“Threat actors are using the “mu-plugins” directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites.mu-plugins, short for must-use plugins, refers to plugins in a special directory (“wp-content/mu-plugins”) that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware.”
This is actually a major problem because just about every WordPress site has this directory by default. It can just be deleted in many cases, but right now it is probably just sitting there waiting to be exploited.
As the majority of websites on the Internet do use WordPress, this is a concern right now. So if you are a WordPress admin, you want to read the linked article and do the checks. If you don’t use that directory, then it is probably safer to just delete it.
Just keeping your installed plugins and themes up to date won’t mitigate this risk, but updating is always a best practice, and WordPress lets you enable auto-update for plugins.
See https://thehackernews.com/2025/03/hackers-exploit-wordpress-mu-plugins-to.html