Hackers Exploiting WordPress mu-plugins for Stealthy Attacks

Cybercriminals are increasingly using a little-known WordPress feature called “mu-plugins” to plant malicious code, allowing them to maintain persistent remote access and redirect website visitors to fraudulent pages. These must-use plugins (mu-plugins), stored in the wp-content/mu-plugins directory, automatically run on WordPress without appearing in the standard plugin interface, making them an ideal hiding spot for malware.

Recent findings by security firm Sucuri reveal that attackers leverage this tactic to execute malicious PHP scripts, manipulate site content, and redirect users to phishing sites. Even worse, these attacks are part of a broader trend in which compromised WordPress sites are being turned into staging grounds for large-scale cyber threats, including malware distribution and financial data theft.

Below, we break down how these attacks work, the vulnerabilities being exploited, and what website owners can do to protect their sites.

How Hackers Are Exploiting mu-plugins

Malicious PHP Code Variants Found in mu-plugins

Sucuri’s research uncovered three primary types of malicious scripts within the mu-plugins directory:

  1. redirect.php – Redirects website visitors to external malicious domains. Some of these pages impersonate legitimate software updates, tricking users into downloading malware.
  2. index.php – Functions as a web shell, allowing attackers to execute arbitrary PHP code remotely by fetching scripts from external sources like GitHub.
  3. custom-js-loader.php – Injects spam content and explicit images into the website, potentially harming SEO rankings and credibility. It also hijacks outbound links, rerouting users to scam sites.

One particularly deceptive aspect of these scripts is their ability to detect search engine bots and security crawlers, preventing them from flagging the malicious activity. This ensures the infected site maintains its ranking in search results, allowing the attack to continue undetected.

Growing WordPress Threats: Beyond mu-plugins

New Malware Distribution Tactics

In addition to mu-plugin exploits, hackers are weaponizing WordPress sites to distribute malware in new ways:

  • ClickFix Attacks – A deceptive method where attackers trick users into executing malicious PowerShell commands under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA challenge. This often leads to the installation of Lumma Stealer, a malware that steals sensitive data from infected devices.
  • Checkout Page Skimming – Injecting malicious JavaScript into compromised WordPress sites, allowing attackers to harvest credit card details entered on e-commerce checkout pages.

Exploited WordPress Plugin Vulnerabilities

Security researchers have also identified multiple WordPress plugin vulnerabilities that hackers have been actively exploiting in 2024:

  1. CVE-2024-27956 (9.9 CVSS Score) – An SQL injection flaw in the WordPress Automatic Plugin (AI content generator and auto-poster).
  2. CVE-2024-25600 (10.0 CVSS Score) – A remote code execution vulnerability in the Bricks theme.
  3. CVE-2024-8353 (10.0 CVSS Score) – A PHP object injection flaw in the GiveWP plugin, allowing attackers to execute remote code.
  4. CVE-2024-4345 (10.0 CVSS Score) – An arbitrary file upload vulnerability in Startklar Elementor Addons, enabling hackers to upload malicious scripts.

These high-severity vulnerabilities highlight the importance of regular updates and proactive security measures for WordPress site owners.

What Undercode Says:

The Hidden Dangers of WordPress Automation

The increasing use of mu-plugins as an attack vector reveals a major blind spot in WordPress security. Since these plugins are automatically executed and invisible in the standard admin interface, they offer hackers a stealthy method to maintain persistent access.

From an analytical perspective, this technique is particularly concerning for several reasons:

  • Low Detection Rates – Many traditional WordPress security scans focus on standard plugin directories, overlooking mu-plugins entirely.
  • Widespread Impact – Because a mu-plugin runs on every request to the site where it is installed, a single compromised installation can expose thousands of visitors in a short time.
  • Persistent Access – Unlike regular plugins that require activation, mu-plugins execute automatically and cannot be deactivated from the dashboard, making them harder to disable.

SEO and Business Risks

Beyond security concerns, these attacks also pose significant SEO and brand reputation risks:

  • Google Blacklisting – If a site is flagged for malware distribution or phishing, search engines may remove it from search results, causing traffic to plummet.
  • Loss of Customer Trust – Visitors who encounter scams, explicit content, or redirected links may lose trust in the site, impacting business revenue and reputation.
  • Legal and Compliance Issues – Websites handling user data or financial transactions could face legal consequences if compromised due to negligence in security measures.

How to Defend Against These Attacks

Website owners and administrators should take the following steps to protect their WordPress sites:

  1. Monitor the mu-plugins Directory – Regularly check wp-content/mu-plugins/ for unauthorized files and scripts.
  2. Audit Installed Plugins and Themes – Remove outdated or suspicious plugins that could introduce vulnerabilities.
  3. Apply Security Updates Promptly – Install updates for WordPress core, themes, and plugins as soon as they are available.
  4. Use a Web Application Firewall (WAF) – A WAF can block malicious requests before they reach the site.
  5. Enable Strong Authentication – Enforce two-factor authentication (2FA) for all admin accounts to prevent unauthorized access.
  6. Run Regular Malware Scans – Use security plugins like Wordfence or Sucuri to scan for hidden threats.
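The directory check in step 1, together with the file names and crawler-cloaking behaviour described under "Malicious PHP Code Variants Found in mu-plugins", as an added example that is not code from the article or from Sucuri: a Python audit that compares wp-content/mu-plugins/ against an administrator-kept SHA-256 baseline and flags PHP files whose name or contents match what the article reports. The sample directory, the baseline and the pattern list are constructed assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File names Sucuri reported for the malicious mu-plugin variants (from the article).
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}
# PHP constructs typical of injected loaders and crawler cloaking; a signal, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|shell_exec|passthru)\s*\(|"
    r"file_get_contents\s*\(\s*['\"]https?://|"
    r"HTTP_USER_AGENT.{0,80}(bot|crawl|spider)",
    re.IGNORECASE | re.DOTALL,
)

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_mu_plugins(mu_dir, baseline):
    """Return sorted (relative_path, reason) findings for every file under mu_dir.
    baseline maps relative path -> SHA-256 of deliberately deployed files; anything
    unlisted, modified, or missing is reported."""
    root, findings, seen = Path(mu_dir), [], set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != sha256_of(path):
            findings.append((rel, "hash mismatch"))
        if path.suffix.lower() == ".php":
            if path.name in REPORTED_NAMES:
                findings.append((rel, "name matches reported variant"))
            if SUSPICIOUS.search(path.read_text(errors="replace")):
                findings.append((rel, "suspicious PHP construct"))
    findings += [(rel, "baseline file missing") for rel in baseline if rel not in seen]
    return sorted(findings)

def build_sample_site():
    """Constructed mu-plugins directory: one legitimate file and one planted file."""
    mu_dir = Path(tempfile.mkdtemp()) / "mu-plugins"
    mu_dir.mkdir()
    good = mu_dir / "site-tweaks.php"
    good.write_text("<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n")
    # Mimics the cloaking the article describes: crawlers see normal content, humans a redirect.
    (mu_dir / "redirect.php").write_text(
        "<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) {\n"
        "    header('Location: https://example.invalid/');\n}\n")
    return mu_dir, {"site-tweaks.php": sha256_of(good)}
```

Running `audit_mu_plugins(*build_sample_site())` reports the planted redirect.php three times (unlisted, reported name, suspicious construct) and stays silent on the baselined file; in production the baseline would be generated from a known-clean checkout and stored outside the web root.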

These proactive measures can help mitigate the risks posed by mu-plugin exploits and keep WordPress sites secure from evolving cyber threats.

Fact Checker Results:

✔ Mu-plugin exploitation is a real and ongoing issue – Security research from Sucuri confirms this tactic is being actively used by hackers.

✔ WordPress plugin vulnerabilities continue to be a major risk – The Patchstack report highlights multiple high-severity flaws in 2024.

✔ Mitigation strategies are proven effective – Security best practices like plugin audits, WAF deployment, and 2FA significantly reduce the risk of exploitation.

References:

Reported By: https://thehackernews.com/2025/03/hackers-exploit-wordpress-mu-plugins-to.html