
Hackers Exploit WordPress Logins, Secretly Run Codes

Adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.


Threat actors are exploiting the WordPress mu-plugins ("Must-Use Plugins") directory to secretly execute malicious code on every page load while avoiding detection.

The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.

Talking about the increase in mu-plugins infections, Sucuri's security analyst Puja Srivastava said, “attackers are actively targeting this directory as a persistent foothold.”

About "Must-have" malware

Must-Use Plugins are a kind of WordPress plugin that runs automatically on every page load without needing to be activated in the admin dashboard. Mu-plugins are files stored in the 'wp-content/mu-plugins/' directory and are not listed on the regular "Plugins" admin page unless the "Must-Use" filter is selected.

They have genuine use cases, such as implementing site-wide functionality for custom security rules, dynamically changing variables or code, and performance tweaks. But because these plugins run on every page load and are not shown in the standard plugin list, hackers can exploit them to secretly carry out a variety of malicious activities, such as injecting malicious code, altering HTML output, or stealing credentials.

Sucuri found three payloads that hackers are deploying in the mu-plugins directory, suspected to be part of a larger financially motivated campaign.

According to Sucuri, these include:

Fake Update Redirect Malware: Detected in the file wp-content/mu-plugins/redirect.php, this malware redirected site visitors to an external malicious website.

Webshell: Found in ./wp-content/mu-plugins/index.php, it allows attackers to execute arbitrary code, granting them near-complete control over the site.

Spam injector: a spam injection script located in wp-content/mu-plugins/custom-js-loader.php. It was being used to inject unwanted spam content into the infected website, possibly to boost the SEO rankings of malicious actors or to promote scams.

How do you spot it?

A few obvious signs can help spot this malware. One unusual behavior on the site is unauthorized redirection of visitors to external malicious websites. Secondly, malicious files with odd names that spoof real plugins appear inside the mu-plugins directory. Third, site admins may observe “elevated server resource usage with no clear explanation, along with unexpected file modifications or the inclusion of unauthorized code in critical directories,” according to Sucuri.
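The following is an added example, not code from the article or from Sucuri, showing how a site administrator can turn the two facts above (mu-plugins live in wp-content/mu-plugins/ and run on every page load unlisted; unexpected files or modifications there are the indicator to watch) into a repeatable check. It inventories every file under the mu-plugins directory, hashes it, compares it against a known-good baseline, and raises triage flags for files that carry one of the three payload names the article reports or that contain constructs typical of obfuscated PHP droppers, redirectors and webshells. The baseline dictionary, the benign "site-tweaks.php" plugin and the suspicious sample file are all constructed here for the demonstration; the flag names and the pattern list are this example's own choices.

```python
"""Inventory and triage a WordPress mu-plugins directory (added example).

Assumes the directory path given in the article (wp-content/mu-plugins/)
and the three payload file names it reports. Everything else (baseline,
sample files, flag names, pattern list) is constructed for this demo.
"""
import hashlib
import os
import re
import tempfile

# File names of the three payloads named in the article. A match is only a
# triage hint: index.php in particular is also a common legitimate name.
REPORTED_PAYLOAD_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}

# Constructs common in obfuscated droppers, redirectors and webshells.
# Presence is a signal for manual review, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    (label, re.compile(pattern))
    for label, pattern in [
        ("eval(", rb"\beval\s*\("),
        ("base64_decode(", rb"\bbase64_decode\s*\("),
        ("gzinflate(", rb"\bgzinflate\s*\("),
        ("str_rot13(", rb"\bstr_rot13\s*\("),
        ("shell exec", rb"\b(?:system|shell_exec|passthru|exec|popen)\s*\("),
        ("Location redirect", rb"\bheader\s*\(\s*['\"]Location:"),
        ("remote include", rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://"),
    ]
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_mu_plugins(mu_dir, baseline=None):
    """Return one record per file under mu_dir with the triage flags it raised.

    baseline maps relative file name -> expected sha256 from a known-good
    inventory (for example one taken right after a clean deploy). WordPress
    auto-loads only the top-level .php files here, but a top-level loader can
    include files from subdirectories, so the whole tree is inventoried.
    """
    baseline = baseline or {}
    records = []
    for root, _dirs, files in os.walk(mu_dir):
        for fname in sorted(files):
            full = os.path.join(root, fname)
            rel = os.path.relpath(full, mu_dir)
            digest = sha256_of(full)
            flags = []
            if rel not in baseline:
                flags.append("not-in-baseline")
            elif baseline[rel] != digest:
                flags.append("hash-changed")
            if fname in REPORTED_PAYLOAD_NAMES:
                flags.append("reported-payload-name")
            if fname.lower().endswith(".php"):
                with open(full, "rb") as fh:
                    body = fh.read()
                for label, rx in SUSPICIOUS_PATTERNS:
                    if rx.search(body):
                        flags.append("suspicious:" + label)
            records.append({
                "name": rel,
                "sha256": digest,
                "size": os.path.getsize(full),
                "mtime": os.path.getmtime(full),
                "flags": flags,
            })
    return records


def build_demo():
    """Create a constructed mu-plugins tree and scan it against a baseline."""
    tmp = tempfile.mkdtemp()
    mu_dir = os.path.join(tmp, "wp-content", "mu-plugins")
    os.makedirs(mu_dir)

    # Constructed benign mu-plugin: a one-line site-wide tweak, the kind of
    # legitimate use the article describes.
    benign = b"<?php\nadd_filter('the_generator', '__return_empty_string');\n"
    with open(os.path.join(mu_dir, "site-tweaks.php"), "wb") as fh:
        fh.write(benign)

    # Constructed suspicious file: carries one of the reported payload names
    # and the eval(base64_decode(...)) shape. The encoded string decodes to
    # echo "constructed sample"; and does nothing harmful.
    suspect = (b"<?php\n"
               b"eval(base64_decode('ZWNobyAiY29uc3RydWN0ZWQgc2FtcGxlIjs='));\n")
    with open(os.path.join(mu_dir, "custom-js-loader.php"), "wb") as fh:
        fh.write(suspect)

    # Baseline recorded when only the benign file existed.
    baseline = {"site-tweaks.php": hashlib.sha256(benign).hexdigest()}
    return scan_mu_plugins(mu_dir, baseline)


if __name__ == "__main__":
    for rec in build_demo():
        status = "FLAGGED" if rec["flags"] else "ok"
        print(f"{status:8} {rec['name']:24} {rec['sha256'][:12]}  "
              f"{', '.join(rec['flags'])}")
```

Run it on a real site by calling scan_mu_plugins() with the site's own wp-content/mu-plugins path and a baseline saved from a clean state; any record with a non-empty flags list is a candidate for manual review, with the sha256 and mtime giving the starting point for comparing against backups and deploy history.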


Labels: CMS, Internet, Malicious Codes, malware, WordPress