WordPress glossary

mu-plugin Malware

Malicious code dropped into wp-content/mu-plugins/ so WordPress auto-loads it on every request without showing it in the plugins screen.

Last updated 27 June 2026 · Reviewed by Ali Yasin Jatoi

Must-use plugins (mu-plugins) load before everything else and never appear in the standard Plugins UI. Attackers exploit this to keep a persistence loader (admin user re-creator, redirect injector, C2 beacon) running invisibly. Cleanup means auditing every file in wp-content/mu-plugins/ against a known-good list and removing anything you did not install yourself.

Where this applies on our service

mu-plugin malware persistence

Related terms

When this comes up in the wild

Need this fixed, not just defined?

We have shipped hundreds of fixes for exactly this kind of issue. Book a 20 minute call and we will tell you straight whether it is a quick fix or a bigger root cause.

Book a 20 minute call +92 346 600 8404

wp-adminerlzp Hidden Admin User Trojanized Core File

Call Book a call