Tuesday, April 1, 2025

Hackers exploit little-known WordPress MU-plugins feature to hide malware


A new security problem is putting WordPress-powered websites at risk. Attackers are abusing the "Must-Use" plugins (MU-plugins) feature to hide malicious code and maintain long-term access to compromised sites.

In early 2025, security researchers at Sucuri first observed cybercriminals using the tactic, and they say it has been used increasingly in the months since.

In WordPress, MU-plugins are plugins that are automatically enabled on a WordPress-powered site and, as the name suggests, must be used: they cannot be deactivated through the WordPress admin interface.

These must-use plugins live in a specific directory called, imaginatively enough, mu-plugins inside the wp-content folder. Unlike regular WordPress plugins, they need no plugin header and no activation step: WordPress simply loads every .php file it finds at the top level of that directory on every request. They are also not listed alongside regular plugins in the admin interface unless the "Must-Use" filter is selected.

What makes a plugin "must-use"? Well, any plugin that is essential to the site's functionality and should not be switched off. This may include security enhancements, performance optimisation, or multisite management features that a site's developers or administrators have deemed critical to remain active.

So there is a perfectly legitimate reason for a WordPress site to have must-use plugins, even though many WordPress users may be largely oblivious to their existence.

According to the researchers, an attack typically begins when hackers compromise a website (often via an out-of-date WordPress plugin or a weak password). Once an attacker has gained access, they plant a malicious PHP file in the mu-plugins folder, effectively giving them a persistent foothold on the site.

Sucuri's team say they have seen three malicious MU-plugins deployed in in-the-wild attacks:

  • redirect.php – Sends site visitors to a fake browser update page that downloads malware.
  • index.php – A backdoor which grants attackers remote access to the compromised server.
  • custom-js-loader.php – Replaces site content with spam links or explicit images.

These hidden mu-plugins run the attackers' code on every page of the site, and can reinfect an entire site if great care is not taken when removing an infection.

In an attempt to avoid early detection, the redirect plugin's code does not trigger if the visitor is one of the site's own logged-in administrators or a search engine bot.

Of course, nobody wants a hacker to have a backdoor into their website, granting an unauthorised party admin-level control. An attacker with that power can steal data, create new admin accounts, or use your site to spread malware.

Furthermore, you may find that traffic coming to your site is redirected elsewhere on the web by the malicious mu-plugins the criminals have planted, harming your business and your brand.

And it is bad news for your site's visitors too. Anyone visiting an infected site is putting their computer at risk of malware infection.

The best advice is to harden your WordPress site by ensuring that you use strong, unique passwords and have enabled two-factor authentication.

Additionally, monitor your site for unusual behaviour, and ensure that you are keeping WordPress core and any legitimate plugins and themes your site uses properly updated.

Finally, if you suspect your WordPress-powered website could be hosting malicious MU-plugins, look in the wp-content/mu-plugins folder. If you do not use MU-plugins, it should be empty. Check for dotfiles too: a file such as .cache.php still ends in .php and is still loaded, but a plain directory listing will not show it. Also check wp-config.php for a redefined WPMU_PLUGIN_DIR constant, since the directory can be relocated.
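The check described above, carried a little further, as an added example that is not from the article, from Sucuri or from WordPress itself: a small shell audit that enumerates exactly the files WordPress would load from mu-plugins (top-level names ending in .php, dotfiles included), records a hash baseline at deployment time, reports new or modified files on later runs, and applies a rough indicator scan for the conditional-redirect behaviour the article describes. It assumes a POSIX shell with find, awk and sha256sum (or shasum); the baseline format, the heuristic patterns, the /var/www/html path and the constructed sample files are this example's own.

```shell
#!/bin/sh
# Audit of wp-content/mu-plugins. Added example for this article; not Sucuri's
# tooling and not part of WordPress. Assumes a POSIX shell with find, awk and
# sha256sum (or shasum). The baseline format is this example's own convention.

# WordPress loads every top-level entry in mu-plugins whose name ends in .php,
# on every request, with no activation step. Dotfiles such as ".cache.php"
# count, files in subdirectories do not (unless a top-level file includes
# them), so this is exactly the set to audit. A plain "ls" misses the dotfiles.
list_mu_plugins() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -name '*.php' ! -type d | sort
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record "<sha256> <filename>" for every loaded file. Store the output where
# the web server user cannot write, and re-run the check from cron/monitoring.
mu_plugin_baseline() {
    list_mu_plugins "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f##*/}"
    done
}

# Compare the directory with a saved baseline. NEW = not in the baseline,
# MODIFIED = contents changed. No output means nothing unexpected is loaded.
mu_plugin_findings() {
    dir=$1; baseline=$2
    list_mu_plugins "$dir" | while IFS= read -r f; do
        known=$(awk -v n="${f##*/}" '$2 == n { print $1 }' "$baseline")
        if [ -z "$known" ]; then
            printf 'NEW      %s\n' "$f"
        elif [ "$known" != "$(hash_file "$f")" ]; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# Rough triage of one file for the behaviour described in the article: a
# redirect that is suppressed for logged-in users and for search-engine
# crawlers, plus common PHP obfuscation. One tag per line. This is a
# heuristic for deciding what to read first, not a malware signature.
mu_plugin_indicators() {
    grep -Eqi "wp_redirect|header[[:space:]]*\([[:space:]]*['\"]Location" "$1" && echo redirect
    grep -Eq 'is_user_logged_in|current_user_can' "$1" && echo admin-check
    grep -q 'HTTP_USER_AGENT' "$1" && grep -Eqi 'googlebot|bingbot|crawler|spider' "$1" && echo bot-check
    grep -Eq 'base64_decode|eval[[:space:]]*\(|gzinflate|str_rot13' "$1" && echo obfuscation
    return 0
}

# Self-contained demonstration on constructed files in a temporary directory.
# On a real host, point the functions at wp-content/mu-plugins under the site
# root (for example /var/www/html, an assumed path), after checking
# wp-config.php for a redefined WPMU_PLUGIN_DIR.
demo() {
    d=$(mktemp -d)
    mkdir "$d/mu-plugins"
    # Constructed legitimate mu-plugin, baselined at deployment time.
    printf '<?php\nadd_filter( "xmlrpc_enabled", "__return_false" );\n' > "$d/mu-plugins/disable-xmlrpc.php"
    mu_plugin_baseline "$d/mu-plugins" > "$d/baseline.txt"

    # Constructed fixture mimicking the redirect behaviour the article describes:
    # dotfile name, skips logged-in users and crawlers, redirects everyone else.
    cat > "$d/mu-plugins/.cache.php" <<'EOF'
<?php
if ( is_user_logged_in() ) { return; }
if ( preg_match( '/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'] ) ) { return; }
header( 'Location: https://example.invalid/browser-update' );
EOF
    # The legitimate file is tampered with as well.
    printf '// appended by attacker\n' >> "$d/mu-plugins/disable-xmlrpc.php"

    mu_plugin_findings "$d/mu-plugins" "$d/baseline.txt"
    mu_plugin_indicators "$d/mu-plugins/.cache.php"
    rm -rf "$d"
}

demo
```

On the constructed input the demo reports the dotfile as NEW, the tampered plugin as MODIFIED, and tags the dotfile with redirect, admin-check and bot-check. Treat any hit as the start of an investigation rather than the end of one: as the article notes, these files can reinfect a cleaned site, so look for the other footholds it describes (the index.php-style backdoor, rogue admin accounts, and the out-of-date plugin or weak password that let the attacker in) before declaring the site clean.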
