DisableMU released

disableMUYesterday, my first plugin was approved and released within the plugin repository on wordpress.org. Woohoo!


Most of the relevant information can be found on the repository page or on the DisableMU page here on the site. Long story short, I wanted a way to protect my sites from malicious code being uploaded to the /wp-content/mu-plugins directory in the event of a server compromise or malicious plugin code executing.

The way the plugin works is by tricking WordPress into not being able to find the intended path to the mu-plugins folder. This can (and is) accomplished by defining three Constants inside of wp-config.php

if ( !defined('WPMU_PLUGIN_DIR') ) 
    define( 'WPMU_PLUGIN_DIR', ABSPATH . 'wp-content/plugins/mu-12345678901234567890' ); 

if ( !defined('WPMU_PLUGIN_URL') ) 
    define( 'WPMU_PLUGIN_URL', get_option('siteurl') . '/wp-content/mu-12345678901234567890' );

if ( !defined( 'MUPLUGINDIR' ) ) 
    define( 'MUPLUGINDIR', 'wp-content/mu-12345678901234567890' );

The only difference is, using DisableMU removes the need for you to touch your own wp-config.php file and that the final directory path is randomly generated each time the plugin is activated. This means that no two installations are running the same “renamed” directory.

Hopefully it helps you, and let me know if you have any feedback!

Leave a Reply