{"id":210247,"date":"2025-04-01T06:24:48","date_gmt":"2025-04-01T11:24:48","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/04\/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code"},"modified":"2025-04-01T06:24:48","modified_gmt":"2025-04-01T11:24:48","slug":"hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/04\/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code","title":{"rendered":"Hackers abuse WordPress MU-Plugins to hide malicious code"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/hackers-abuse-wordpress-mu-plugins-to-hide-malicious-code.jpg\"><\/a><\/p>\n<p>Hackers are utilizing the WordPress mu-plugins (\u201cMust-Use Plugins\u201d) directory to stealthily run malicious code on every page while evading detection.<\/p>\n<p>The technique was <a href=\"https:\/\/blog.sucuri.net\/2025\/02\/hidden-backdoors-uncovered-in-wordpress-malware-investigation.html\" target=\"_blank\" rel=\"nofollow noopener\">first observed<\/a> by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.<\/p>\n<p>\u201cThe fact that we\u2019ve seen so many infections inside mu-plugins suggests that attackers are actively targeting this directory as a persistent foothold,\u201d <a href=\"https:\/\/blog.sucuri.net\/2025\/03\/hidden-malware-strikes-again-mu-plugins-under-attack.html\" target=\"_blank\" rel=\"nofollow noopener\">explains Sucuri\u2019s security analyst Puja Srivastava<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are utilizing the WordPress mu-plugins (\u201cMust-Use Plugins\u201d) directory to stealthily run malicious code on every page while evading detection. The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code. [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492],"tags":[],"class_list":["post-210247","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/210247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=210247"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/210247\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=210247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=210247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=210247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}