Threat actors are increasingly exploiting the “mu-plugins” directory in WordPress to conceal malicious code and maintain persistent access. These must-use plugins, automatically loaded on every page without activation, make the directory an ideal target for attackers to hide malware. This stealthy approach avoids detection by regular security checks, as the files do not appear in the standard plugin interface, allowing them to evade common security scans. Researchers have discovered several types of malicious PHP code being deployed, such as “redirect.php,” “index.php,” and “custom-js-loader.php,” which cause significant harm to infected websites.
The “redirect.php” file sends visitors to malicious websites, often under the guise of a system update. The redirection targets regular users while skipping bots and administrators so that it remains undetected. The “index.php” file, on the other hand, acts as a web shell that grants attackers remote access, allowing them to execute arbitrary code fetched from external servers. This gives attackers control over the site, enabling further malware deployment or data theft. Meanwhile, “custom-js-loader.php” injects spam content, replacing legitimate images and hijacking outbound links to promote scams or manipulate SEO rankings.
These tactics reflect a broader strategy by threat actors to use compromised WordPress sites as tools for fraud, data theft, and further infections.
The malware identified serves several purposes: redirecting traffic, taking control of the site, and injecting spam content. The attacks aim at both financial gain and maintaining long-term access to compromised sites. Because the malware is stealthy, administrators are unlikely to detect it without thorough security audits, which is why site owners must be vigilant in monitoring for unusual behaviors, such as unexpected file modifications or elevated server usage.
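The audit the paragraph above calls for can be partly automated. The script below is an added example written for this article, not code from Sucuri or from WordPress: it inventories every PHP file under a `mu-plugins` directory (a location the normal plugin screen never shows), records size and modification time for change tracking, and flags the indicators described in this article: obfuscated `eval` chains, remote code fetches, shell execution, and a `Location:` redirect gated on the user agent, which is how the described “redirect.php” avoids bots and administrators. The two sample plugins it writes to a temporary directory are constructed for the demonstration; the “encoded payload” in the suspicious one is just the word “hello”, and the redirect target is a reserved `.invalid` domain. Regex hits are heuristics, so every flagged file still needs a manual review.

```python
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Heuristic indicators for must-use plugin files. A hit means "look closer",
# not "confirmed malware"; legitimate code can trigger some of these.
INDICATORS = {
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(", re.I),
    "remote_code_fetch": re.compile(
        r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "shell_exec": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
}
# These two only matter in combination: a redirect that checks the user agent
# is the "skip bots and admins" behaviour described above.
REDIRECT = re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I)
UA_GATE = re.compile(r"HTTP_USER_AGENT", re.I)


@dataclass
class Finding:
    path: str          # path relative to the mu-plugins directory
    indicators: list   # indicator names that matched
    size: int          # bytes, for diffing against a known-good inventory
    mtime: float       # last modification time, to spot recent changes


def scan_source(source: str) -> list[str]:
    """Return the indicator names that match one file's PHP source."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if REDIRECT.search(source) and UA_GATE.search(source):
        hits.append("ua_gated_redirect")
    return hits


def audit_mu_plugins(mu_dir: str) -> list[Finding]:
    """Walk the mu-plugins tree and scan every PHP file, flagged or not.

    WordPress auto-loads only top-level .php files here, but loaders often
    require() helpers from subdirectories, so the whole tree is inventoried.
    """
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for fname in sorted(files):
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            st = os.stat(path)
            findings.append(Finding(
                path=os.path.relpath(path, mu_dir),
                indicators=scan_source(source),
                size=st.st_size,
                mtime=st.st_mtime,
            ))
    return findings


def flagged(findings: list[Finding]) -> list[str]:
    """Paths of files with at least one indicator, for the review queue."""
    return [f.path for f in findings if f.indicators]


def build_sample_mu_plugins() -> str:
    """Create a constructed mu-plugins directory with one benign and one
    suspicious file; returns its path. Demonstration data only."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    benign = (
        "<?php\n"
        "/* Constructed benign must-use plugin: hides the generator tag. */\n"
        "add_filter('the_generator', '__return_empty_string');\n"
    )
    suspicious = (
        "<?php\n"
        "/* Constructed sample; the base64 string decodes to 'hello'. */\n"
        "eval(base64_decode('aGVsbG8='));\n"
        "$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';\n"
        "if (!preg_match('/bot|crawl|spider/i', $ua)) {\n"
        "    header('Location: http://example.invalid/update');\n"
        "}\n"
    )
    with open(os.path.join(mu_dir, "site-tweaks.php"), "w") as fh:
        fh.write(benign)
    with open(os.path.join(mu_dir, "loader.php"), "w") as fh:
        fh.write(suspicious)
    return mu_dir


if __name__ == "__main__":
    sample_dir = build_sample_mu_plugins()
    for finding in audit_mu_plugins(sample_dir):
        status = ", ".join(finding.indicators) or "clean"
        print(f"{finding.path:20} {finding.size:6d} bytes  {status}")
```

Run it against a real site with `audit_mu_plugins("/path/to/wp-content/mu-plugins")` and keep the resulting inventory (paths, sizes, mtimes) under version control or in a monitoring system; a new file or a changed mtime in this directory is itself worth an alert, independent of whether any regex fires.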
The vulnerabilities that allow these attacks are often linked to weak plugins or compromised server configurations. Sucuri researchers have noted a rise in malware hidden in the mu-plugins directory and urge WordPress site owners to regularly update plugins, enforce strong passwords, and install firewalls to block malicious activities. With attackers exploiting this hidden directory for backdoors and persistence, it’s critical to adopt comprehensive security practices to prevent such breaches and limit the spread of malicious code on WordPress sites.