A new security issue is putting WordPress-powered websites at risk. Hackers are abusing the “Must-Use” plugins (MU-plugins) feature to hide malicious code and maintain long-term access on hacked websites.
In earlier 2025, security researchers at Sucuri noticed cybercriminals using the tactic, and they say that it has been increasingly used the technique in the months since.
In WordPress, MU-plugins are plugins that are automatically enabled on a WordPress-powered site and – as the description
