable unnecessary features that could be exploited.
Conclusion
Hackers are becoming more sophisticated in exploiting WordPress vulnerabilities, and the abuse of mu-plugins is a clear example of how attackers can maintain stealthy persistence. Website administrators must stay vigilant, regularly inspect their sites, and implement robust security measures to prevent unauthorized access. Keeping WordPress secure is not just about protecting a website—it’s about safeguarding users from cyber threats that can compromise their data and privacy.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Quick Machine Recovery: Microsoft’s Solution to Windows 11 Startup Issues