Summary: Hackers are increasingly leveraging WordPress's mu-plugins directory to execute malicious code undetected on every page load. This method, which was first identified in February 2025, enables various harmful activities, including credential theft and redirection to malware-laden sites. Security analysts recommend that WordPress site administrators enhance their security measures to safeguard against these threats.
Affected: WordPress sites
Key points:
- Attackers exploit the mu-plugins directory, allowing persistent malicious code execution without admin activation.
- Three main payloads identified: redirect.php, index.php (backdoor), and custom-js-loader.php (malicious JavaScript).
- Recommendations include applying security updates, uninstalling unnecessary plugins, and implementing strong account protections.
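
One way to check for the persistence described above, as an added example that is not code from the original report: it inventories the PHP files WordPress auto-loads from mu-plugins and flags any that are missing from, or differ from, a baseline of hashes. The baseline, the default `wp-content/mu-plugins` path and the sample files are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Filenames the summary above names as payloads seen in mu-plugins.
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}


def audit_mu_plugins(wp_root, baseline):
    """Flag auto-loaded PHP files that are absent from, or differ from, baseline.

    baseline (hypothetical) maps filename -> SHA-256 of files the owner installed.
    """
    # Assumption: default location; a site can relocate it via WPMU_PLUGIN_DIR.
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    findings = []
    if not mu_dir.is_dir():
        return findings
    # Only top-level *.php files are auto-loaded, with no activation step.
    for path in sorted(mu_dir.iterdir()):
        if not path.is_file() or path.suffix != ".php":
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        reasons = []
        if path.name not in baseline:
            reasons.append("not in baseline")
        elif baseline[path.name] != digest:
            reasons.append("hash differs from baseline")
        if reasons and path.name in REPORTED_NAMES:
            reasons.append("filename matches a reported payload")
        if reasons:
            findings.append({"file": path.name, "sha256": digest, "reasons": reasons})
    return findings


def demo():
    """Audit a constructed site tree: one known-good file, one unexpected file."""
    good = b"<?php // constructed, known-good\n"
    with tempfile.TemporaryDirectory() as root:
        mu = Path(root) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "site-cache.php").write_bytes(good)
        (mu / "redirect.php").write_bytes(b"<?php // constructed, unexpected\n")
        return audit_mu_plugins(root, {"site-cache.php": hashlib.sha256(good).hexdigest()})


if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["sha256"][:12], "; ".join(f["reasons"]))
```

A file whose hash matches the baseline is not reported even under one of the listed names, so the baseline has to be recorded from a known-clean state and stored where the web server cannot write.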