Make WordPress Core

Opened 7 years ago

Last modified 5 weeks ago

#46982 new defect (bug)

Avoid loading dot files in the mu-plugins directory.

Reported by: dcavins
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 2.8
Component: Plugins
Keywords: has-patch has-test-info
Focuses:
Cc:

Description

In some circumstances, metadata files are generated in the mu-plugins directory. For example, editing a plugin file my-mu-plugin.php folder using a Mac via SMB can result in a metadata file ._my-mu-plugin.php being created. Because of the way wp_get_mu_plugins() works, this metadata file will be loaded as a valid plugin and the contents of the file will be output in the page header.

I'm attaching a small patch to avoid loading ._ files in the unfortunate event that they are created.

Attachments (2)

46982.1.diff (472 bytes) - added by dcavins 7 years ago.
Avoid loading ._ files in mu-plugins.
46982.2.diff (455 bytes) - added by dcavins 5 weeks ago.
Avoid loading ._ files in mu-plugins.


Change History (12)

@dcavins
7 years ago

Avoid loading ._ files in mu-plugins.

#1 @SergeyBiryukov
7 years ago

  • Component changed from Filesystem API to Plugins

#2 @SergeyBiryukov
7 years ago

  • Version changed from trunk to 2.8

Introduced in [10737].

#3 @azouamauriac
4 years ago

  • Keywords needs-refresh needs-testing added

#4 @azouamauriac
4 years ago

Maybe this is related to #41638

#5 @huzaifaalmesbah
5 weeks ago

  • Keywords needs-testing removed

I attempted to apply the attached patch (46982.1.diff) against current trunk (7.0-alpha), but it does not apply cleanly.

Patch results:

  • src/wp-includes/load.php → hunk failed (.rej created)

Since the patch cannot be applied, testing is not possible at this time. Because of this, keeping needs-testing is not actionable until the patch is refreshed.

@dcavins
5 weeks ago

Avoid loading ._ files in mu-plugins.

#6 @dcavins
5 weeks ago

@huzaifaalmesbah Thanks for your comment. I've refreshed the patch to match the current development trunk (46982.2.diff).

#7 @dcavins
5 weeks ago

  • Keywords needs-refresh removed

#8 @huzaifaalmesbah
5 weeks ago

  • Keywords has-test-info added

Patch Testing Report

Patch Tested: 46982.2.diff

Environment

  • WordPress: 7.0-alpha-61215-src (trunk)
  • PHP: 8.2.30
  • Server: nginx/1.29.4
  • Database: mysqli (Server: 9.5.0 / Client: mysqlnd 8.2.30)
  • Browser: Chrome 144
  • OS: macOS
  • Theme: Twenty Nineteen 3.2
  • MU Plugins:
    • ._dotfile-test.php (test file)
  • Plugins:
    • Classic Editor 1.6.7
    • Test Reports 1.2.1

Steps taken

  1. Created /wp-content/mu-plugins/ directory.
  2. Added a dotfile plugin named ._dotfile-test.php with an admin notice (see snippet below).
  3. Loaded wp-admin without the patch.
  4. Observed the dotfile plugin was executed and displayed an error notice.
  5. Applied 46982.2.diff.
  6. Reloaded wp-admin.
  7. Confirmed the dotfile plugin is no longer loaded or executed.
  8. ✅ Patch is solving the problem

Expected result

  • Files beginning with "._" should NOT be detected or loaded as MU plugins.
  • Dotfiles must be ignored by wp_get_mu_plugins().
  • No PHP execution or output from metadata/system files.

Screenshots/Screencast with results

Before Apply Patch: https://i.ibb.co/5W1qNc1n/Huzaifa-20260202211826.png
After Apply Patch ✅: https://i.ibb.co/N6V0q0Mt/Huzaifa-20260202211929.png

Support Content

Test MU plugin used:

<?php
/**
 * This file SHOULD NEVER LOAD.
 * If you see this notice, WordPress is loading dotfiles (bug).
 */
add_action('admin_notices', function () {
    echo '<div class="notice notice-error"><p><strong>BUG:</strong> Dotfile MU plugin was loaded.</p></div>';
});

#9 @dcavins
5 weeks ago

Thank you for testing the patch!

#10 @huzaifaalmesbah
5 weeks ago

After applying 46982.2.diff to WordPress, ._* dotfiles are no longer executed as MU plugins, which fixes the issue.

However, ._* files still appear in the Must-Use Plugins list in the admin. Should these also be excluded from the list to avoid confusion, since they are not real plugins?
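
The behaviour discussed in this ticket, as an added example that is neither the attached patch nor WordPress core code: a standalone PHP script comparing a scan that accepts any name ending in .php with one that also skips names beginning with "._". The helper name list_mu_candidates() and the temporary directory are assumptions made for the illustration; the sample files are constructed.

```php
<?php
// Added illustration; not WordPress core code and not the ticket's patch.

/**
 * Hypothetical helper: collect *.php names in $dir by suffix, optionally
 * skipping "._" metadata files like the one described in the ticket.
 */
function list_mu_candidates( string $dir, bool $skip_dot_underscore ): array {
	$found = array();
	$dh    = is_dir( $dir ) ? opendir( $dir ) : false;
	if ( ! $dh ) {
		return $found;
	}
	while ( ( $name = readdir( $dh ) ) !== false ) {
		if ( '.php' !== substr( $name, -4 ) ) {
			continue; // Not a PHP file by suffix.
		}
		if ( $skip_dot_underscore && 0 === strpos( $name, '._' ) ) {
			continue; // Metadata sidecar, not a plugin.
		}
		$found[] = $name;
	}
	closedir( $dh );
	sort( $found );
	return $found;
}

// Constructed sample directory standing in for wp-content/mu-plugins.
$dir   = sys_get_temp_dir() . '/mu-demo-' . bin2hex( random_bytes( 4 ) );
$files = array(
	'my-mu-plugin.php'   => "<?php // real plugin\n",
	'._my-mu-plugin.php' => "constructed metadata bytes\n",
	'notes.txt'          => "ignored by both scans\n",
);
mkdir( $dir );
foreach ( $files as $name => $body ) {
	file_put_contents( "$dir/$name", $body );
}

$suffix_only = list_mu_candidates( $dir, false );
$filtered    = list_mu_candidates( $dir, true );
echo 'Suffix-only scan: ', implode( ', ', $suffix_only ), "\n";
echo 'With ._ skipped:  ', implode( ', ', $filtered ), "\n";
echo 'Difference:       ', implode( ', ', array_diff( $suffix_only, $filtered ) ), "\n";

// Remove the constructed files and directory.
foreach ( array_keys( $files ) as $name ) {
	unlink( "$dir/$name" );
}
rmdir( $dir );
```

Pointing list_mu_candidates() at a real mu-plugins path with both flag values gives a quick audit of which files only the suffix check would pick up.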
