What Are Fake Plugins?
Fake plugins are malicious WordPress plugins that pretend to be legitimate but are actually designed to:
- Provide persistent access to the attacker
- Bypass cleanup attempts
- Execute arbitrary PHP code or remote commands
They often:
- Mimic real plugins (e.g., hello-dolly2, seo-optimize, wp-optimizer)
- Have no settings panel or visible UI
- Remain hidden from most plugin dashboards
Once installed, they silently keep giving the attacker full access to your site, even after you have cleaned up other malware infections.
Why Are Fake Plugins So Dangerous?
| Risk | Description |
| --- | --- |
| 🧱 Persistence | Survive even after malware removal or core resets |
| 🕵️‍♂️ Stealth | Often hidden or disguised as system plugins |
| 🧬 Execution | Can upload files, run PHP code, or create fake admin users |
| 🪤 Remote Control | Communicate with external C2 (Command & Control) servers |
| 🔁 Reinfection | Automatically reintroduce malware payloads or SEO spam |
Hackers love fake plugins because they blend in and stay unnoticed—especially on larger, plugin-heavy sites.
How Do Fake Plugins Get Installed?
| Entry Vector | Description |
| --- | --- |
| ❌ Nulled themes/plugins | Common carriers of fake plugins |
| ⚙️ Insecure plugin update process | Compromised update servers or fake plugin updates |
| 🤫 Post-hack payload | Dropped after another exploit as a backup way back in |
| 🧑‍💻 Fake admin accounts | Attackers install plugins manually once they have login access |
They often don’t appear in your Plugins dashboard at all, so you have to check the plugin directories manually.
Signs of a Fake Plugin in Your WordPress Site
- Plugins folder contains unfamiliar plugin names (e.g., wp-system, hello-admin, wp-login2)
- Plugin files with random hashes or gibberish names (wp-abc123.php)
- Plugin contains only one .php file, often obfuscated
- Plugin has no description or author in the WordPress dashboard
- You clean the site but it keeps getting reinfected
Where to Look for Fake Plugins
Fake plugins usually live in:
- /wp-content/plugins/
- /wp-content/mu-plugins/ (must-use plugins)
- Occasionally in /wp-content/uploads/ (disguised plugin folders)
Step-by-Step: How to Detect and Remove Fake Plugin Malware
🧪 Step 1 – List and Audit All Plugins
Use WP-CLI:
wp plugin list
Look for suspicious or unfamiliar names.
Or check manually via FTP/SFTP:
- Cross-reference each folder in /wp-content/plugins/ with official plugins on WordPress.org/plugins
🔎 Step 2 – Review the Plugin Code
Look inside suspicious plugin files for calls such as:
- base64_decode
- eval(
- file_get_contents (when pointed at a remote URL)
- shell_exec
- gzinflate
- create_function
Also, check for:
- Obfuscated code or extremely long strings
- External IPs or hidden domains (e.g., api.example.cn)
- eval() calls that execute user-supplied input at runtime
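The audit in Steps 1 and 2 can be scripted. The following is an added example, not code from the original article: it builds a throwaway plugins directory containing two constructed plugins (one clean-looking, one fake) and then runs the checks described above over every plugin folder: whether a file carries a "Plugin Name:" header, how many PHP files the folder holds, and whether any file contains the dangerous calls listed in Step 2. The plugin names, file contents and the regex are all assumptions made for the demo.

```shell
#!/bin/bash
# Added example for Steps 1 and 2 (not code from the original article).
# Builds a throwaway plugins directory with two constructed plugins, one
# clean-looking and one fake, then audits every plugin folder for the
# indicators the article lists: no plugin header, a single PHP file, and
# dangerous calls such as eval(), base64_decode() or remote file_get_contents().

# Indicators from Step 2, as one extended regex for grep -E (constructed).
DANGEROUS_PATTERN='base64_decode|eval[[:space:]]*\(|gzinflate|shell_exec|create_function|file_get_contents\([^)]*https?://'

# Constructed sample tree; every name and file body here is made up for the demo.
make_sample_plugins() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/demo-seo/includes" "$root/wp-system"

    # Constructed legitimate-looking plugin: proper header, more than one file, no dangerous calls.
    cat > "$root/demo-seo/demo-seo.php" <<'EOF'
<?php
/*
Plugin Name: Demo SEO (constructed)
Description: Clean plugin used only for this audit example.
Author: Example Author
*/
require_once __DIR__ . '/includes/helpers.php';
EOF
    printf '<?php\nfunction demo_seo_title($t) { return trim($t); }\n' > "$root/demo-seo/includes/helpers.php"

    # Constructed fake plugin: no header, one obfuscated file, a fetch from a hidden domain.
    # The base64 string decodes to a harmless echo; nothing here is ever executed by PHP.
    cat > "$root/wp-system/wp-system.php" <<'EOF'
<?php
$k = "ZWNobyAnaGknOw==";
eval(base64_decode($k));
@file_get_contents("http://api.example.cn/c.txt");
EOF
    echo "$root"
}

# Step 1: plugin folders WordPress would not even list, because no file carries a "Plugin Name:" header.
plugins_without_header() {
    local root=$1 dir
    for dir in "$root"/*/; do
        dir=${dir%/}
        grep -qs 'Plugin Name:' "$dir"/*.php || basename "$dir"
    done
}

# Step 2: files containing any of the dangerous calls, as paths relative to the plugins directory.
scan_dangerous_calls() {
    ( cd "$1" && grep -rlsE --include='*.php' "$DANGEROUS_PATTERN" . | sed 's#^\./##' | sort )
}

# One summary line per plugin folder, combining the Step 1 and Step 2 checks.
audit_plugins() {
    local root=$1 dir name nphp header flagged
    for dir in "$root"/*/; do
        dir=${dir%/}
        name=$(basename "$dir")
        nphp=$(find "$dir" -type f -name '*.php' | wc -l | tr -d ' ')
        header=no;  grep -qs 'Plugin Name:' "$dir"/*.php && header=yes
        flagged=no; grep -rqsE --include='*.php' "$DANGEROUS_PATTERN" "$dir" && flagged=yes
        printf '%s header=%s php_files=%s dangerous_calls=%s\n' "$name" "$header" "$nphp" "$flagged"
    done
}

# Demo run on the constructed tree. On a live site, point audit_plugins at
# wp-content/plugins and compare the folder names with `wp plugin list --field=name`.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_plugins)
    audit_plugins "$root"
    rm -rf "$root"
fi
```

Run it with `--demo` to see one line per folder; on the constructed tree `wp-system` is reported with `header=no php_files=1 dangerous_calls=yes`. Treat each column as a signal rather than a verdict: a single-file plugin with a header is normal (Hello Dolly ships that way), and `base64_decode` appears in some legitimate plugins, so every hit from `scan_dangerous_calls` still needs a human to read the surrounding code before the folder is deleted.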
🧹 Step 3 – Delete Fake Plugin Completely
- Deactivate the plugin
- Delete the folder from /wp-content/plugins/
- Check /mu-plugins/ and /uploads/ for similar structures
- Remove related cron jobs or autoloaded options
💾 Step 4 – Clean and Restore Critical Files
Malware in fake plugins may have spread to:
- functions.php
- wp-config.php
- .htaccess
- Random PHP files in /uploads/
You may need to:
- Replace core files with clean copies
- Search for base64, eval, or include calls referencing plugin paths
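Steps 3 and 4 both come down to finding what the fake plugin left behind outside its own folder. The following is an added example, not code from the original article: it constructs a small WordPress-like tree and then looks for two of the traces named above, PHP files dropped under uploads/ and include/require lines in the theme or wp-config.php that reload code from a plugin path. The directory layout, file names and contents are assumptions made for the demo.

```shell
#!/bin/bash
# Added example for Steps 3 and 4 (not code from the original article).
# A fake plugin rarely stays inside its own folder, so after deleting it this
# script looks for the traces the article names: PHP files dropped under
# uploads/, and include/require lines in the theme or wp-config.php that pull
# code from a plugin path. The site tree and file contents are constructed.

make_sample_site() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/demo-theme" "$root/wp-content/uploads/2024/05"

    # Constructed wp-config.php with nothing suspicious in it.
    printf '<?php\ndefine("DB_NAME", "demo");\n' > "$root/wp-config.php"

    # Constructed theme functions.php: line 3 reloads a (deleted) fake plugin from a plugin path.
    cat > "$root/wp-content/themes/demo-theme/functions.php" <<'EOF'
<?php
add_action('init', 'demo_theme_setup');
@include_once WP_CONTENT_DIR . '/plugins/wp-system/loader.php';
EOF

    # Constructed upload directory: an image is expected there, a PHP file is not.
    printf 'fake image bytes' > "$root/wp-content/uploads/2024/05/photo.png"
    printf '<?php echo "dropped";\n' > "$root/wp-content/uploads/2024/05/wp-abc123.php"
    echo "$root"
}

# WordPress never needs executable PHP under uploads/; anything found here is suspect.
php_in_uploads() {
    ( cd "$1" && find wp-content/uploads -type f -name '*.php' | sort )
}

# include/require statements in wp-config.php or any theme that reference a plugins/ path.
# Output is file:line:text so each hit can be read before anything is removed.
# Returns 0 even when nothing is found, so it is safe under `set -e`.
includes_referencing_plugins() {
    ( cd "$1" && grep -rnE --include='*.php' \
        '(include|require)(_once)?[[:space:]]*\(?.*plugins/' wp-config.php wp-content/themes ) || true
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_site)
    echo "PHP under uploads:";            php_in_uploads "$root"
    echo "Includes pointing at plugins:"; includes_referencing_plugins "$root"
    rm -rf "$root"
fi
```

On a live site, run both functions against the WordPress root after the plugin folder is gone; a hit in functions.php is exactly the kind of loader line that brings the infection back on the next page view. For the other items in Step 3, WP-CLI gives the same visibility over the database: `wp cron event list` shows scheduled events, and `wp option list --autoload=on` shows the options loaded on every request, where a leftover option carrying the plugin's name is worth inspecting. For core files, `wp core verify-checksums` compares each file against the checksums published by WordPress.org, which is quicker than replacing everything blindly.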
🧠 Step 5 – Reset Security Credentials
- Change all WordPress admin passwords
- Remove any unfamiliar users
- Update database, FTP, and cPanel credentials
How to Prevent Fake Plugin Malware in the Future
| Step | Tool or Action |
| --- | --- |
| 🔐 Use Only Trusted Plugins | Only install from WordPress.org or trusted vendors |
| 📦 Avoid Nulled Content | It’s the #1 source of fake plugins |
| 🔄 Enable Auto-updates | Keep everything current to avoid exploit-based payloads |
| 🧰 Install a Security Plugin | Wordfence, iThemes, MalCare for real-time monitoring |
| 🧑‍💻 Audit Admins Monthly | Don’t leave unused admin accounts active |
| 🚫 Disable Plugin Installation for Users | Use define() constants in wp-config.php |
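The last row refers to two WordPress constants: DISALLOW_FILE_MODS, which removes the ability to install, update or delete plugins and themes from the dashboard, and DISALLOW_FILE_EDIT, which disables the built-in theme and plugin file editor. The following is an added example, not code from the original article: it reports whether a wp-config.php already sets them and inserts both above the "stop editing" marker when it does not. The sample config is constructed for the demo.

```shell
#!/bin/bash
# Added example for the "Disable Plugin Installation for Users" row (not code
# from the original article). It sets the two WordPress constants that lock
# the dashboard against plugin/theme installs and against the built-in file
# editor, inserting them above the "stop editing" marker in wp-config.php,
# and reports whether a given config already has them. The sample config is constructed.

make_sample_wp_config() {
    local cfg
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
define("DB_NAME", "demo");
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    echo "$cfg"
}

# Reports file_mods=locked|open file_edit=locked|open.
# Only an uncommented define(..., true) at the start of a line counts.
wp_config_status() {
    local mods=open edit=open
    grep -qE '^[[:space:]]*define\(.DISALLOW_FILE_MODS., *true *\)' "$1" && mods=locked
    grep -qE '^[[:space:]]*define\(.DISALLOW_FILE_EDIT., *true *\)' "$1" && edit=locked
    printf 'file_mods=%s file_edit=%s\n' "$mods" "$edit"
}

# Rewrites wp-config.php in place: drops any earlier DISALLOW_FILE_* define so the
# constant is not defined twice, then inserts both constants just before the
# stop-editing marker (wp-settings.php is loaded after it, so later defines are
# too late). Running it twice leaves exactly two defines. File mode is preserved
# by writing through the original path instead of replacing the inode.
harden_wp_config() {
    local file=$1 tmp
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*define\(.DISALLOW_FILE_(MODS|EDIT)./ { next }
        /stop editing/ && !done {
            print "define(\"DISALLOW_FILE_MODS\", true);"
            print "define(\"DISALLOW_FILE_EDIT\", true);"
            done = 1
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    cfg=$(make_sample_wp_config)
    wp_config_status "$cfg"
    harden_wp_config "$cfg"
    wp_config_status "$cfg"
    rm -f "$cfg"
fi
```

Two caveats before applying this to a production site. DISALLOW_FILE_MODS also blocks dashboard updates for plugins, themes and core, so updates then have to be run with WP-CLI (`wp plugin update --all`) or through your deployment process, and the "Enable Auto-updates" row above needs that same path. And neither constant stops an attacker who already has FTP, SFTP or shell access to the server; they only close the WordPress admin route that a stolen admin password would use.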
Recommended Tools for Detection
| Tool | Use |
| --- | --- |
| Wordfence | Detects known fake plugin signatures |
| MalCare | One-click removal of plugin malware |
| WP-CLI | Command-line visibility of all plugins |
| Sucuri | External scanner + alerting |
| Patchstack | Plugin vulnerability monitoring |
Final Thoughts: A Fake Plugin Is a Hidden Hacker Backdoor
If your site keeps getting hacked even after cleaning, chances are a fake plugin is quietly giving hackers a way back in. These are designed to look legit, bypass detection, and reinfect your site anytime.
👉 Detection is not always easy — but with the right tools and a methodical audit, you can root them out for good.
📣 CTA – Suspect a Fake Plugin? Let Us Audit Your Site
We specialize in identifying and removing deeply embedded malware, including stealthy fake plugins.
🚀 [Request a Free WordPress Malware Scan ➜]