What Are Malicious WordPress Plugins?

WordPress plugins are PHP scripts that extend the functionality of WordPress. They add features to your site, either enhancing ones that are already available or providing new ones that would otherwise be unavailable.

The majority of WordPress users need no plugins, or only a few, such as plugins that deal with comment spam or customized post listings. Other users enjoy the varied options plugins provide, such as frequently updated weather reports, post word counts, rating systems, and more. Because plugins are optional and depend on the needs of the user, they are not incorporated into the core of WordPress.

Plugins let you add to and customize WordPress’ features. WordPress keeps a repository of them on its website. However, you can also install plugins that are not in that repository (i.e. not approved by WordPress). If you decide to, we urge you to be cautious: unofficial plugins are often maliciously designed and will harm your website and its visitors.

Malicious plugins can also affect your site if an attacker compromises your account. Once installed, such a plugin grants the attacker ongoing access to your site, which they can use to upload malicious files or tamper with your site’s existing content.

Signs You’ve Been Compromised

Malicious plugins can be found by reviewing the list of installed plugins in the WordPress admin screen.

When reviewing the list, look for anything you did not install and that did not come bundled with WordPress. You may also need to consult the WordPress Plugin Directory or your favorite search engine to determine whether a plugin is legitimate.

In addition to reviewing the installed plugins in the admin screen, check the /wp-content/plugins/ directory in the site’s file structure, since a malicious plugin can be present on disk without appearing in the plugins screen. You can do this via FTP or through your hosting account’s control panel.

Remove all malicious plugin directories. If a malicious plugin is not listed in the plugins screen, delete its directory via FTP or through your hosting account’s control panel. Before deleting anything, we recommend making a backup of your website.
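The comparison described above (the wp-admin plugin list versus the directories actually present under /wp-content/plugins/) is easy to automate. The script below is an added example, not code from the original article or from WordPress; it assumes you can copy or mount the site’s wp-content/plugins/ directory locally, and that the list of plugin slugs you recognise from the admin screen is passed in as `expected`. It flags directories you did not install, and separately flags directories that carry no "Plugin Name:" header, because WordPress only lists a plugin in the admin screen when one of its top-level PHP files has that header. The sample plugin tree it builds is constructed for the demonstration.

```python
"""Audit a WordPress wp-content/plugins directory against the plugins you
recognise from the wp-admin Plugins screen (added example, not the article's own)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# A plugin is listed in wp-admin only if one of its top-level .php files carries a
# "Plugin Name:" header comment. The pattern accepts the comment prefixes WordPress
# tolerates in front of the header key (spaces, tabs, /, *, #, @).
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(\S.*)$", re.IGNORECASE | re.MULTILINE)


def plugin_header_name(plugin_dir: Path) -> Optional[str]:
    """Return the Plugin Name header of the first top-level .php file that has one.

    Only the first 8 KiB of each file is read, which is also how far WordPress looks
    for file headers. None means no header: the directory never shows up in the
    admin screen, which is how a hidden plugin avoids notice.
    """
    for php in sorted(plugin_dir.glob("*.php")):
        try:
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        except OSError:
            continue
        match = HEADER_RE.search(head)
        if match:
            return match.group(1).strip()
    return None


def audit_plugins(plugins_root, expected: Iterable[str]) -> Dict[str, List[str]]:
    """Compare plugin directories on disk with the slugs (directory names) you expect.

    Returns three sorted lists:
      unexpected - directories you did not install (candidate malicious plugins)
      hidden     - directories with no Plugin Name header (invisible in wp-admin)
      missing    - expected slugs with no directory on disk (removed or renamed)
    """
    root = Path(plugins_root)
    expected_set = set(expected)
    on_disk = {p.name for p in root.iterdir() if p.is_dir()}
    findings: Dict[str, List[str]] = {"unexpected": [], "hidden": [], "missing": []}
    for slug in sorted(on_disk):
        if plugin_header_name(root / slug) is None:
            findings["hidden"].append(slug)
        if slug not in expected_set:
            findings["unexpected"].append(slug)
    findings["missing"] = sorted(expected_set - on_disk)
    return findings


def build_sample_tree(base) -> Path:
    """Create a constructed wp-content/plugins tree for the demo (sample data, not a real site)."""
    plugins = Path(base) / "wp-content" / "plugins"
    # 1. A plugin the operator installed, with a normal header.
    (plugins / "example-contact-form").mkdir(parents=True)
    (plugins / "example-contact-form" / "example-contact-form.php").write_text(
        "<?php\n/*\nPlugin Name: Example Contact Form\n*/\n")
    # 2. A plugin with a valid header that the operator never installed: it is visible
    #    in wp-admin, and only the comparison against the expected list catches it.
    (plugins / "sample-unknown-plugin").mkdir()
    (plugins / "sample-unknown-plugin" / "sample-unknown-plugin.php").write_text(
        "<?php\n/**\n * Plugin Name: Sample Unknown Plugin\n */\n")
    # 3. A directory with PHP files but no header: absent from wp-admin entirely.
    (plugins / "sample-hidden-plugin").mkdir()
    (plugins / "sample-hidden-plugin" / "index.php").write_text("<?php\n// no plugin header\n")
    return plugins


def demo_findings(expected: Iterable[str] = ("example-contact-form",)) -> Dict[str, List[str]]:
    """Build the constructed sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(build_sample_tree(tmp), expected)


if __name__ == "__main__":
    # `expected` is the set of slugs you recognise from the wp-admin Plugins screen.
    for kind, slugs in demo_findings().items():
        print(f"{kind:10s} {slugs}")
```

Anything reported as `hidden` deserves a manual look before deletion: a few legitimate plugins keep their header in a file inside a subdirectory, but a top-level directory under wp-content/plugins/ with PHP code and no header at all is not something WordPress or the plugin directory would normally produce.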

You should also:

  • Change your WordPress admin password.
  • Update all of your plugins to the latest version.
  • Review all content to ensure it does not contain anything malicious, or preferably restore from a backup taken before the compromise.