Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
Briefly

Malicious actors are increasingly abusing the 'mu-plugins' directory on WordPress sites to compromise them. Mu-plugins, or must-use plugins, are executed automatically by WordPress and are less visible to users, who may overlook them during security checks. Security investigations revealed multiple instances of rogue PHP scripts, including ones that redirect users to malicious sites and inject unwanted spam. This trend raises alarms about persistent threats and underscores the importance of cybersecurity vigilance in web management.
Threat actors are using the mu-plugins directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites.
This approach represents a concerning trend, as mu-plugins (must-use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks.
The redirect script includes a function that identifies whether the current visitor is a bot, allowing the script to exclude search engine crawlers and prevent them from detecting the redirection behavior.
In the incidents analyzed, three different kinds of rogue PHP code were discovered in the mu-plugins directory, each targeting user security.
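Because must-use plugins do not appear in the standard plugin interface, a routine check has to look at the directory itself. The following is an added example, not code from the article or from WordPress: it compares every file under mu-plugins with a baseline of reviewed hashes. It assumes the default wp-content/mu-plugins location, and the file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# WordPress default location; a site can relocate it with WPMU_PLUGIN_DIR
# (assumption: the default is in use).
MU_DIR = Path("wp-content") / "mu-plugins"

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_mu_plugins(wp_root, baseline):
    """Compare every file under mu-plugins with a reviewed baseline.

    baseline maps relative path -> sha256 of the version an admin approved.
    Returns sorted (status, relative_path) tuples; an empty list means clean.
    """
    mu_dir = Path(wp_root) / MU_DIR
    findings, seen = [], set()
    if mu_dir.is_dir():
        # Recurse: a loader in the top level can include files from subfolders.
        for path in sorted(mu_dir.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(mu_dir).as_posix()
            seen.add(rel)
            if rel not in baseline:
                findings.append(("unexpected", rel))
            elif sha256_of(path) != baseline[rel]:
                findings.append(("modified", rel))
    findings += [("missing", rel) for rel in baseline if rel not in seen]
    return sorted(findings)

def demo():
    """Constructed sample tree: one approved file, one altered, one unknown."""
    with tempfile.TemporaryDirectory() as root:
        mu = Path(root) / MU_DIR
        mu.mkdir(parents=True)
        (mu / "site-cache.php").write_text("<?php // approved\n")
        (mu / "loader.php").write_text("<?php // approved\n")
        baseline = {p.name: sha256_of(p) for p in mu.iterdir()}
        (mu / "loader.php").write_text("<?php // changed after review\n")
        (mu / "extra.php").write_text("<?php // never reviewed\n")
        return audit_mu_plugins(root, baseline)

if __name__ == "__main__":
    for status, rel in demo():
        print(f"{status:10} {MU_DIR.as_posix()}/{rel}")
```

Store the baseline somewhere the web server user cannot write, so a compromised site cannot update it alongside the files it describes.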
Read at The Hacker News