Threat actors are exploiting WordPress sites by injecting malware into the ‘mu-plugins’ (must-use plugins) directory, which allows automatic loading of plugins without displaying them in the admin dashboard. This tactic enables attackers to maintain persistent access and control over compromised sites while evading detection. The malware often includes backdoors, data-stealing tools, spam injection mechanisms, or traffic redirection scripts. Security researchers have observed an increase in this technique and recommend that site administrators regularly audit their file systems and monitor for unauthorized changes to detect and mitigate such threats.
https://www.securityweek.com/threat-actors-deploy-wordpress-malware-in-mu-plugins-directory/
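The file-system audit recommended above can be done by comparing the mu-plugins directory against a hash baseline recorded while the site was known to be clean. The following is an added example, not code from the article or from WordPress; it assumes the default `wp-content/mu-plugins` location, and the function names `snapshot` and `audit` are illustrative.

```python
import hashlib
import tempfile
from pathlib import Path

MU_DIR = Path("wp-content") / "mu-plugins"  # default location (assumed not relocated)


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(wp_root):
    """Map each file under mu-plugins (relative path) to its SHA-256."""
    mu = Path(wp_root) / MU_DIR
    if not mu.is_dir():
        return {}
    return {p.relative_to(mu).as_posix(): sha256_file(p)
            for p in sorted(mu.rglob("*")) if p.is_file()}


def audit(wp_root, baseline):
    """Compare the current state with a trusted baseline; return findings."""
    current = snapshot(wp_root)
    findings = []
    for rel, digest in current.items():
        # WordPress auto-loads only PHP files directly inside mu-plugins.
        autoloaded = "/" not in rel and rel.lower().endswith(".php")
        if rel not in baseline:
            findings.append(("unexpected", rel, autoloaded))
        elif baseline[rel] != digest:
            findings.append(("modified", rel, autoloaded))
    for rel in sorted(set(baseline) - set(current)):
        findings.append(("missing", rel, False))
    return findings


if __name__ == "__main__":
    # Constructed sample site, built in a temporary directory.
    with tempfile.TemporaryDirectory() as root:
        mu = Path(root) / MU_DIR
        mu.mkdir(parents=True)
        (mu / "site-cache.php").write_text("<?php // approved helper\n")
        baseline = snapshot(root)  # taken while the site is known-good
        (mu / "index.php").write_text("<?php // file added after baseline\n")
        (mu / "site-cache.php").write_text("<?php // changed content\n")
        for kind, rel, autoloaded in audit(root, baseline):
            print(f"{kind:10} {rel} autoloaded={autoloaded}")
```

Store the baseline somewhere the web server account cannot write, so a compromise of the site cannot also rewrite the reference hashes.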