Alert – Malware Strikes WordPress Mu Plugins

What are WordPress MU Plugins?

Must-Use plugins, or MU-Plugins, are a special type of WordPress plugin that is loaded automatically on every request and cannot be deactivated from the dashboard; the only way to disable one is to delete its file. Because they are always active, MU-Plugins are particularly attractive to attackers looking for a place to keep code running.

They live in a special directory inside the content folder (wp-content/mu-plugins by default). WordPress loads only the PHP files placed directly in that directory; files in subdirectories run only if a top-level loader includes them. On a multisite installation they are enabled on every site in the network. Hosting and IT support providers often use MU-Plugins to add host-specific features and to enforce settings that site administrators cannot switch off.

Hackers Use WordPress MU Plugins to Hide Malicious Code

In March 2025, Sucuri security researchers reported multiple cases in which threat actors used the mu-plugins directory to hide malicious code.

This is a concerning trend because MU-Plugins do not appear in the main plugin list. They show up only under a separate Must-Use view on the Plugins screen, with no activate or deactivate controls, so they are easy to overlook during routine security checks.

What Was Discovered in the WordPress MU Plugins Investigation by Sucuri

Sucuri identified several types of malware within the MU-Plugins directory.

  1. Fake Update Redirect Malware: Detected in the file wp-content/mu-plugins/redirect.php, this malware redirected site visitors to an external malicious website.
  2. Webshell: Found in ./wp-content/mu-plugins/index.php, this allows attackers to execute arbitrary code, granting them near-complete control over the site.
  3. Spam Injector: A spam injection script located in wp-content/mu-plugins/custom-js-loader.php. This script was used to inject unwanted spam content onto the infected website, possibly to boost SEO rankings for malicious actors or promote scams.

Indicators of Compromise (IoCs) in WordPress MU Plugins

The presence of this malware can be identified by several signs.

  1. Unusual behaviour on the site, such as unauthorized redirections of users to external malicious websites.
  2. Suspicious files with uncommon or misleading names appearing within the MU-Plugins directory, often mimicking legitimate plugins.
  3. Elevated server resource usage with no clear explanation.
  4. Unexpected file modifications or the inclusion of unauthorized code in critical directories.

Scope of the WordPress MU Plugins Malware

The fact that many infections were found inside MU-Plugins suggests that attackers are actively targeting this directory as a persistent foothold.

The MU-Plugins directory is designed to automatically load plugins without requiring activation through the WordPress dashboard, making it an ideal hiding place for malware.

These infections allow attackers to:

  1. Redirect traffic to malicious websites – Disguised as a legitimate WordPress function within the redirect.php file. The script is structured to execute conditionally based on the user’s status, whether they are a bot, an administrator, or a regular visitor.
  2. Maintain persistent access via backdoors – allowing attackers to execute commands, upload files, steal data, or launch further attacks. Web shells are often disguised as normal files and hidden in website directories, making them hard to detect.
  3. Inject spam content to manipulate SEO rankings – Replacing all images on the site with explicit content, potentially harming the website’s reputation. The code can also hijack all outbound links, opening a malicious popup instead of directing users to their intended destination.
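The indicators listed above and the three behaviours described in this section (a redirect keyed on bot or admin status, a loader that executes request data, and a JavaScript injector carrying an encoded payload) can be turned into a first-pass triage script for the mu-plugins directory. The following is an added example written for this page, not Sucuri's tooling and not Speedster IT's code; the rule list and weights are editorial assumptions rather than a complete signature set, and the sample files it scans are constructed to exercise those rules.

```python
"""Heuristic triage of wp-content/mu-plugins for the behaviours described above.

Added example (not Sucuri's tooling, not Speedster IT's code).  The rules and
weights are editorial assumptions, not a complete signature set, and the
sample files are constructed here to exercise them.
"""
import os
import re
import tempfile

# (label, pattern, weight); re.S lets a pattern span lines.
RULES = [
    ("eval of decoded payload", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 5),
    ("request data into eval/assert", re.compile(r"\b(eval|assert)\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)", re.I | re.S), 5),
    ("request data written to a file", re.compile(r"\bfile_put_contents\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)", re.I | re.S), 5),
    ("command execution function", re.compile(r"\b(system|shell_exec|passthru|exec|proc_open|popen)\s*\(", re.I), 4),
    ("redirect to external host", re.compile(r"\bheader\s*\(\s*['\"]Location:\s*https?://", re.I), 3),
    ("user-agent bot check", re.compile(r"HTTP_USER_AGENT.{0,300}?\b(bot|crawl|spider)", re.I | re.S), 2),
    ("skips logged-in users/admins", re.compile(r"!\s*(is_user_logged_in|current_user_can)\s*\(", re.I), 2),
    ("long base64 blob", re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"), 3),
    ("outbound link hijack in JS", re.compile(r"(window\.open|document\.location|location\.href)\s*[=(]", re.I), 1),
]

# Constructed samples: one benign host plugin and three imitating the described behaviours.
BENIGN_SAMPLE = """<?php
/* Plugin Name: Host Settings (constructed benign sample) */
add_filter('auto_update_plugin', '__return_true');
define('DISALLOW_FILE_EDIT', true);
"""
REDIRECT_SAMPLE = """<?php
// constructed: redirect only real visitors, never bots or logged-in admins
$ua = $_SERVER['HTTP_USER_AGENT'];
if (!preg_match('/bot|crawl|spider/i', $ua) && !is_user_logged_in()) {
    header('Location: https://example.invalid/update');
    exit;
}
"""
SHELL_SAMPLE = """<?php
// constructed: loader that executes whatever is POSTed
if (isset($_POST['p'])) { eval(base64_decode($_POST['p'])); }
"""
SPAM_SAMPLE = ("<?php\n// constructed: encoded payload plus outbound-link hijack\n"
               "add_action('wp_footer', function () {\n"
               "    echo '<script>var p=\"" + "QUJD" * 60 + "\";"
               "document.querySelectorAll(\"a\").forEach(function(a){"
               "a.onclick=function(){window.open(atob(p));return false;};});</script>';\n});\n")


def scan_source(src):
    """Return (labels, score) for one PHP source string."""
    hits = [(label, w) for label, rx, w in RULES if rx.search(src)]
    return [label for label, _ in hits], sum(w for _, w in hits)


def scan_mu_plugins(mu_dir):
    """Scan the top-level files; WordPress auto-loads only *.php directly in
    mu-plugins, so a subdirectory only matters via a loader that is scanned here."""
    results = {}
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if os.path.isdir(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            labels, score = scan_source(fh.read())  # non-PHP files can still carry payloads
        if not name.lower().endswith(".php"):
            labels.append("non-PHP file (not auto-loaded; check what includes it)")
            score += 1
        results[name] = {"findings": labels, "score": score}
    return results


def suspicious(results, threshold=3):
    """Files scoring at or above threshold, highest first."""
    flagged = [(n, r["score"]) for n, r in results.items() if r["score"] >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def make_sample_tree():
    """Write the constructed samples into a temporary mu-plugins directory."""
    mu_dir = os.path.join(tempfile.mkdtemp(), "mu-plugins")
    os.makedirs(os.path.join(mu_dir, "lib"))
    samples = {"host-settings.php": BENIGN_SAMPLE, "redirect.php": REDIRECT_SAMPLE,
               "index.php": SHELL_SAMPLE, "custom-js-loader.php": SPAM_SAMPLE,
               os.path.join("lib", "helper.php"): "<?php // constructed: not auto-loaded\n"}
    for rel, body in samples.items():
        with open(os.path.join(mu_dir, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return mu_dir


if __name__ == "__main__":
    results = scan_mu_plugins(make_sample_tree())
    for name, score in suspicious(results):
        print(f"{score:>3}  {name}: {', '.join(results[name]['findings'])}")
```

Point scan_mu_plugins at a real wp-content/mu-plugins path to triage a live site. A score is a prompt to read the file, not a verdict: a legitimate host plugin can call header() or check is_user_logged_in(), and a real web shell may use obfuscation these patterns miss, so treat a clean result as "nothing obvious" rather than "clean".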

Why do Hackers Exploit WordPress MU Plugins with Malware

Hackers target WordPress MU plugins with malware for two main reasons: monetization and persistence. These tactics help them make money and keep their malware hidden.

  1. Monetization: Hackers use malware to make money. For example, they might steal payment card details from a site's checkout and sell them on the dark web, or inject spam and redirects that earn affiliate or advertising revenue. Another method is ransomware, where hackers encrypt files and demand payment to unlock them. If the ransom is paid the victim may receive a decryption key, though there is no guarantee; if not, the data may stay locked permanently.
  2. Persistence: This means keeping the malware active and hidden for as long as possible. On a server, hackers use techniques like rootkits, which hide the malware by modifying the operating system; on a WordPress site the equivalent is a file dropped somewhere the dashboard does not show it, such as the mu-plugins directory, so that it survives plugin clean-ups.

Examples of Monetization & Persistence

Understanding these tactics can help businesses and individuals protect themselves against cyber threats.

  1. Ransomware: The 2017 WannaCry attack encrypted files on hundreds of thousands of computers in more than 150 countries and demanded payment in Bitcoin to unlock them.
  2. Data Theft: Hackers steal personal information, like login credentials and financial data, and sell it on the dark web.
  3. Botnets: Infected devices can be used to create a network of bots that carry out attacks, like DDoS attacks, which overwhelm a target with traffic to disrupt services.

WordPress MU Plugins Malware Prevention and Mitigation

If you think your site is infected, act quickly:

  1. Scan for Malware: Check the WordPress installation for malicious files, starting with the top-level PHP files in wp-content/mu-plugins, and verify core files against the official checksums (WP-CLI's wp core verify-checksums does this).
  2. Remove Suspicious Accounts: Look for unauthorized administrator accounts and delete any that you did not create.
  3. Audit Plugins: Review the installed plugins, including the Must-Use view on the Plugins screen, and delete any that look unfamiliar. Remember that an MU-Plugin is removed by deleting its file, not by deactivating it.
  4. Update Everything: Make sure WordPress core, plugins, and themes are on the latest versions so the original entry point is closed; otherwise the site is simply reinfected.
  5. Change Passwords: Rotate all administrator passwords, along with any database, FTP/SFTP and hosting control-panel credentials the attacker may have read from the server, and enable two-factor authentication (2FA).
  6. Monitor File Integrity: Set up a security plugin or a server-side integrity check that alerts you to unexpected changes, especially new or modified files in wp-content/mu-plugins.
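Step 6 can be done without a plugin by taking a hash baseline of wp-content/mu-plugins while the directory is known to be clean and comparing against it later. The following is an added example, not the page's code and not any particular security plugin; the paths and sample files are constructed for the demonstration, and the baseline location is an assumption.

```python
"""File-integrity baseline for wp-content/mu-plugins.

Added example (not the page's code and not a particular security plugin).
MU-Plugins have no upstream checksums to verify against, so the check is a
local baseline taken when the directory is known clean and compared against
later.  Paths and sample files are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def save_baseline(baseline, path):
    # Keep the baseline outside the web root: an attacker who can write to
    # mu-plugins could otherwise rewrite the baseline as well.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare_to_baseline(baseline, root):
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def demo():
    """Baseline a clean constructed directory, then simulate tampering."""
    work = tempfile.mkdtemp()
    mu_dir = os.path.join(work, "wp-content", "mu-plugins")
    os.makedirs(mu_dir)
    with open(os.path.join(mu_dir, "host-settings.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed benign sample */ define('DISALLOW_FILE_EDIT', true);\n")

    baseline_file = os.path.join(work, "mu-baseline.json")  # assumed location, outside the web root
    save_baseline(build_baseline(mu_dir), baseline_file)

    # Simulated compromise: a dropped loader plus a line appended to the legitimate file.
    with open(os.path.join(mu_dir, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed: dropped file */\n")
    with open(os.path.join(mu_dir, "host-settings.php"), "a", encoding="utf-8") as fh:
        fh.write("// constructed: appended line\n")

    return compare_to_baseline(load_baseline(baseline_file), mu_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_baseline and save_baseline once after a clean install or a deliberate change, schedule compare_to_baseline from cron, and alert on any non-empty result; re-baseline only after you have reviewed the change. This covers mu-plugins and anything else under wp-content, while wp core verify-checksums covers the core files that do have published checksums.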

Speedster IT can help prevent these issues by providing expert cybersecurity services, proactive monitoring, and tailored solutions to safeguard your website. For more information or assistance, contact us at 0204 511 9111.