A new method of abuse targeting WordPress websites has been observed, where attackers are planting malicious code inside the lesser-known mu-plugins (must-use plugins) directory. This approach helps them hide their presence, maintain long-term access, and manipulate website content for malicious purposes.

Unlike regular plugins, mu-plugins are automatically loaded by WordPress and cannot be deactivated or managed through the standard admin interface. They reside in the wp-content/mu-plugins folder and are not visible through the normal plugin management page. This makes them an effective place to hide unauthorized scripts, especially in cases where administrators do not routinely inspect this directory.
Recent investigations revealed the use of three different PHP scripts placed inside this folder by attackers:
- redirect.php – This file silently redirects visitors to malicious external websites. In many cases, it displays fake browser update messages to trick users into downloading harmful software. The code includes checks to avoid triggering redirections for bots or search engine crawlers, which helps the attackers avoid early detection.
- index.php – This script provides shell-like access by allowing remote code execution. It can download and run external PHP code from services like GitHub, effectively giving full control of the site to the attacker.
- custom-js-loader.php – This file injects unwanted content onto the infected website, including spam and potentially explicit material. It may also hijack all images on the site and replace them, as well as redirect outbound links to scam or SEO manipulation domains.
These scripts allow attackers to use compromised sites as platforms for spam campaigns, malware distribution, and even phishing. In some cases, these WordPress sites are also used to inject malicious JavaScript that either skims payment data on checkout pages or forces visitors to interact with fake CAPTCHA challenges, which in turn download and execute PowerShell commands on their systems. This technique, often referred to as “ClickFix,” is commonly used to deploy malware such as Lumma Stealer.
The method of initial access remains unclear. However, common causes include outdated or vulnerable plugins and themes, weak or reused administrator passwords, and insecure server configurations.
These incidents highlight the importance of checking all plugin directories — including mu-plugins — and regularly auditing file integrity and server activity. Simply relying on the WordPress dashboard is not enough to detect or prevent these types of attacks.
Website owners are encouraged to:
- Regularly scan all WordPress directories for unfamiliar or recently modified files
- Use file integrity monitoring tools
- Limit write access on plugin directories
- Keep all themes, plugins, and the core CMS updated
- Review access logs for suspicious behavior
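As an added example (not code from the original report), the following Python script applies the recommendations above to the wp-content/mu-plugins directory: each PHP file is compared against an allowlist of expected SHA-256 hashes, recently modified files are flagged, and file contents are checked for the kinds of behaviour described earlier (redirects, crawler checks, remote code fetching, obfuscation). The pattern list and the two sample files it constructs are hypothetical and exist only for this demonstration.

```python
import hashlib
import os
import re
import tempfile
import time

# Hypothetical content signals typical of injected PHP loaders; tune to what your site legitimately uses.
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("remote_fetch", re.compile(r"\b(include|require|file_get_contents)\s*\(\s*['\"]https?://")),
    ("redirect", re.compile(r"\bheader\s*\(\s*['\"]Location:")),
    ("crawler_check", re.compile(r"HTTP_USER_AGENT.*(bot|crawl|spider)", re.I)),
]

def audit_mu_plugins(directory, allowlist, max_age_days=30):
    """Return one finding per .php file that is missing from allowlist (name -> expected sha256),
    has a changed hash, was modified within max_age_days, or matches a suspicious pattern."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (os.path.isfile(path) and name.endswith(".php")):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if name not in allowlist:
            reasons.append("not in allowlist")
        elif allowlist[name] != digest:
            reasons.append("hash mismatch")
        if time.time() - os.path.getmtime(path) < max_age_days * 86400:
            reasons.append("modified recently")
        text = data.decode("utf-8", errors="replace")
        reasons += [f"pattern:{label}" for label, pat in SUSPICIOUS_PATTERNS if pat.search(text)]
        if reasons:
            findings.append({"file": name, "sha256": digest, "reasons": reasons})
    return findings

def build_sample_and_audit():
    """Audit a constructed sample directory: one known loader plus one unexpected redirect file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"<?php // site-specific loader\nrequire __DIR__ . '/lib/loader.php';\n"
        bad = b"<?php header('Location: https://PLACEHOLDER.invalid/');\n"
        for name, body in (("loader.php", good), ("redirect.php", bad)):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        old = time.time() - 400 * 86400  # pretend loader.php was last touched long ago
        os.utime(os.path.join(d, "loader.php"), (old, old))
        return audit_mu_plugins(d, {"loader.php": hashlib.sha256(good).hexdigest()})
```

Calling build_sample_and_audit() returns a single finding for redirect.php, flagged as not in the allowlist, modified recently and matching the redirect pattern, while the allowlisted loader.php is silent.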
By understanding how lesser-known WordPress features like mu-plugins can be abused, administrators can take more effective steps to protect their websites from hidden threats.