There have been an increasing number of cases of malware infection of the wordpress mu-plugins folder. This case study will be explained.

Malware infection of mu-plugins folder

The wp-content/mu-plugins folder is a folder that does not exist on a typical WordPress site, but allows the installation of forcibly activated plugins that must be run.

Therefore, if a hacker installs a malicious program in it, that program will be executed every time WordPress displays a page.

We are seeing more and more cases of malicious files being installed in this mu-plugins folder.

Example Malicious code like the image below will be installed

The code is obfuscated, and when un-obfuscated, it reveals itself to be PHP File Manager Freya, a file manager software used as a backdoor to edit or delete files on a single-file server.

How to deal with malware infection of mu-plugins folder

In many cases, it is not possible to identify the presence of a malicious program introduced in the mu-plugins folder from the WordPress administration screen.

After connecting to the server with FTP software, manually check if the wp-content/mu-plugins folder is not present, and if it is, visually check the code of the files in that folder.
If the file is obfuscated and is not a bread-like molded program, then there is a good chance that malware has been installed.

Also, please note that plug-ins that can comprehensively inspect and remove WordPress files can also detect and remove this type of malware, although not 100% of the time.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

Related Posts:

  1. What are the strongest permissions to prevent malware infection in WordPress?
    We will introduce the strongest file write permissions (permissions) to prevent malware infection in cases such as repeated malware infections in WordPress....
  2. Spread of malware infection to WordPress sites due to neglect of old Movable Type
    Malware infection is not only a WordPress problem, but is common to all CMS. (WordPress stands out because of its overwhelming popularity, but…) There are an increasing number of cases where old Movable Type is left unattended on a server and malware infection spreads to WordPress sites from there....
  3. Reasons for repeated hacker defacement and malware infection on WordPress sites
    Once a WordPress site has been defaced by hackers, embedded malware, or infected with a virus, the site may be repeatedly defaced even after you think you have removed the malware. We will explain how to deal with such cases....
  4. Malware wp-blog-header.php, wp-cron.php, .htaccess proliferating outside of the public folder on the server in WordPress
    If you find multiple wp-blog-header.php, wp-cron.php, and .htaccess files outside of the public folder on your server in WordPress, be careful. These files are most likely malware that propagates automatically....
  5. Example of malware spreading to initial subdomain folders of a server
    Many of today’s malware spread infection to all folders beyond the domain folders in the server. In this article, we will discuss the infection of initial subdomain folders on unused servers, which is often overlooked....
  6. Can WordPress malware infect database data?
    We will explain how an infection (tampering) with the WordPress database can cause the files on the site (server) to be tampered with....