Introduction

A malicious redirect coming from an MU-plugin is dangerous because must-use plugins load automatically and are easy to overlook during cleanup. You can remove ordinary plugins and still keep sending visitors somewhere hostile because the redirect logic sits in a path WordPress executes on every request. The right recovery is to treat it as a persistence mechanism, not just a bad plugin file.

Symptoms

  • Visitors are redirected to spam, scam, or malware pages even after ordinary plugin cleanup
  • WordPress plugin lists look normal, but redirects continue on the frontend or admin login
  • The redirect reappears after replacing themes or reinstalling visible plugins
  • Security scans point to unusual code under wp-content/mu-plugins
  • The issue began after an infection, suspicious admin access, or compromised hosting credentials

Common Causes

  • Malware planted persistent redirect logic in the must-use plugins directory
  • Cleanup focused on regular plugins and themes but skipped automatically loaded MU-plugins
  • A restored backup reintroduced the malicious file after partial cleanup
  • Another compromise vector continues rewriting the MU-plugin file after removal
  • File integrity monitoring did not include the persistence paths WordPress always loads

Step-by-Step Fix

  1. Confirm the redirect still occurs with ordinary plugins disabled so you know the persistence path lies elsewhere.
  2. Inspect the wp-content/mu-plugins directory and related bootstrap paths for unexpected files or recent changes.
  3. Compare suspicious MU-plugin code against a known-clean backup or baseline instead of trusting file names alone.
  4. Remove or replace the malicious MU-plugin only after preserving enough evidence to understand the intrusion path.
  5. Check for companion persistence mechanisms such as cron jobs, writable admin accounts, or modified core files that could restore it.
  6. Rotate compromised credentials and review recent administrator activity so reinfection does not follow immediately.
  7. Re-scan the site after cleanup to confirm redirects stop and no secondary payload remains active.
  8. Retest both public routes and admin login because MU-plugin malware often targets more than one request path.
  9. Expand integrity monitoring to include MU-plugins and bootstrap files so future persistence is detected earlier.
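
Steps 2, 3 and 9 all come down to comparing file content against a known-clean baseline rather than trusting names or the plugin list. The script below is an added example, not part of the original page: it hashes everything under wp-content/mu-plugins plus a few bootstrap files and reports added, removed and changed files. The WATCH entries beyond mu-plugins, the function names and the sample files are assumptions of this example.

```python
import hashlib
import os
import tempfile

# Assumed watch list: the page names wp-content/mu-plugins; the bootstrap
# files are this example's choice and should be adjusted per site.
WATCH = ["wp-content/mu-plugins", "wp-config.php", "index.php"]

def snapshot(root, watch=WATCH):
    """Return {relative_path: sha256} for every file under the watched paths."""
    result = {}
    for rel in watch:
        top = os.path.join(root, rel)
        if os.path.isfile(top):
            files = [top]
        else:  # a missing directory simply yields no files
            files = [os.path.join(d, f) for d, _, fs in os.walk(top) for f in fs]
        for path in files:
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return result

def diff(baseline, current):
    """Compare two snapshots; content decides, not file names or mtimes."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree: one clean MU-plugin, then two tampering events."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "mu-plugins"))
        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        write("wp-config.php", "<?php // constructed config\n")
        write("wp-content/mu-plugins/site-tweaks.php", "<?php // constructed clean file\n")
        baseline = snapshot(root)
        # Same file name with different content, plus a file nobody installed.
        write("wp-content/mu-plugins/site-tweaks.php", "<?php // constructed altered file\n")
        write("wp-content/mu-plugins/cache-helper.php", "<?php // constructed unknown file\n")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline snapshot somewhere the web server account cannot write, otherwise whatever rewrites the MU-plugin can rewrite the baseline too.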