Fake WordPress Plugins: What You Need to Know

There are a lot of time-saving apps, CSS frameworks, and JavaScript libraries you can use as a WordPress developer to simplify your workflows. But plugins? Especially ones found in the WordPress repository or from your WPMU DEV membership? Talk about convenience and instant satisfaction.

Plugins are definitely one of the pluses of building websites using WordPress. However, plugins can seriously compromise your site’s security if you’re not careful.

With 54% of detected vulnerabilities attributed to plugins, it’s no secret they’re the leading cause of WordPress security breaches. Of course, that can usually be boiled down to user error (i.e. a plugin wasn’t updated when it should have been). But sometimes these plugin security issues don’t have anything to do with that type of user error. Instead, they arise from other users; specifically, hackers who knowingly inject their own plugins with malicious code.

Yep, that’s right: there are fake WordPress plugins built with the explicit purpose of infecting websites. As you’ll soon see, these infections aren’t always easy to spot right away either. Let’s take a look at why hackers use WordPress plugins to crack their way into your website, how they do it, and what you can do to prevent it.

Fake WordPress Plugins That Tricked Everyone

Alright, so you know how to lock a WordPress site down pretty well. The admin area needs attention as does the root directory of your site. Any direct contact visitors make with your site needs to be fortified as does your web host’s servers. Basically, every angle needs to be covered.

But what do you do when the hack comes from inside your website?

Fake WordPress Plugins - Inside the House
Terrible movie. Great line.

Hackers who go to the trouble of building a fake WordPress plugin know what they’re doing. Many of the fake plugins that have actually harmed users’ websites passed through undetected because the code–at first glance anyway–appeared legit. There are also, scarily enough, fake plugins that didn’t start out that way.

If you’ve never encountered a fake WordPress plugin before, let me introduce you to a number of well-known cases:

Pingatorpin Plugin

Pingatorpin was a plugin in 2013 that wasn’t immediately identified as what it truly was. Sucuri had stumbled across a rather large number of websites containing malware, all sharing a similar set of files. It wasn’t until they started digging deeper that they realized the Pingatorpin plugin was the source of the spam running rampant on these sites.

SI CAPTCHA Anti-Spam Plugin

Wanna see something tricky? Then get a load of the SI CAPTCHA plugin, which, up until the summer of 2017, was actually a valid CAPTCHA plugin. In June, the plugin was purchased by another party and changed ownership. That’s when the problems began.

The new owner added code into the plugin that would allow a separate server of his to inject payday loan ads into users’ blog posts. It wasn’t the only plugin this hacker used either as eight other WordPress plugins were used as a means for gaining backdoor access to websites in order to run spam there.

There are crafty hackers like these who will purchase well-known plugins from developers and then issue updates with a vulnerability inside them that grants them access to users’ sites. They know that WordPress developers and other users who are hypervigilant about security are likely reluctant to use a little-known plugin from the repository, so this super devious move is actually really smart when you think about it.

WP-Base-SEO Plugin

Nearly 4,000 WordPress websites were breached in April of 2017 when the WP-Base-SEO plugin was installed. The hacker behind this one didn’t build the plugin from the ground up nor did they purchase an already known plugin in order to gain users’ trust. Instead, they copied code from another SEO plugin in order to pass this one off as a legitimate plugin, which is probably how it escaped the attention of online scanners.

Of course, that wasn’t the case as people soon realized something was amiss. Upon inspection, they soon identified a number of suspicious files along with a base64 encoded PHP request that led to the infection.

X-WP-SPAM-SHIELD-PRO

The most recent case of a fake WordPress plugin is a truly horrifying one. Enter: X-WP-SPAM-SHIELD-PRO. For all intents and purposes, this appeared to be a well-coded security plugin for WordPress. It even had folder structures resembling that of a normal and safe plugin. But once Sucuri got their hands on it–as well as some sites infected by it–they noticed major issues with the code.

Here’s just a taste of what this one went after:

  • The current WordPress version.
  • A list of all plugins installed on the website.
  • A list of the site’s admin users.
  • The name of logged-in users, their passwords, as well as IP addresses, among other sensitive details.

Once it had all that information, it had the power to:

  • Add a new admin user, giving himself/herself the ability to roam freely around the site.
  • Deactivate any plugin used on the site, including security plugins.
  • Upload any file to the site.
  • Receive a notification whenever someone installed the plugin, so they would know the moment they had full access to tear it down.

Scary stuff.

So, let’s take a look at what you can do to prevent your WordPress sites from fake plugins.

9 WordPress Plugin Best Practices to Keep Hackers At Bay

Now that you know what hackers are looking to do with fake plugins, it’s your job to make sure you don’t fall into their traps. Here are 9 WordPress plugin best practices you should adhere to going forward:

1. Review the Plugin for Overall Quality Control
If you find a WordPress plugin you want to use and it’s located in the WordPress repository or another trusted source for WordPress plugins (like CodeCanyon) , review it extensively.

Fake WordPress Plugins - Plugin Review Example
A breakdown of how to use the WordPress repository details to analyze a plugin.

Here’s what you need to look for:

  1. First and foremost, the reputation of the plugin developer. If you don’t recognize them, do your research to verify their credibility.
  2. Frequency of updates also matters as a website that goes untouched or unmaintained for more than a few months can be a serious sign of trouble; maybe not that it’s a fake, but that it’s abandoned and has no support available.
  3. You can usually tell a lot about the quality of a plugin based on how many people use it. I’d say that more than a few thousand is a safe number you can trust.
  4. The ratings go hand-in-hand with the number of users. A score below 4.5 should have you asking “Why?”
  5. Finally, you should explore the actual comments users left when they rated the plugin. This will give you a better look at recurring issues with the plugin. Any notes on security and you should ditch the plugin immediately.

If you find a plugin outside of the standard, reliable WordPress resources, then you’ll need to do research outside of them. A Google search is a good place to start as are WordPress forums. They’ll give you an idea of what sort of complaints or problems other users have run into.

2. Review the Code
The first thing you should do before installing a new plugin is inspect the file structure and make sure it looks legit. If it passes inspection, you can then take a closer look at the code. Even if you’re not a plugin developer, you’ll be able to spot potential issues with coding in the plugin’s files if you look close enough. If there are calls for sensitive information which do not belong there, then you’ll know something’s up.

3. Review Your Theme
Have you heard of the TimThumb or Slider Revolution exploits? While these weren’t cases of fake plugins, their vulnerabilities were able to slip through the cracks because of how they were used.

Some WordPress themes will include a bundled set of plugins within them. This may seem convenient to have all that built-in functionality ready to go, but it can pose serious problems if the theme developer does not stay attuned of plugin security exploits and issue updates of them to users.

So, do yourself a favor, and review your theme to see if it includes any plugins within it. TimThumb, Slider Revolution, and Gravity Forms are three of the most problematic plugins when left un-updated, so those will be your first red flags. In general, though, it’s a good idea to know what you’ve got in there in case a new exploit or fake plugin is detected.

4. Use a Vulnerability Scanner
A vulnerability scanner might not be able to catch a fake plugin for what it is, but it will definitely let you know when malware, spam, or some other infection is detected.

5. Use a Security Plugin

Fake WordPress Plugins - Defender Plugin for security
The Defender security plugin from WPMU DEV.

Security plugins have a number of responsibilities on your site; one of them being to inform you when plugins are removed from the WordPress repository or have otherwise been flagged.

6. Manage and Maintain Your Plugins
If only plugins were a one-and-done kind of thing. Unfortunately, these helpful WordPress assistants need regular attention and love. Here is what you can do to properly manage and maintain your list:

  • Keep all of your plugins (as well as the WordPress core and your theme) up-to-date.
  • Delete any old or unused plugins.
  • Immediately toss out any fake WordPress plugins or those with serious underlying security or performance issues. Reference this list from SiteLock to see if you have any right now.

7. Review Your Site After Plugin Installation
Any time you install a new plugin or issue an update to one, be sure to review the live website. Many users weren’t even aware they had fake plugins installed until they noticed spam ads popping up on their blog.

8. Use the WPScan Vulnerability Database

Fake WordPress Plugins - WPScan Vulnerability Database
A glance into the WPScan Vulnerability Database.

This online tracker keeps a running list of detected vulnerabilities in WordPress, plugins, and themes. If you’re concerned that a plugin you’re using may have problems, use this as a reference point. As a matter of fact, subscribe to their alerts so you’ll always know going forward when an issue has been flagged in WordPress.

9. Trust Only the Best
When in doubt, source your WordPress plugins only from the best. If you’re worried this will take up more of your time as you scour the repository and CodeCanyon for well-reputed developers, don’t be. WPMU DEV offers a cache of plugins that cover nearly all the bases you’d need for a high-performance site.

Wrapping Up

Even with the strictest security standards in place, hackers will find a way to exploit known WordPress vulnerabilities. Unfortunately, one of those weaknesses is our reliance on plugins to handle a good portion of work on our behalf.

That’s of course not to say that you should stop using WordPress plugins. It simply means you need to be more vigilant and also a bit wary when deciding which plugins to use on your WordPress site. So long as you adhere to plugin best practices and trust only well-known and thoroughly vetted third parties to provide your site with enhanced features and functionalities, you should find that fake plugins are of little concern to you.

Suzanne Scacca
Have you ever encountered a fake plugin in your travels through the WordPress plugin repository or anywhere else on the web?