Threat actors are using the “mu-plugins” directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites.
mu-plugins, short for must-use plugins, refers to plugins in a special directory (“wp-content/mu-plugins”) that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware.
“This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks,” Sucuri researcher Puja Srivastava said in an analysis.
In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory –
- “wp-content/mu-plugins/redirect.php,” which redirects site visitors to an external malicious website
- “wp-content/mu-plugins/index.php,” which offers web shell-like functionality, letting attackers execute arbitrary code by downloading a remote PHP script hosted on GitHub
- “wp-content/mu-plugins/custom-js-loader.php,” which injects unwanted spam onto the infected website, likely with an intent to promote scams or manipulate SEO rankings, by replacing all images on the site with explicit content and hijacking outbound links to malicious sites
The “redirect.php,” Sucuri said, masquerades as a web browser update to deceive victims into installing malware that can steal data or drop additional payloads.
“The script includes a function that identifies whether the current visitor is a bot,” Srivastava explained. “This allows the script to exclude search engine crawlers and prevent them from detecting the redirection behavior.”
The development comes as threat actors are continuing to use infected WordPress sites as staging grounds to trick website visitors into running malicious PowerShell commands on their Windows computers under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA verification – a prevalent tactic called ClickFix – and deliver the Lumma Stealer malware.
Hacked WordPress sites are also being used to deploy malicious JavaScript that can redirect visitors to unwanted third-party domains or act as a skimmer to siphon financial information entered on checkout pages.
It’s currently not known how the sites may have been breached, but the usual suspects are vulnerable plugins or themes, compromised admin credentials, and server misconfigurations.
According to a new report from Patchstack, threat actors have routinely exploited four different security vulnerabilities in WordPress plugins since the start of the year –
- CVE-2024-27956 (CVSS score: 9.9) – An unauthenticated arbitrary SQL execution vulnerability in WordPress Automatic Plugin – AI content generator and auto poster plugin
- CVE- 2024-25600 (CVSS score: 10.0) – An unauthenticated remote code execution vulnerability in Bricks theme
- CVE-2024-8353 (CVSS score: 10.0) – An unauthenticated PHP object injection to remote code execution vulnerability in GiveWP plugin
- CVE-2024-4345 (CVSS score: 10.0) – An unauthenticated arbitrary file upload vulnerability in Startklar Elementor Addons for WordPress
To mitigate the risks posed by these threats, it’s essential that WordPress site owners keep plugins and themes up to date, routinely audit code for the presence of malware, enforce strong passwords, and deploy a web application firewall to block malicious requests and prevent code injections.
