Hasty Briefs (beta)

We Analyzed 20 Most Common Fake WordPress Plugins. Here's What They Do

2 days ago
  • #Fake Plugins
  • #Malware Analysis
  • #WordPress Security
  • Analysis of 20 prevalent fake WordPress plugins reveals that all are malicious with no legitimate functionality; they fall into 10 distinct malware families based on code structure and behavior.
  • The most dangerous family (Hidden Admin Toolkit) creates hidden admin accounts, systematically deletes security plugins, and uses a master key for credential derivation across infected sites.
  • Other families include SEO redirect with user data exfiltration, traffic distribution systems, SEO spam injection, remote code execution backdoors, trojanized legitimate plugins, and various obfuscation techniques.
  • Nearly universal behavior: 19 of 20 samples hide themselves from WordPress plugin lists, with advanced variants using CSS injection or filter hooks for stealth.
  • Security plugin deletion occurs via direct filesystem calls (unlink/rmdir) that bypass WordPress hooks, targeting over 14 security tools including Wordfence, iThemes Security, and activity loggers.
  • Malware exhibits anti-competitive behavior: removes competing backdoors, scans for suspicious accounts, cleans webshells, and uses multi-layer persistence strategies.
  • Advanced persistence techniques include mu-plugins droppers, backup restoration from wp-content/upgrade/, and self-reactivation on deactivation.
  • Detection methods include filesystem checks for unrecognized plugins, database queries for hidden administrator accounts, and frontend inspection for injected JavaScript signatures.
  • Fake plugins exploit WordPress's trust model where all activated plugins are treated as trusted code without sandboxing or permission restrictions.
  • Multilayer defense strategies are recommended, since application-level security plugins can be deleted by malware operating at lower system levels.
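The three detection methods in the summary (filesystem check for plugin directories the plugin list does not report, database query for administrator accounts the site owner does not recognize, and inspection of rendered HTML for script sources that do not belong) can be scripted on the defender's side. The following Python is an added example, not code from the article or from any project it describes. It runs against constructed sample data (an in-memory SQLite copy of the `wp_users`/`wp_usermeta` shape, a temporary plugin tree, and a short HTML snippet); the plugin name `wp-cache-helper`, the user `wp_support`, and the host `cdn.example-static.invalid` are constructed for the example. The `wp_` table prefix is the WordPress default and may differ per site.

```python
"""Added example: defender-side checks for hidden plugins, hidden admins and
injected scripts, run on constructed sample data (not the article's code)."""
import os
import re
import sqlite3
import tempfile
from urllib.parse import urlparse

# Real WordPress schema: the 'wp_capabilities' usermeta row holds a serialized
# PHP array of roles; administrators have "administrator" in it.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
"""

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)


def unrecognized_plugins(plugins_dir, listed_plugins):
    """Plugin directories on disk that the plugin list (Plugins screen or
    `wp plugin list`) does not report. A plugin hiding itself via the
    all_plugins filter shows up here because the filesystem is not filtered."""
    on_disk = {d for d in os.listdir(plugins_dir)
               if os.path.isdir(os.path.join(plugins_dir, d))}
    return sorted(on_disk - set(listed_plugins))


def hidden_admins(conn, known_admins):
    """Administrator accounts in the database whose login the site owner
    does not recognize. Returns (ID, user_login, user_email) rows."""
    rows = conn.execute(ADMIN_QUERY).fetchall()
    return [r for r in rows if r[1] not in known_admins]


def foreign_scripts(html, allowed_hosts):
    """External <script src> URLs on a rendered page whose host is not on the
    allow list; relative and same-host sources are ignored."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits


# ---- constructed sample data ------------------------------------------------

def build_sample_plugins_dir():
    """Constructed plugin tree: two plugins the list reports plus one it does
    not ('wp-cache-helper' is an invented name for the example)."""
    root = tempfile.mkdtemp()
    for name in ("akismet", "contact-form-7", "wp-cache-helper"):
        os.makedirs(os.path.join(root, name))
    open(os.path.join(root, "index.php"), "w").close()  # WP ships this stub file
    return root


def build_sample_db():
    """Constructed rows: one legitimate admin, one editor, one unrecognized
    admin with a high user ID ('wp_support' is invented for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.org');
    INSERT INTO wp_users VALUES (2, 'editor', 'editor@example.org');
    INSERT INTO wp_users VALUES (57, 'wp_support', 'x@example.invalid');
    INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    INSERT INTO wp_usermeta VALUES (57, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


# Constructed page fragment: one first-party script, one injected external one.
SAMPLE_HTML = (
    '<html><head><script src="/wp-includes/js/jquery/jquery.min.js"></script>'
    '<script src="https://cdn.example-static.invalid/t.js"></script></head>'
    '<body></body></html>'
)


def run_checks():
    """Run all three checks on the constructed data and return the findings."""
    plugins_dir = build_sample_plugins_dir()
    conn = build_sample_db()
    return {
        "unlisted_plugins": unrecognized_plugins(plugins_dir, ["akismet", "contact-form-7"]),
        "unknown_admins": [r[1] for r in hidden_admins(conn, {"siteowner"})],
        "foreign_scripts": foreign_scripts(SAMPLE_HTML, {"example.org"}),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

On a live site the same functions would be pointed at `wp-content/plugins/`, the real database, and a fetched front page; the filesystem and database checks are the ones that still work when the plugin list or the security plugins themselves have been tampered with, which is why the summary recommends checks below the application layer.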