Ethical Hacking News
Hackers are using the WordPress mu-plugins directory to run malicious code on millions of sites. The technique involves exploiting known vulnerabilities in plugins and themes or weak admin account credentials. Site admins can protect themselves by applying regular security updates, disabling unused plugins, and strengthening their user accounts.
Security researchers at Sucuri have found that hackers are using the WordPress mu-plugins directory to run malicious code on millions of sites. Must-use (mu) plugins are PHP files that WordPress loads automatically, without any activation step in the admin dashboard. They have legitimate uses, but the same auto-loading makes them attractive for malicious activity such as credential theft and alteration of HTML output. Three distinct payloads (redirect.php, index.php, custom-js-loader.php) have been found in the mu-plugins directories of compromised sites. Security experts recommend applying security updates, disabling or uninstalling unnecessary plugins and themes, and protecting admin accounts with strong credentials and multi-factor authentication.
In a recent discovery, security researchers at Sucuri have found that hackers are utilizing the WordPress mu-plugins directory to stealthily run malicious code on millions of sites. This technique has been observed since February 2025 but is now being adopted by threat actors at an alarming rate.
Must-use (mu) plugins are a special class of WordPress plugin: any PHP file placed in the 'wp-content/mu-plugins/' directory is loaded automatically on every page load, without being activated in the admin dashboard. Such files do not appear in the standard plugin list unless the "Must-Use" filter is selected.
While mu-plugins have legitimate use cases such as enforcing site-wide functionality for custom security rules, performance tweaks, and dynamically modifying variables or other code, they can also be used to perform a wide range of malicious activity, including stealing credentials, injecting malicious code, or altering HTML output.
Sucuri has discovered three distinct payloads that attackers are placing in the mu-plugins directory. The first, redirect.php, redirects visitors (excluding bots and logged-in admins) to a malicious website, updatesnow[.]net, which shows a fake browser update prompt that tricks users into downloading malware.
The second payload is index.php, which acts as a webshell that fetches and executes PHP code from a GitHub repository. This makes it possible for attackers to remotely execute commands on the server, steal data, and launch downstream attacks on members/visitors.
The third payload is custom-js-loader.php, which loads JavaScript that replaces all images on the site with explicit content and hijacks all outbound links, opening shady popups instead.
Sucuri has not yet determined exactly how attackers gain the access needed to write to the mu-plugins directory, whether through known vulnerabilities in plugins and themes or through weak admin account credentials. Security experts recommend that WordPress site admins apply security updates to their plugins and themes, disable or uninstall those that aren't needed, and protect privileged accounts with strong credentials and multi-factor authentication.
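As a defender-side check for the behaviour described above, here is an added audit script (not Sucuri's tooling and not code from the article) that inventories wp-content/mu-plugins, flags the three filenames the report names, and greps each PHP file for loader-style indicators. The indicator patterns, the seven-day "recently modified" window and the sample files are my own assumptions, constructed inline so the script runs offline.

```python
"""Audit a WordPress mu-plugins directory for the indicators described above."""
import re, tempfile, time
from pathlib import Path

# Filenames named in the Sucuri report (taken from the article).
KNOWN_PAYLOAD_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}

# Text-based heuristics (assumed, not from the report); a hit is a lead to review, not proof.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    "external_js": re.compile(r"\bwp_enqueue_script\s*\([^;]*https?://", re.I),
}

def is_stub(text):
    """True for WordPress's 'Silence is golden' index.php, which carries no code."""
    return re.sub(r"<\?php|\?>|//[^\n]*|/\*.*?\*/|\s", "", text, flags=re.S) == ""

def audit_mu_plugins(mu_dir, recent_days=7):
    """Return one finding dict per PHP file under mu_dir (WordPress loads every one of them)."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(Path(mu_dir).rglob("*.php")):
        text = path.read_text(errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]  # comments match too
        known = path.name in KNOWN_PAYLOAD_NAMES and not is_stub(text)
        findings.append({
            "file": str(path.relative_to(mu_dir)),
            "known_payload_name": known,
            "recently_modified": path.stat().st_mtime > cutoff,  # compare with your change log
            "indicators": hits,
            "suspicious": known or bool(hits),
        })
    return findings

def build_sample_dir():
    """Constructed, inert sample tree so the audit can be run offline; these are not real payloads."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "mu-plugins"
    root.mkdir(parents=True)
    (root / "site-rules.php").write_text(
        "<?php\n// constructed benign mu-plugin\nadd_filter('xmlrpc_enabled', '__return_false');\n")
    (root / "index.php").write_text("<?php\n// Silence is golden.\n")
    (root / "custom-js-loader.php").write_text(
        "<?php\n$note = 'constructed inert sample';\n"
        "// the marker strings below sit inside this comment and never execute:\n"
        "// eval(base64_decode($p)); file_get_contents('https://example.invalid/p.txt');\n")
    return root
```

Run `audit_mu_plugins(build_sample_dir())` to see the sample verdicts, or point `audit_mu_plugins` at a real wp-content/mu-plugins path and review every file it marks suspicious or recently modified.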
This discovery highlights the ever-evolving nature of cyber threats and emphasizes the importance of continuous monitoring and maintenance of website security.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Exploit-WordPress-MU-Plugins-to-Hide-Malicious-Code-on-Millions-of-Sites-ehn.shtml
https://www.bleepingcomputer.com/news/security/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code/
https://thehackernews.com/2025/03/hackers-exploit-wordpress-mu-plugins-to.html
Published: Mon Mar 31 12:40:33 2025 by llama3.2 3B Q4_K_M