Exploiting WordPress mu-Plugins: A New Trend in Site Hijacking and Spam Injection

In recent months, threat actors have increasingly targeted the “mu-plugins” directory of WordPress installations. Placing code there lets them hide malware that grants remote access to the site and redirects unsuspecting visitors to fraudulent websites.

Understanding mu-Plugins

Must-use plugins, or mu-plugins, are special plugins placed in the wp-content/mu-plugins directory. Unlike standard plugins, mu-plugins are loaded automatically by WordPress, so site admins never need to enable them manually. That behaviour makes the directory a prime location for malware deployment.

The Threat Landscape

According to Puja Srivastava from Sucuri, “This approach is dangerous because mu-plugins don’t appear in the standard WordPress plugin interface, making them easy to overlook during routine security checks.”

Identifying the Malicious Code

Recent analyses have revealed three primary types of rogue PHP script found in this directory:

wp-content/mu-plugins/redirect.php – Redirects visitors to external malicious websites.
wp-content/mu-plugins/index.php – Acts like a web shell, allowing hackers to execute arbitrary code fetched from remote PHP scripts hosted elsewhere, such as on GitHub.
wp-content/mu-plugins/custom-js-loader.php – Injects spam into the affected sites, potentially to promote scams and manipulate SEO characteristics, including replacing site images with explicit material.

Manipulative Techniques

The redirect.php file relies on social engineering: it masquerades as a browser update prompt, tricking users into installing malware that can exfiltrate sensitive data or deploy additional threats.

Sucuri also described a scenario in which compromised WordPress sites serve as platforms for scripts that interact directly with end users, masquerading as trusted validation steps such as Google reCAPTCHA.

Malicious JavaScript Deployments

In addition to the PHP scripts, infected sites often carry malicious JavaScript that redirects visitors or acts as a data skimmer, especially during sensitive transactions such as online checkouts. The exact intrusion vector is not always clear, but it typically traces back to vulnerabilities in themes or plugins, compromised admin accounts, or weak server configurations.

Common Vulnerabilities Exploited

A recent Patchstack report disclosed frequent exploitation of four significant WordPress security vulnerabilities:

CVE-2024-27956 – SQL execution vulnerability in the WordPress Automatic Plugin.
CVE-2024-25600 – Remote code execution vulnerability in the Bricks theme.
CVE-2024-8353 – PHP object injection vulnerability in the GiveWP plugin.
CVE-2024-4345 – Arbitrary file upload vulnerability in Startklar Elementor Addons.

Mitigation Strategies

To safeguard against these risks, WordPress administrators should:

Regularly update plugins and themes.
Audit the mu-plugins directory for unexpected or malicious files.
Enforce strong authentication methods.
Implement a web application firewall (WAF) to filter out malicious requests.
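
The mu-plugins audit step above, as an added example that is not from Sucuri, Patchstack or the article: a Python scanner that walks wp-content/mu-plugins, flags the file names reported in the campaign and checks each PHP file for the indicators those rogue scripts rely on (dynamic eval, decoding helpers, remote fetches, redirects, injected script tags). The sample directory and its two files are constructed, and the indicator labels are this example's own.

```python
import os
import re
import tempfile

# Indicators a reviewer greps for in mu-plugins. Each is common in the rogue
# scripts described above, but also has legitimate uses, so hits need a look.
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(eval|assert|create_function)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "remote-fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://"),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|\bwp_redirect\s*\("),
    "js-injection": re.compile(r"<script[^>]*src\s*=\s*['\"]https?://"),
}
# File names reported in the campaign; their presence alone deserves review.
KNOWN_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}


def audit_mu_plugins(mu_dir):
    """Return sorted (relative_path, indicator, line_no) tuples for mu_dir."""
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mu_dir)
            if name in KNOWN_NAMES:
                findings.append((rel, "known-campaign-name", 0))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for label, pattern in INDICATORS.items():
                        if pattern.search(line):
                            findings.append((rel, label, line_no))
    return sorted(findings)


def build_sample_dir():
    # Constructed mu-plugins tree: one benign file, one rogue redirector.
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    with open(os.path.join(mu_dir, "site-tweaks.php"), "w") as fh:
        fh.write("<?php\nadd_filter('show_admin_bar', '__return_false');\n")
    with open(os.path.join(mu_dir, "redirect.php"), "w") as fh:
        # constructed sample: the encoded target decodes to https://example.invalid/
        fh.write("<?php\nheader('Location: ' . base64_decode("
                 "'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv'));\n")
    return mu_dir


if __name__ == "__main__":
    for rel, label, line_no in audit_mu_plugins(build_sample_dir()):
        print("%s:%d  %s" % (rel, line_no, label))
```

Point audit_mu_plugins at a real wp-content/mu-plugins path to review a live site; every hit is a candidate for manual review, not a verdict, since legitimate plugins also redirect and decode data.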

Conclusion

As WordPress remains a primary target for threat actors, recognizing the tactics they employ is key to fortifying web security. By staying informed about vulnerabilities and deploying appropriate defenses, website owners can mitigate the risks of such attacks.

For enhancing your WordPress site’s security, consider our security services.
