Cases of malware being planted in the WordPress mu-plugins folder are increasing. This article explains one such case.

Malware infection of mu-plugins folder

The wp-content/mu-plugins folder does not exist on a typical WordPress site. It holds must-use plugins, that is, plugins that are forcibly activated and always run.

Therefore, if a hacker installs a malicious program in it, that program will be executed every time WordPress displays a page.

We are seeing more and more cases of malicious files being installed in this mu-plugins folder.

Example: malicious code like that shown in the image below is installed.

The code is obfuscated; once deobfuscated, it turns out to be PHP File Manager Freya, a single-file file manager used as a backdoor to edit or delete files on the server.

How to deal with malware infection of mu-plugins folder

In many cases, it is not possible to identify the presence of a malicious program introduced in the mu-plugins folder from the WordPress administration screen.

After connecting to the server with FTP software, manually check whether the wp-content/mu-plugins folder exists, and if it does, visually inspect the code of the files in that folder.
If a file is obfuscated and is not a standard, recognizable program, there is a good chance that malware has been installed.
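
The manual check above can be scripted against a copy of the site downloaded over FTP. This is an added example, not code from the original article; the obfuscation indicators, the constructed sample and the names inspect_file and scan_mu_plugins are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Obfuscation indicators: assumptions for this example, not taken from the article.
DECODER_CALLS = re.compile(
    r"\b(eval|create_function|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")  # long base64-like run

# Constructed, inert sample of an obfuscated file (the payload is just "A" repeated).
SAMPLE_OBFUSCATED = "<?php eval(gzinflate(base64_decode('" + "A" * 300 + "')));"


def inspect_file(path: Path) -> list[str]:
    """Return the reasons a file looks obfuscated; an empty list means none found."""
    text = path.read_text(encoding="utf-8", errors="replace")
    reasons = []
    calls = sorted({m.group(1).lower() for m in DECODER_CALLS.finditer(text)})
    if calls:
        reasons.append("calls: " + ", ".join(calls))
    blob = max(ENCODED_BLOB.findall(text), key=len, default="")
    if blob:
        reasons.append(f"encoded blob of {len(blob)} chars")
    return reasons


def scan_mu_plugins(wp_root: str) -> dict[str, list[str]]:
    """Map every file under wp-content/mu-plugins to its findings.

    Returns {} when the folder is absent or empty. Files without findings are
    still listed: the folder does not exist on a typical site, so anything in
    it deserves a manual look.
    """
    folder = Path(wp_root) / "wp-content" / "mu-plugins"
    if not folder.is_dir():
        return {}
    return {
        str(p.relative_to(folder)): inspect_file(p)
        for p in sorted(folder.rglob("*")) if p.is_file()
    }


if __name__ == "__main__":
    import sys
    for name, why in scan_mu_plugins(sys.argv[1]).items():
        print(name, "->", "; ".join(why) or "no indicators, review manually")
```

Run it with the path of the downloaded WordPress root as the only argument. A file with no indicators is not proof that it is clean.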

Also note that plugins that comprehensively inspect and clean WordPress files can detect and remove this type of malware, although not 100% of the time.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
