Threat actors are exploiting the WordPress mu-plugins (“Must-Use Plugins”) directory to secretly execute malicious code on each page while avoiding detection.
The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.
Talking about the increase in mu-plugins infections, Sucuri’s security analyst Puja Srivastava said, “attackers are actively targeting this directory as a persistent foothold.”
About “Must-have” malware
Must-Use Plugins are a kind of WordPress plugin that automatically runs on every page load without the need to be activated in the admin dashboard. Mu-plugins are files stored in the ‘wp-content/mu-plugins/’ and are not listed in the regular “Plugins” admin page, except when the “Must-Use” filter is checked.
They have genuine use cases like implementing site-wide functionality for custom security rules, dynamically changing variables/codes, and performance tweaks. But as these plugins run every page load and aren’t shown in the standard plugin list, hackers can exploit them to secretly run a va
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.