Article Details

Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images. Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware. "This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Sucuri researcher Puja Srivastava said in an analysis. In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory - The "redirect.php," Sucuri said, masquerades as a web browser update to deceive victims into installing malware that can steal data or drop additional payloads. "The script includes a function that identifies whether the current visitor is a bot," Srivastava explained. "This allows the script to exclude search engine crawlers and prevent them from detecting the redirection behavior." The development comes as threat actors are continuing to use infected WordPress sites as staging grounds to trick website visitors into running malicious PowerShell commands on their Windows computers under the guise of a Google reCAPTCHA or Cloudflare CAPTCHA verification – a prevalent tactic called ClickFix – and deliver the Lumma Stealer malware. Hacked WordPress sites are also being used to deploy malicious JavaScript that can redirect visitors to unwanted third-party domains or act as a skimmer to siphon financial information entered on checkout pages. It's currently not known how the sites may have been breached, but the usual suspects are vulnerable plugins or themes, compromised admin credentials, and server misconfigurations. According to a new report from Patchstack, threat actors have routinely exploited four different security vulnerabilities since the start of the year - To mitigate the risks posed by these threats, it's essential that WordPress site owners keep plugins and themes up to date, routinely audit code for the presence of malware, enforce strong passwords, and deploy a web application firewall to malicious requests and prevent code injections.