WPSurfer.com

What are Mu-Plugins?

Published on July 2, 2024 | Updated on December 10, 2025

We usually install WordPress plugins either directly from the dashboard or by clicking “Add Plugin” and uploading a file.

Now, there’s another kind called MU-Plugins, or “Must Use” plugins. These aren’t found in the standard directory; they’re custom pieces of code that you or another developer has specifically built for your site.

Mu-plugins are PHP files added to the mu-plugins folder inside the wp-content folder.

Once a PHP file is placed in that exact location within your WordPress installation, it is activated automatically and does what you programmed it to do.

This is an example of a mu-plugin that removes the version of WordPress, a simple piece of code that security plugins usually implement.

<?php
/*
 * Plugin Name: WP Version Hider
 * Description: Hide the version of WordPress your site is using.
 * Version: 1.0
 * Author: TicoLibre
 */
// Remove the WordPress version by returning an empty generator string
function ticolibre_remove_version() {
    return '';
}
add_filter('the_generator', 'ticolibre_remove_version');

These are the most common questions people have about mu-plugins:



Mu-Plugins vs Plugins

Plugins in WordPress can be simple or extremely complex.

WooCommerce is an example of a complex plugin that you can’t avoid installing if you want to sell products on your WordPress site.

If you want to disable your XML-RPC, you can search the plugins repository and install “Disable XML-RPC-API”.

Lots of people do that: the plugin has more than 100,000 active installs.

If you don’t want to install one more plugin, you could easily disable XML-RPC by creating a PHP file with this content in it and placing it in your mu-plugins folder.

<?php
/*
  Plugin Name: Disable XML-RPC
  Description: Disable XML-RPC 
  Version: 1.0
  Author: TicoLibre
*/
add_filter('xmlrpc_enabled', '__return_false');

That’s the beauty of mu-plugins.


Mu-Plugins vs Code Snippets

Mu-Plugins can be code snippets and managed by code snippets plugins such as Code Snippets or Fluent Snippets.

I am not a fan of installing and using additional plugins if I can avoid it.

Also keep in mind that code snippets plugins also want you to buy a premium version for unlocking this and that feature.


Mu-Plugins vs the functions.php File

Adding PHP to your functions.php file is a good choice, but it makes everything complicated when you want to troubleshoot things.

Mu-plugins can be lots of individual files, so you can remove one without losing what the rest of the plugins are doing.

Besides that, if you don’t use a child theme already, you would have to create one, since the contents of the default one are overwritten every time you update your theme.


How Do I Create Mu-Plugins?

You can install a file manager plugin for as long as you need to, create the mu-plugins folder and add your simple PHP files to it.

Nothing bad would happen if you install a file manager plugin for a couple of hours and remove it once you are done making changes to the mu-plugins folder.

I am not a fan of using file manager plugins so I recommend using:

#1 FileZilla
#2 CyberDuck

FileZilla and CyberDuck are SFTP clients that let you easily look inside your WordPress installation right from your computer, no matter if you’re on Windows, Mac, or Linux.

I keep both programs installed but for my own websites, I use CyberDuck. It is a personal preference.

Local WordPress users don’t need an SFTP client or file manager plugins because all the website files are directly accessible through the local file system.


How to Troubleshoot Issues with Mu-Plugins

If you break your site after activating a mu-plugin, you can remove the file and your site will be back as soon as you do that.

You can also rename the extension of the file and the plugin you just added will be deactivated.

Change it from this:

disable_xmlrpc.php

to something like this:

disable_xmlrpc.phpm

I usually break my personal sites when I add new mu-plugins or modify existing ones.

If a theme, plugin or core update breaks your site, you can install and activate the mu-manager plugin and deactivate mu-plugins like you would do with the regular plugins.


Can Mu-Plugins Introduce Security Issues?

One thing you could do is find code snippets from reputable websites and turn these into mu-plugins.

I wouldn’t use mu-plugins to create something related to forms, since search, contact forms and login pages can be exploited if poorly coded.

If you use Cloudflare, create a firewall rule to protect the mu-plugins folder.

By the way, lots of plugins and themes are featured weekly in Wordfence Security’s newsletter, so I think we can conclude that there is a risk when you create a mu-plugin and there is also a risk when you install stuff from the repository.


Folders within the Mu-Plugins Folder

Any PHP file placed directly inside /wp-content/mu-plugins/ is automatically loaded by WordPress without needing activation.

If you create a folder inside mu-plugins, WordPress will ignore the files inside it unless you manually load them.

This script automatically loads every PHP file inside every subfolder of the mu-plugins directory.
So instead of placing single PHP files directly in mu-plugins/, you can organize them into folders and the loader will include them all.

<?php
/*
  Plugin Name: Mu-Plugins Loader
  Description: Automatically loads every PHP file inside every subfolder of the mu-plugins directory
  Status Required: Fully Working
  Status Detail: No Special Actions Needed
  Version: 1.0
  Author: TicoLibre
*/
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
// Single glob call to get all subdirectories (glob() returns false on error)
$plugin_folders = glob(__DIR__ . '/*/', GLOB_ONLYDIR) ?: array();
// Loop through each folder
foreach ($plugin_folders as $plugin_folder) {
    // Check if folder is readable
    if (is_readable($plugin_folder) && $handle = opendir($plugin_folder)) {
        // Loop through PHP files in the folder
        while (false !== ($entry = readdir($handle))) {
            // Only include regular files whose name ends in .php
            if (substr($entry, -4) === '.php' && is_file($plugin_folder . $entry)) {
                include_once $plugin_folder . $entry;
            }
        }
        closedir($handle);
    }
}
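
Because every PHP file in this folder (and, with the loader above, in its subfolders) runs on each request without an activation step, it helps to know when that set of files changes. The script below is an added example, not code from the original article: it records a SHA-256 baseline of the files that would be auto-loaded and reports additions, removals and changes on later runs. The file name mu-audit.php, the function names and the JSON baseline format are assumptions made for this example.

```php
<?php
// Added example (not from the article). Usage, with assumed file names:
//   php mu-audit.php /path/to/wp-content/mu-plugins baseline.json
/** Map "relative/path.php" => sha256 for the folder and its direct subfolders. */
function mu_autoloaded_hashes(string $mu_dir): array {
    $mu_dir = rtrim($mu_dir, '/');
    $dirs = [$mu_dir];
    foreach (scandir($mu_dir) ?: [] as $entry) {
        if ($entry !== '.' && $entry !== '..' && is_dir("$mu_dir/$entry")) {
            $dirs[] = "$mu_dir/$entry";
        }
    }
    $hashes = [];
    foreach ($dirs as $dir) {
        foreach (scandir($dir) ?: [] as $entry) {
            // Same name test as the loader above, so dotfiles such as ".x.php" count.
            if (substr($entry, -4) === '.php' && is_file("$dir/$entry")) {
                $relative = substr("$dir/$entry", strlen($mu_dir) + 1);
                $hashes[$relative] = hash_file('sha256', "$dir/$entry");
            }
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare current hashes with the saved baseline. */
function mu_diff(array $baseline, array $current): array {
    $common = array_intersect_key($current, $baseline);
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        // Same path in both, different hash.
        'changed' => array_keys(array_diff_assoc($common, $baseline)),
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $current = mu_autoloaded_hashes($argv[1]);
    if (!is_file($argv[2])) {               // first run: record the baseline
        file_put_contents($argv[2], json_encode($current, JSON_PRETTY_PRINT));
        exit("Baseline written: " . count($current) . " file(s)\n");
    }
    $diff = mu_diff(json_decode(file_get_contents($argv[2]), true) ?: [], $current);
    foreach ($diff as $kind => $paths) {
        foreach ($paths as $path) { echo strtoupper($kind) . " $path\n"; }
    }
    exit(array_filter($diff) ? 1 : 0);      // non-zero exit when anything differs
}
```

Keep the script and its baseline outside wp-content/mu-plugins so the script is not auto-loaded itself, and delete the baseline file to record a new one after a deliberate change.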

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.