At CyberStreams, we help small businesses—law firms, universities, non-profits, and manufacturers—stay secure in a digital world where threats are constantly evolving. One of the most popular website platforms, WordPress, powers 43.5% of all websites—over 521 million sites globally. With this level of market share, its security should be a top priority for every business.
But a well-intentioned WordPress feature introduced in 2022, called “Must-Use Plugins,” has become a dangerous security loophole—and cybercriminals have taken notice.
Must-Use (MU) Plugins were designed to simplify plugin management for hosting providers by auto-enabling certain plugins without requiring manual activation in the WordPress admin dashboard. Placed in a special directory (wp-content/mu-plugins), these plugins load automatically and cannot be disabled through the standard WordPress interface—they must be manually deleted from the server.
Unfortunately, this convenience has turned into a serious liability.
Since early 2025, GoDaddy’s Sucuri security team has seen a sharp increase in attacks targeting the mu-plugins directory. Hackers are breaking into vulnerable WordPress sites and dropping malicious files—like backdoors, web shells, and SEO spam—directly into this folder. These files then execute silently in the background, redirecting traffic, stealing data, or hijacking SEO without the site owner’s knowledge.
The problem? Many security tools don’t scan this directory by default, making it the perfect hiding spot.
A 2024 Patchstack report revealed that 97% of WordPress vulnerabilities stem from plugins. The design of Must-Use Plugins doesn’t just contribute to that number—it multiplies the risk by providing attackers with a backdoor built into WordPress’s architecture.
This isn’t a theoretical threat. For example:
A law firm could suffer a breach exposing confidential client data.
A manufacturer’s website could be used to spread SEO spam, hurting brand credibility and search rankings.
A nonprofit might unknowingly redirect visitors to phishing or scam pages.
CyberStreams has seen firsthand how overlooked features like this become high-value targets for attackers. MU Plugins may have been built for efficiency, but in the wrong hands, they become tools of exploitation.
To protect your site, take these immediate actions:
1. Inspect Your mu-plugins Folder
Navigate to wp-content/mu-plugins and check for suspicious files. If you're not using this feature, delete the folder entirely or restrict access using .htaccess rules to prevent unauthorized uploads.
2. Enhance Malware Scanning
Ensure your security tools are configured to scan all directories—including the mu-plugins folder. If your scanner doesn’t support this, consider switching to one that does.
3. Use a Web Application Firewall (WAF)
A WAF helps block malicious uploads before they reach your site. CyberStreams can assist in configuring one tailored to your specific needs.
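To make steps 1 and 2 concrete, here is an added example script (not CyberStreams' tooling and not part of WordPress) that audits a mu-plugins directory. It compares every file against a baseline of SHA-256 hashes the site owner recorded when installing their legitimate MU plugins, flags top-level PHP files that WordPress would auto-load but that are not in that baseline, flags PHP code hiding under a non-PHP file name, and flags constructs typical of backdoors and droppers. The directory contents, file names, the "CONSTRUCTED_SAMPLE" payload string and the baseline are all constructed for the demonstration; a real run would point audit_mu_plugins() at the site's actual wp-content/mu-plugins path and at hashes recorded from a known-good copy.

```python
"""Audit a WordPress wp-content/mu-plugins directory against a known-good baseline.

Added example, not CyberStreams' or WordPress' own code. Assumptions: the site
owner keeps a baseline of SHA-256 hashes for the MU plugins they deliberately
installed; WordPress auto-loads every top-level *.php file in this directory
and does not descend into subdirectories unless a top-level file includes them.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Constructs that are rare in legitimate MU plugins but common in backdoors,
# web shells and SEO-spam droppers. A match means "review by hand", not "infected".
SUSPICIOUS_PATTERNS = {
    "eval()": re.compile(r"\beval\s*\("),
    "base64/compressed payload": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell execution": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
    "request data fed to eval/assert": re.compile(
        r"\b(eval|assert)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)"),
}


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_mu_plugins(mu_dir, baseline_hashes):
    """Walk mu_dir and return a sorted list of (relative_path, reason) findings.

    baseline_hashes is a set of SHA-256 hex digests of the files the owner expects.
    """
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mu_dir).replace(os.sep, "/")
            top_level = os.path.dirname(rel) == ""
            is_php_name = name.lower().endswith(".php")  # .phtml etc. not covered here
            digest = sha256_of(path)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")

            # 1. Anything WordPress will auto-load that the owner did not install.
            if top_level and is_php_name and digest not in baseline_hashes:
                findings.append((rel, "auto-loaded PHP file not in baseline"))
            # 2. Other unknown files: not auto-loaded, but a loader could include them.
            elif digest not in baseline_hashes:
                findings.append((rel, "file not in baseline"))

            # 3. PHP code hiding behind a non-PHP name (favicon.ico, .txt, ...).
            if not is_php_name and "<?php" in text:
                findings.append((rel, "PHP code inside a non-PHP file"))

            # 4. Backdoor-style constructs, checked regardless of baseline status.
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, "suspicious construct: " + label))
    return sorted(findings)


def build_sample_mu_dir():
    """Create a constructed mu-plugins tree for the demo; returns (dir, baseline)."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    legit = os.path.join(mu_dir, "site-health-tweaks.php")
    with open(legit, "w") as fh:  # constructed legitimate plugin the owner installed
        fh.write("<?php\n// Constructed legitimate MU plugin.\n"
                 "add_filter('site_status_tests', function ($t) { return $t; });\n")
    with open(os.path.join(mu_dir, "wp-cache-helper.php"), "w") as fh:
        # Constructed dropper-style file; the string is a placeholder, not a payload.
        fh.write("<?php\neval(gzinflate(base64_decode('CONSTRUCTED_SAMPLE_PLACEHOLDER')));\n")
    with open(os.path.join(mu_dir, "favicon.ico"), "w") as fh:
        # Constructed disguise: PHP source stored under an image file name.
        fh.write("<?php if (isset($_REQUEST['q'])) { echo 'constructed sample'; }\n")
    os.makedirs(os.path.join(mu_dir, "lib"))
    with open(os.path.join(mu_dir, "lib", "helper.php"), "w") as fh:
        # Constructed unknown file in a subdirectory (not auto-loaded, still reviewed).
        fh.write("<?php\nfunction helper() { return 1; }\n")
    return mu_dir, {sha256_of(legit)}


if __name__ == "__main__":
    sample_dir, baseline = build_sample_mu_dir()
    try:
        for rel_path, reason in audit_mu_plugins(sample_dir, baseline):
            print(f"{rel_path}: {reason}")
    finally:
        shutil.rmtree(sample_dir)
```

A finding is a prompt for manual review rather than proof of compromise; a few legitimate plugins do use base64_decode for embedded assets, which is why the baseline and the pattern checks are reported separately. Run the audit on a schedule or after each deployment, and keep the baseline hashes outside the web root so an intruder who can write to mu-plugins cannot simply add their own file's hash to the list.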
The Must-Use Plugins feature is a classic case of good intentions gone wrong. While it offers convenience, its current implementation opens the door to serious cybersecurity threats. With WordPress powering nearly half the internet, this isn’t a rare edge-case—it’s a growing, widespread risk.
At CyberStreams, we believe every business deserves peace of mind when it comes to website security. Don’t let hidden vulnerabilities undermine your operations. Check your mu-plugins folder today—and let us help you keep the bad actors out.