<ul><li>Threat actors are hiding WordPress malware in the mu-plugins directory to evade detection and maintain persistence.</li><li>Unlike regular plugins, mu-plugins automatically load on every page load, making them an ideal location for backdoors.</li><li>Attackers are using obfuscated PHP to execute hidden payloads from the mu-plugins directory, enabling them to manipulate website behavior.</li><li>The malware found in the mu-plugins directory includes fake update redirects, webshells, and JavaScript injectors for various malicious purposes.</li></ul>

Hiding WordPress malware in the mu-plugins directory to avoid detection

Discover more