March 31, 2025 By Bill Toulas
Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.
"The fact that we've seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold," explains Sucuri's security analyst Puja Srivastava.
"Must-have" malware
Must-Use Plugins (mu-plugins) are a special type of WordPress plugin that automatically execute on every page load without needing to be activated in the admin dashboard.
They are PHP files stored in the 'wp-content/mu-plugins/' directory that automatically execute when the page is loaded, and they are not listed in the regular "Plugins" admin page unless the "Must-Use" filter is checked.
