WordPress Sites Under Threat from Stealthy MU Plugins
Cybercriminals are exploiting WordPress MU plugins (commonly known as “must-use” plugins) to maintain persistent access to WordPress sites. By disguising their backdoors or malicious scripts as MU plugins, attackers can evade standard plugin checks and remain undetected. These sneaky plugins load automatically whenever WordPress runs, making it easy for hackers to insert and run malicious code. Security researchers warn that many site owners are unaware of the role MU plugins play, which makes these backdoors particularly effective. The article recommends closely monitoring file changes, regularly reviewing what’s in the MU plugins folder, and applying updates to minimise the risk of compromise.
A new breed of WordPress attacks is taking advantage of “must-use” (MU) plugins—an often overlooked feature that loads these plugins automatically on any WordPress site. Hackers have learnt to hide malicious scripts within this folder, providing them with a persistent backdoor and helping them bypass regular plugin audits.
Why MU Plugins Are a Concern
Most WordPress site owners focus on traditional plugins and themes, forgetting that MU plugins load by default. That gives attackers who place rogue MU plugins a consistent foothold, potentially allowing them to steal data, deface pages, or even seize full control of the website.
How to Protect Your Site
• Audit MU Plugins: Keep a close eye on the mu-plugins directory and remove anything suspicious.
• Use a File Integrity Monitor: This can help identify unexpected changes.
• Keep Everything Updated: Always install the latest WordPress core, theme, and plugin updates to reduce vulnerabilities.
• Enable Security Plugins: A reputable security plugin can often detect or block dodgy behaviours in your system.
By treating MU plugins with the same vigilance you apply to other parts of WordPress, you’ll be in a stronger position to thwart these stealthy attacks.