Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious Plugins Found on 25,000 WordPress Websites: Study

Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.

Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.

An analysis of nightly backups of more than 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of these plugins (over 44,000) continue to be in use today.

Over 3,600 of the identified malicious plugins were purchased from legitimate marketplaces such as CodeCanyon, Easy Digital Downloads, and ThemeForest. The majority of these plugins did not use obfuscation to hide their malicious behavior, the academics say in a research paper.

The dataset used for the research spanned over a period of eight years, between July 2012 and July 2020, and revealed a steady increase in the number of installed malicious plugins, with the activity reaching a peak in March 2020.

According to the researchers, adversaries buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware via pirated plugins.

“While the website owners trusted the plugin ecosystem and spent a total of $7.3M on only the plugins in our dataset, we found that this trust is often broken for the attackers’ monetary gains,” the academics say.

For their analysis, the researchers built an automated framework for malicious plugin detection and tracking, called YODA, which was deployed against the dataset of 400,000 web servers belonging to customers of website backup provider CodeGuard.

Of the identified malicious plugins, more than 10,000 used webshells and code obfuscation. The researchers also identified cases of plugin-to-plugin infection, where a malicious plugin infects other plugins on the same web server, replicating its behavior.

Overall, more than 40,000 of plugin instances were infected post-deployment. In many cases, attackers abused the infrastructure to inject malicious plugins into websites, and then attempted to maintain access to the web servers.

Some of the behaviors in the identified malicious plugins were popular in late 2012, while others were introduced more recently. Regardless of age, however, the behaviors remain prevalent in present-day malicious plugins.

The researchers also discovered more than 6,000 plugins that impersonated benign plugins available through legitimate marketplaces, while offering a trial option to website owners, something that is not typically available in most paid plugin marketplaces.

The results of the analysis were reported to CodeGuard and work is underway to remediate the situation. However, the academics say that only 10% of website owners were seen attempting to clean up their installations, and more than 12% of the cleaned-up websites were reinfected.

Related: Unpatched WPBakery WordPress Plugin Vulnerability Increasingly Targeted in Attacks

Related: Exploited Vulnerability Patched in WordPress Plugin With Over 1 Million Installations

Related: Large-Scale Attack Targeting Tatsu Builder WordPress Plugin

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.