• Resolved cfoster

    (@cfoster)


    I don’t do a huge amount of WordPress development which is probably why I have never heard of the mu-plugins/ directory. I was called in to help someone rid their site of malware and the place the malware was hiding (amongst many other places, but the one that took the longest to find) was in WordPress’s secret code execution lair: mu-plugins.

    It showed some forethought on WordPress’s part to have people have to explicitly install AND activate plugins before new code will enter the application. That’s good. But then why why why can PHP files be dropped into mu-plugin and execute on every page load without a whisper about it anywhere?

    ANYWAY, it seemed to me like a great opportunity for AIOWPS to create a very simple dashboard widget informing users when there are files executing from this directory.

    • This topic was modified 5 months ago by cfoster.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @cfoster,

    WordPress mu-plugins are Must Use Plugins, From the Plugins list you can see those from the

    Plugins list.

    https://developer.www.ads-software.com/advanced-administration/plugins/mu-plugins/

    Below is the screenshot of the mu-plugins list in one of my live sites.

    https://snipboard.io/KgUxra.jpg

    Regards

    Thread Starter cfoster

    (@cfoster)

    Thanks for pointing out the link at the top of the Plugins page as I didn’t know about that either, but it still seems like bad UX to have the “All” category not include MU plugins, so having a dashboard widget prominently display them still seems like a good idea since they are an easy attack vector for Malware.

    This is more a suggestion for WordPress I suppose but: MUPlugins should really have to be manually activated just like regular plugins, even if their “must use” nature prevents them from being disabled.

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @cfoster,

    Ok, I will create an internal ticket for your suggestion and the issue you have.

    If you have File change detection on WP security > Scanner you may know what files are changed + uploaded. That way either it is inside mu-plugins or malware code getting added from any files of WordPress you may know.

    Regards

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.