Hidden Malware in WordPress: How Hackers Are Using Mu-Plugins to Attack Your Website

Learn about malware in WordPress and how hackers exploit the mu-plugins folder to stay undetected on your site.

Our team recently uncovered a growing trend: hackers are hiding malware in a lesser-known part of WordPress called the mu-plugins folder. This method allows the malware to stay hidden and run automatically every time your site loads.

Let’s break down what this means, why it matters, and how you can protect your site.

What Are Mu-Plugins—and Why Are They a Target?

Mu-plugins stands for “Must-Use plugins.” These plugins are stored in a special folder and load automatically with every page of your site. They don’t appear in the normal WordPress Plugins menu, which makes them easy to overlook.

Hackers love this because:

  • The plugins run silently in the background.

  • Most website owners never check this folder.

  • They can use it to stay hidden for a long time.

What Kind of Malware Is Being Hidden?

We’ve identified three common types of malware hiding in the mu-plugins folder:

1. Redirect Malware

This type of malware quietly sends your visitors to other (malicious) websites. Most of the time, bots and site admins are excluded from the redirect—so you won’t even notice the issue right away.

2. Webshell (Remote Code Execution)

A webshell is a hidden backdoor that lets hackers control your website remotely. They can run commands, steal data, and even upload more malware.

3. Spam Injector

This one’s nasty. It replaces all your site’s images with inappropriate content and hijacks every link click—redirecting users to adult content or spammy sites.

Signs Your Site Might Be Infected

If your WordPress site is infected, you may notice:

  • Visitors being redirected to sketchy websites.

  • Unfamiliar files in the /wp-content/mu-plugins/ directory.

  • Strange increases in server load or performance issues.

  • Changes to your site content, especially images and links.

How Do These Infections Happen?

Hackers often gain access through:

  • Outdated plugins or themes with known security flaws.

  • Weak or stolen admin passwords.

  • Poor hosting security or incorrect file permissions.

Once inside, they drop the malware into the mu-plugins folder—where it loads automatically every time WordPress runs.

How to Protect Your WordPress Site

Here’s how you can stay protected:

  • Scan your website regularly, especially the mu-plugins folder.

  • Delete any suspicious files or plugins you don’t recognize.

  • Check your WordPress users for unknown admin accounts.

  • Update everything—WordPress, plugins, and themes.

  • Change your passwords and enable two-factor authentication (2FA).

  • Use a security plugin to monitor file changes and alert you to problems.
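
One way to script the folder scan and file-change check from the list above, as an added example that is not from the original article or from any WordPress tool. The function names, the pattern list and the sample file names are assumptions made for illustration; the sample files are constructed and inert.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristics (not from the article): constructs often seen in
# obfuscated PHP and forced redirects. A hit means "review", not "malicious".
SUSPICIOUS = {
    "obfuscated-exec": re.compile(rb"\b(eval|assert|system|shell_exec|passthru)\s*\(", re.I),
    "encoded-payload": re.compile(rb"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "redirect": re.compile(rb"(wp_redirect\s*\(|header\s*\(\s*['\"]Location)", re.I),
}

def audit_mu_plugins(mu_dir, baseline):
    """Return {relative_path: [reasons]}; baseline maps path -> known-good SHA-256."""
    findings = {}
    root = Path(mu_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        reasons = []
        if rel not in baseline:
            reasons.append("unknown-file")      # nobody on the team installed this
        elif baseline[rel] != hashlib.sha256(data).hexdigest():
            reasons.append("modified")          # known file, changed content
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Build a constructed mu-plugins folder and audit it against a baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp)
        known = b"<?php // constructed: site tweaks\nadd_filter('the_title', 'trim');\n"
        (mu / "site-tweaks.php").write_bytes(known)
        # Constructed: a known file that gained a redirect after the baseline was taken.
        (mu / "cache.php").write_bytes(known + b"wp_redirect('https://example.invalid');\n")
        # Constructed, inert stand-in for an unexpected dropped file.
        (mu / "index.php").write_bytes(b"<?php // eval(base64_decode('...'));\n")
        digest = hashlib.sha256(known).hexdigest()
        baseline = {"site-tweaks.php": digest, "cache.php": digest}
        return audit_mu_plugins(mu, baseline)

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, ", ".join(reasons))
```

On a real server, point `audit_mu_plugins` at the site's /wp-content/mu-plugins/ directory and keep the baseline somewhere the web server user cannot write to.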

The rise of malware in mu-plugins is a reminder that hackers are always looking for new ways to hide in plain sight. If you’re running a WordPress site, regular security checks are no longer optional—they’re essential.

Need help scanning your site or recovering from an infection? VISTECH’s WordPress security experts are here to help. We can identify hidden threats, clean your site, and set up safeguards to prevent future attacks.

Protect your site before it’s too late. Contact VISTECH today for a free consultation.
