Hackers are utilizing the WordPress mu-plugins (“Must-Use Plugins”) directory to stealthily run malicious code on every page while evading detection.

The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.

“The fact that we’ve seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold,” explains Sucuri’s security analyst Puja Srivastava.