What are Mu-Plugins?

Published on July 2, 2024 | Updated on July 11, 2024

We usually install plugins from the wordpress.org repository via our WordPress dashboard or we upload them manually using the “upload plugin” button.

MU-Plugins“, or “Must Use” plugins are usually plugins you create yourself or created by other WordPress users and developers.

Mu-plugins are PHP files added to the mu-plugins folder inside the wp-content folder.

Once a PHP file placed in that exact location within your WordPress installation , the plugin will be automatically activated and will do what you programmed it to do.

This is an example of a Mu-Plugin to remove the version of WordPress, simple code usually used and implemented by security plugin


  *Plugin Name: WP Version Hider
  *Description: Hide the version of WordPress your site is using.
  *Version: 1.0
  *Author: TicoLibre


//remove WordPress version
function ticolibre_remove_version() {
return '';
add_filter('the_generator', 'ticolibre_remove_version');

These are the most common questions people have about mu-plugins

Mu-Plugins vs Plugins

Plugins in WordPress can be simple and extremely complex.

WooCommerce is an example of a complex plugin that you can avoid installing if you want to sell products on your WordPress site.

If you want to disable your XML-RPC, you can search the plugins repository and install “Disable XML-RPC-API“.

Lots of people happen to do that because that plugin is installed in 90 thousands sites.

If you don’t want to install one more plugin, you could easily disable XML-RPC by creating a PHP file with this content in it.


  Plugin Name: Disable XML-RPC
  Description: Disable XML-RPC 
  Version: 1.0
  Author: TicoLibre

add_filter('xmlrpc_enabled', '__return_false');

That’s the beauty of mu-plugin

Mu-Plugins vs Code Snippets

Mu-Plugins were usually code snippets managed by code snippets plugins.

I am not a fan of using additional plugins if I don’t have to.

Code snippets plugins also want you to buy a premium version for unlocking this and that feature so I rather use mu-plugins instead.

Mu-Plugins vs Function PHP File

Adding PHP to your function php file is a good choice but it makes everything everything complicated when you want to troubleshoot things.

Mu-plugins could be lots of individual files, so you can remove one and you don’t have to lose what the rest of plugins are doing.

Besides that, if you don’t use a child theme already, you would have to create one since the contents in the default one are overridden every time you update your theme.

How Do I Create Mu-Plugins?

You can install a file manager plugin for as long as you need to, create the mu-plugin folder and add your simple PHP files in it.

Nothing bad would happen if you install a file manager plugin for a couple of hours and remove it once you are done working with the mu-plugins folder

I am not a fan of using file manager plugins so I recommend using:

Filezilla and CyberDuck are SFTP clients that will make checking your WordPress installation from your Window, Mac or Linux computer.

I keep both programs installed but for my own websites, I use CyberDuck. It is a personal preference.

If you want to use one or both of them, you should create or get your credentials from your hosting provider.

How to Troubleshoot Issues with Mu-Plugins

Developing WordPress

If you break your site after activating a mu-plugin, you can remove the file and your site will be back as soon as you do that.

You can also rename the extension of the file and the plugin you just added will be deactivated.

Change it from this:


to something like this:


I usually break my personal sites when I add new mu-plugins or modify existing ones.

If an theme, plugin or core update breaks your site, you can install and activate the mu-manager plugin and deactivate mu-plugins like you would do with the regular plugins.

Can Mu-Plugins Introduce Security Issues?

One thing you could do is find code snippets from reputable websites and turn these into mu-plugins.

I wouldn’t use mu-plugins to create something related to forms since search, contact forms, login pages can be exploited if poorly coded.

If you use Cloudflare, create a firewall rule to protect the mu-plugins folder.

By the way, lots of plugins and themes are featured weekly in WordFence Security’s Newsletter, so I think that we can conclude that there is a risk when you create a mu-plugin and there is also a risk when you install stuff from the repository.

Manuel Campos

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.






© 2024 WP SURFER • Made with Love in Costa Rica