There has been an increasing number of cases of malware infecting the WordPress mu-plugins folder. This article explains one such case.

Malware infection of mu-plugins folder

The wp-content/mu-plugins folder does not exist on a typical WordPress site, but plugins placed in it ("must-use" plugins) are forcibly activated and always run.

Therefore, if a hacker installs a malicious program in it, that program will be executed every time WordPress displays a page.

We are seeing more and more cases of malicious files being installed in this mu-plugins folder.

Example: malicious code like that in the image below is installed.

The code is obfuscated. Once deobfuscated, it turns out to be PHP File Manager Freya, a single-file file manager used as a backdoor to edit or delete files on the server.

How to deal with malware infection of mu-plugins folder

In many cases, it is not possible to identify the presence of a malicious program introduced in the mu-plugins folder from the WordPress administration screen.

After connecting to the server with FTP software, manually check whether the wp-content/mu-plugins folder exists, and if it does, visually inspect the code of the files in that folder.
If a file is obfuscated and does not look like an ordinary, conventionally written program, there is a good chance that malware has been installed.
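Where shell access to the server is available, the manual check above can be scripted. This is an added example, not code from the original article; the indicator patterns and the 500-byte line threshold are assumptions chosen for illustration, and the sample files are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Heuristic indicators (assumptions chosen for this example, not a complete list).
DECODERS = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
DYNAMIC_EXEC = re.compile(rb"\b(eval|assert|create_function)\s*\(", re.I)
LONG_LINE = 500  # bytes; hand-written plugin code rarely has lines this long


def inspect_file(path):
    """Return the list of reasons a file looks obfuscated (empty if none)."""
    data = path.read_bytes()
    reasons = []
    if DYNAMIC_EXEC.search(data) and DECODERS.search(data):
        reasons.append("dynamic execution of decoded data")
    if any(len(line) > LONG_LINE for line in data.splitlines()):
        reasons.append(f"line longer than {LONG_LINE} bytes")
    return reasons


def scan_mu_plugins(wp_root):
    """Map each file under wp-content/mu-plugins to its reasons; None if no folder."""
    folder = Path(wp_root) / "wp-content" / "mu-plugins"
    if not folder.is_dir():
        return None  # the normal state on a typical site
    # Every file is listed: anything in this folder deserves a manual look.
    return {str(p.relative_to(folder)): inspect_file(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}


def build_constructed_site(root):
    """Create a constructed sample tree: one plain loader, one obfuscated file."""
    folder = Path(root) / "wp-content" / "mu-plugins"
    folder.mkdir(parents=True)
    (folder / "loader.php").write_text("<?php\n// Loads site defaults.\nadd_filter('x', '__return_true');\n")
    (folder / "index.php").write_text('<?php eval(gzinflate(base64_decode("' + "A" * 600 + '")));\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_constructed_site(tmp)  # no path given: scan the constructed sample
        report = scan_mu_plugins(sys.argv[1] if len(sys.argv) > 1 else tmp)
        for name, reasons in (report or {}).items():
            print(name, "->", "; ".join(reasons) or "no indicator, review by eye")
```

Pass the WordPress root directory as the first argument to scan a real site. A file with no indicator is still listed, because the folder should normally be empty or absent.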

Also, please note that plugins that comprehensively inspect WordPress files can detect and remove this type of malware, although not 100% of the time.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].