Fake Plugins in WordPress: How to Detect and Remove Hidden Threats


Plugins allow you to extend your website’s functionality without having to code. While convenient, they’re also one of the biggest security risks on WordPress. Hackers use fake plugins to infiltrate websites, steal data, create admin accounts, and inject spam.

All WordPress site owners need to know how to identify and control fake plugins.

How Hackers Install Fake Plugins

Hackers have several methods for getting fake plugins onto WordPress sites.

Supply-Chain Attacks

Attackers often compromise trusted plugins to spread malware and infiltrate sites. In August 2025, new owners purchased ‘EssentialPlugin’ in a six-figure deal closed on Flippa. Shortly after, the new owners added a backdoor to the plugin’s code.

Reports indicate that the hacker kept the code inactive for months before eventually pushing updates. Hidden spam messages and redirects to unwanted websites appeared on the affected sites.

Fake ‘Nulled’ Plugins

Attackers distribute nulled plugins as counterfeit software on forums and file-sharing sites. These often appear to be legitimate plugins, sharing the names and features of well-known WordPress plugins.

However, they’re completely counterfeit and feature backdoors in their code. Once installed, the hacker uses the backdoor to infiltrate the website.

Old and Outdated Plugins

Hackers often target older plugins that developers have not updated in several years. These are easy targets: they run outdated code, may have compromised admin credentials behind them, and contain known security vulnerabilities that are easy to exploit.

If you’re new to WordPress, you may think that older plugins are more trustworthy. However, they likely no longer receive updates or security fixes, which makes them the perfect entry point for hackers.


The Warning Signs of a Fake Plugin

By spotting a fake plugin early, you can prevent data loss and the installation of malicious code.

Unknown Plugins on Your Dashboard

Unknown plugins are a sign that someone has gained control of your admin account. These plugins often come with believable names related to security, SEO, and performance. Names such as ‘SEO Booster Pro’, ‘WP Speed Fix’, or ‘Security Tool’ are often used.

The harmless names often deter site owners from investigating further — but you should investigate the plugins immediately.

Suspicious Author Names

All WordPress plugins have a listed author or developer attached. Fake plugins will list unknown author names. Hackers sometimes use the names of well-known authors, but will change the spelling slightly to appear legitimate.

In addition to the author name, look out for suspicious company details. Incomplete company details and suspicious email addresses often suggest that the plugin is fake.

If you’re unsure, verify the author’s name through the WordPress Plugin Directory, or check whether the developer lists the plugin on their official website.

Unusual Outbound Links

One reason why hackers create fake plugins is to insert spammy links on websites. These links often lead to unrelated websites, fake online stores, gambling sites, and low-quality SEO-spam sites.

The purpose is normally financial. Attackers may also use these links to boost the search engine rankings of the linked webpages. The links most commonly appear in old blog posts because these have the most established search engine value. Site owners also review these pages least often.
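The kind of injected, hidden outbound links described above can be found mechanically. The following scanner is an added example, not code from the article: it parses one `post_content` value, flags external links that sit inside CSS-hidden elements and any third-party `<script src>`, and runs on a constructed sample post (`example.com` is assumed to be the site's own host).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to keep injected links out of sight (heuristic).
HIDDEN_MARKERS = ("display:none", "visibility:hidden", "text-indent:-")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag

class InjectedLinkScanner(HTMLParser):
    """Flags outbound links inside hidden elements and third-party script tags."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._hidden = []  # one bool per open element: is it hidden?

    def _is_external(self, url):
        host = urlparse(url or "").netloc.lower()
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "hidden" in a or any(m in style for m in HIDDEN_MARKERS)
        if tag not in VOID_TAGS:
            self._hidden.append(hidden)
        if tag == "a" and self._is_external(a.get("href")):
            if any(self._hidden):  # the link or one of its ancestors is hidden
                self.findings.append(("hidden-link", a["href"]))
        elif tag == "script" and self._is_external(a.get("src")):
            self.findings.append(("external-script", a["src"]))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()

def scan_post(html, site_host="example.com"):
    """Return (kind, url) findings for one post_content value."""
    scanner = InjectedLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: what a spam-injected post_content row might look like.
SAMPLE_POST = """<p>Read our <a href="https://example.com/guide">guide</a> and
<a href="https://partner.example.net/tools">this tool</a>.</p>
<div style="display: none;">
  <a href="http://casino-spam.example/bonus">best casino bonus</a>
  <a href="http://cheap-pills.example/buy">cheap pills</a>
</div>
<script src="https://cdn.unknown-tracker.example/s.js"></script>
"""

if __name__ == "__main__":
    for kind, url in scan_post(SAMPLE_POST):
        print(kind, url)
```

Run it over each row of `wp_posts.post_content`, oldest posts first, since those are where the article says injected links usually land.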

How to Remove Fake Plugins: A Step-By-Step Guide


If you suspect a fake plugin, you must audit, quarantine, and remove the threat.

Step 1: Put the Site Into Maintenance Mode

Maintenance mode restricts public access, safeguarding your site visitors from potential malware.

Step 2: Audit Installed Plugins

Go through every plugin installed and remove anything you don’t recognise.

Pay particular attention to recently updated plugins.

Cross-reference plugin names, authors, and update histories with the information available on the WordPress Plugin Directory.

If names, authors, or update histories do not correspond with information available on the Directory, delete the plugin.

Step 3: Check User Accounts and Permissions

Go to ‘Users’ > ‘All Users’ and remove any unknown admins. You can often find hackers by examining any recently created accounts.

Also, check that no existing user’s role, such as ‘Admin’ or ‘Editor’, has been changed.

Once you’ve reviewed all accounts, immediately change account passwords.

Always update credentials from a secure network. If you have to complete this step over a public network, keep your connection encrypted by using a VPN app. A VPN (Virtual Private Network) helps prevent attackers from intercepting your login credentials.

Step 4: Scan for Malware

Use a legitimate WordPress security plugin to scan your site for malware.

Step 5: Look for Injected Content

Check your database for unusual links on pages, suspicious scripts, and unknown scheduled tasks. Remove these as necessary.
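Step 2's cross-check against the Plugin Directory can be scripted. The audit below is an added example, not code from the article: it reads the standard header block from each installed plugin's main file (the `Plugin Name` / `Author` / `Version` lines WordPress itself parses) and compares it with a Directory snapshot you have fetched separately. All plugin files, authors and dates here are constructed; the Directory snapshot format is an assumption of this example.

```python
import re
from datetime import date

# Matches the header lines WordPress reads from a plugin's main file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Author|Version)\s*:\s*(.+?)\s*$", re.M)

def parse_plugin_header(php_source):
    """Return Plugin Name / Author / Version from the first 8 KB of the file."""
    return dict(HEADER_RE.findall(php_source[:8192]))

def audit_plugins(installed, directory, today, stale_years=2):
    """installed: {slug: main-file source}; directory: {slug: {name, author, last_updated}}.
    Returns (slug, reason) pairs that need a human decision."""
    findings = []
    for slug, src in installed.items():
        hdr = parse_plugin_header(src)
        listing = directory.get(slug)
        if "Plugin Name" not in hdr:
            findings.append((slug, "no plugin header"))  # not a normal plugin file
        elif listing is None:
            # Premium plugins are also absent from the Directory: verify by hand.
            findings.append((slug, "not in Plugin Directory"))
        else:
            if hdr.get("Author") != listing["author"]:
                findings.append((slug, f"author mismatch: {hdr.get('Author')!r}"))
            if hdr["Plugin Name"] != listing["name"]:
                findings.append((slug, "name mismatch"))
            if (today - listing["last_updated"]).days > stale_years * 365:
                findings.append((slug, f"not updated in over {stale_years} years"))
    return findings

# Constructed sample data: plugin files as they would sit under wp-content/plugins/.
INSTALLED = {
    "example-forms": "<?php\n/*\nPlugin Name: Example Forms\nAuthor: Example Forms Team\nVersion: 4.2.1\n*/\n",
    "wp-speed-fix": "<?php\n/**\n * Plugin Name: WP Speed Fix\n * Author: Acme P1ugins\n * Version: 1.0\n */\n",
    "seo-booster-pro": "<?php\n/*\nPlugin Name: SEO Booster Pro\nAuthor: admin\nVersion: 1.0\n*/\n",
    "legacy-gallery": "<?php\n/*\nPlugin Name: Legacy Gallery\nAuthor: Old Dev\nVersion: 0.9\n*/\n",
    "cache-helper": "<?php\n// constructed: a file dropped in with no plugin header at all\n",
}
DIRECTORY = {  # constructed snapshot of Plugin Directory listings
    "example-forms": {"name": "Example Forms", "author": "Example Forms Team", "last_updated": date(2025, 9, 1)},
    "wp-speed-fix": {"name": "WP Speed Fix", "author": "Acme Plugins", "last_updated": date(2025, 8, 15)},
    "legacy-gallery": {"name": "Legacy Gallery", "author": "Old Dev", "last_updated": date(2019, 3, 2)},
}

if __name__ == "__main__":
    for slug, reason in audit_plugins(INSTALLED, DIRECTORY, date(2025, 10, 1)):
        print(f"{slug}: {reason}")
```

The look-alike author (`Acme P1ugins`), the unlisted ‘SEO Booster Pro’, the long-unmaintained plugin and the header-less file are each reported; a plugin that matches its listing produces nothing.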

Strengthening Your WordPress Security Going Forward

Improving the security of your site can prevent this from happening again in the future. An alarming number of WordPress sites have vulnerabilities. A recent study conducted by Patchstack found 11,334 new vulnerabilities in 2025 alone.

Regularly changing all passwords, enabling multi-factor authentication, and limiting admin access reduce the likelihood of site compromise.

Additionally, you should regularly audit your site plugins and look for anything unfamiliar, outdated, or no longer maintained.