A new security issue is putting WordPress-powered websites at risk. Hackers are abusing the “Must-Use” plugins (MU-plugins) feature to hide malicious code and maintain long-term access on hacked websites.
In early 2025, security researchers at Sucuri noticed cybercriminals using the tactic, and they say that the technique has been used increasingly in the months since.
In WordPress, MU-plugins are plugins that are automatically enabled on a WordPress-powered site and, as the name suggests, must be used, and therefore cannot be deactivated via the WordPress admin interface.
These “must-use plugins” are located in a specific directory called, imaginatively enough, mu-plugins inside the wp-content folder. Unlike regular WordPress plugins, they are not listed alongside regular plugins unless the “must use” filter is selected.

What makes a plugin “must-use”? Well, any plugin that is essential for the site’s functionality and shouldn’t be turned off. This may include security enhancements, performance optimisation, or multi-site management features that a site’s developers or administrators have deemed necessary to remain active.
So there is a perfectly legitimate reason for a WordPress site to have “must-use” plugins, although many WordPress users may be largely oblivious to their existence.
According to researchers, an attack typically begins when hackers compromise a website (usually via an out-of-date WordPress plugin, or weak password). Once an attacker has gained access, they will plant a malicious PHP file in the mu-plugins folder, effectively giving them a persistent foothold on the website.
Sucuri’s team say they have seen three malicious MU-plugins being deployed in in-the-wild attacks:
- redirect.php – Sends website visitors to a bogus browser update page that downloads malware.
- index.php – A backdoor which grants attackers remote access to the compromised server.
- custom-js-loader.php – Replaces website content with spam links or explicit images.
These hidden mu-plugins run the hackers’ code on every page of the website, and can reinfect an entire site if great care is not taken to remove an infection.
In an attempt to avoid being detected too soon, the redirect plugin code avoids activating if it is viewed by one of the website’s own logged-in administrators or a search engine bot.
Of course, nobody wants a hacker having a backdoor to their website, granting an unauthorised party admin-level control. A malicious attacker with such power can steal data, create new admin accounts, or use your website to spread malware.

Furthermore, you may find that any traffic coming to your site is redirected elsewhere on the internet by the malicious mu-plugins planted by the cybercriminals, doing harm to your business and your brand.
And it’s bad news for your website’s visitors too. Anyone visiting an infected site is putting their computer at risk of potential malware infection.
The best advice is to harden your WordPress site, by ensuring that you use strong, unique passwords and have enabled two-factor authentication.
Additionally, monitor your site for unusual behaviour, and ensure that you are keeping WordPress and any legitimate plugins and themes your website uses properly updated.
Finally, if you suspect your WordPress-powered website may be hosting malicious MU-plugins, look in the wp-content/mu-plugins folder. If you don’t use MU-plugins it should be empty.
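The folder check described above can be scripted so it runs on a schedule rather than only when something looks wrong. The following is an added example, not code from Sucuri or from this article's author; it assumes the default wp-content/mu-plugins location, and the allowlist format, the function names and site-hardening.php are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# File names the article attributes to Sucuri's findings. Attackers can rename
# files freely, so the allowlist comparison below is the check that matters.
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}


def audit_mu_plugins(wp_root, allowlist=None):
    """Return one finding per unexpected file under wp-content/mu-plugins.

    allowlist maps a path relative to mu-plugins to the SHA-256 recorded when
    that file was deployed. An empty allowlist means "we use no MU-plugins".
    """
    allowlist = allowlist or {}
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"  # assumed default location
    findings = []
    if not mu_dir.is_dir():
        return findings  # directory absent, so it contains nothing to report
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(mu_dir).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if allowlist.get(rel) == digest:
            continue  # known file, content unchanged
        if rel in allowlist:
            reason = "allowlisted file was modified"
        elif path.name.lower() in REPORTED_NAMES:
            reason = "name matches a reported malicious MU-plugin"
        else:
            reason = "file is not in the allowlist"
        findings.append({"file": rel, "sha256": digest, "reason": reason})
    return findings


def build_constructed_site(root):
    """Constructed sample tree for the demo; both files are harmless stubs."""
    mu = Path(root) / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    good = mu / "site-hardening.php"  # hypothetical legitimate MU-plugin
    good.write_text("<?php // constructed placeholder\n")
    (mu / "redirect.php").write_text("<?php // constructed placeholder\n")
    return {good.name: hashlib.sha256(good.read_bytes()).hexdigest()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on the constructed tree
        for f in audit_mu_plugins(tmp, build_constructed_site(tmp)):
            print(f"{f['reason']}: {f['file']} sha256={f['sha256']}")
```

On a real site, call `audit_mu_plugins` with the WordPress root and the hashes recorded at deployment; any finding deserves a manual look at the file before it is removed.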