Hackers Exploit WordPress Mu-Plugins for Persistent Attacks: Urgent Security Measures Needed
March 31, 2025
In February 2025, Sucuri researchers discovered that hackers are abusing the mu-plugins directory in WordPress to inject malicious code, maintain remote access, and redirect visitors to fraudulent websites.
Mu-plugins, or must-use plugins, are stored in the 'wp-content/mu-plugins/' directory and are loaded automatically by WordPress without needing activation, which makes them easy to overlook during routine security checks.
Puja Srivastava, a security analyst at Sucuri, noted that the prevalence of infections in mu-plugins indicates that attackers are specifically targeting this directory for a persistent foothold.
Injected web shells pose significant risks as they allow attackers to remotely execute commands and steal data from the server.
These findings underscore the urgent need for proactive security measures on WordPress sites to prevent severe security breaches.
The report emphasizes the necessity for regular security monitoring, file integrity checks, and the implementation of web application firewalls (WAFs) to mitigate such infections.
Site owners are advised to keep their plugins and themes up to date, audit for malware, use strong passwords, and implement web application firewalls to protect against these threats.
A separate report from Patchstack identifies four critical vulnerabilities exploited by hackers in 2025, including unauthenticated remote code execution and arbitrary SQL execution flaws in various WordPress plugins and themes.
Three specific variants of the malicious code have been identified: redirect.php, which redirects visitors to malicious sites; index.php, which allows remote code execution; and custom-js-loader.php, which replaces site images with explicit content.
Malicious files can damage a site's reputation and SEO due to harmful redirections and malware installation attempts, highlighting the importance of vigilance in maintaining site security.
The index.php file functions as a remote code execution web shell, enabling attackers to fetch and execute remote scripts and thereby retain persistent control over the compromised site.
These infections aim for monetization and persistence, benefiting attackers financially while keeping their malicious payloads concealed.
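The file integrity checks recommended above can be made concrete for the mu-plugins directory: record a hash baseline of 'wp-content/mu-plugins/', then re-scan and flag anything new, changed, missing, or containing constructs typical of injected PHP. The script below is an added illustration, not Sucuri's tooling; the directory layout, file names and contents in the demo are constructed, and the redirect sample only points at an invalid hostname.

```python
"""Baseline-and-diff integrity check for wp-content/mu-plugins/ (added illustration,
not Sucuri's tooling). Paths and file contents below are constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path

# PHP constructs that recur in injected files; a hit is a review prompt, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert|create_function)\s*\("
    r"|header\(\s*['\"]Location:", re.IGNORECASE)

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(mu_dir: Path) -> dict:
    """Map each file under mu-plugins (relative path) to its SHA-256."""
    return {str(p.relative_to(mu_dir)): sha256_of(p)
            for p in sorted(mu_dir.rglob("*")) if p.is_file()}

def audit(mu_dir: Path, baseline: dict) -> list:
    """Return (relative_path, reason) findings for the directory against the baseline."""
    current = snapshot(mu_dir)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "hash changed"))
        # Content check runs on every PHP file, baselined or not
        if rel.endswith(".php") and SUSPICIOUS.search((mu_dir / rel).read_text(errors="replace")):
            findings.append((rel, "suspicious construct"))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "missing"))  # deleted or renamed since the baseline
    return sorted(findings)

def demo() -> list:
    """Constructed scenario: baseline one benign mu-plugin, then a new redirect file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "site-tweaks.php").write_text("<?php // constructed benign mu-plugin\nadd_filter('x', '__return_true');\n")
        baseline = snapshot(mu)  # in practice, store this off-host and compare on a schedule
        (mu / "redirect.php").write_text("<?php // constructed sample\nheader('Location: https://example.invalid/');\n")
        return audit(mu, baseline)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run against a real install, point `audit()` at the live 'wp-content/mu-plugins/' and a baseline captured from a known-clean state; any "not in baseline" PHP file deserves manual review regardless of whether the content heuristic fires.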
Summary based on 5 sources
Sources
TechRadar pro • Apr 1, 2025
A key WordPress feature has been hijacked to show malicious code, spam images
BleepingComputer • Mar 31, 2025
Hackers abuse WordPress MU-Plugins to hide malicious code
The Hacker News • Mar 31, 2025
Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
SecurityWeek • Mar 31, 2025
Threat Actors Deploy WordPress Malware in ‘mu-plugins’ Directory