Comprehensive List of Known Fake and Malicious WordPress Plugins

WordPress security remains a critical concern for website owners, and one of the most insidious threats comes from fake and malicious plugins. These harmful plugins are designed to compromise your website’s security, steal sensitive data, or inject backdoors that give attackers unauthorized access to your site.

Important Warning: The plugins listed below are NOT available in the official WordPress repository and should never be installed on your website. These plugins have been identified by security researchers as containing malicious code and are used by cybercriminals to compromise WordPress installations.

How These Malicious Plugins Work

Fake WordPress plugins typically employ several malicious techniques:

• Backdoor Installation: Creating unauthorized admin accounts or hidden access points
• Data Exfiltration: Stealing admin credentials, user data, or sensitive information
• Malicious Redirects: Redirecting visitors to scam sites or installing malware
• Code Injection: Injecting harmful JavaScript or PHP code into your website
• Plugin Enumeration: Scanning and potentially disabling legitimate security plugins

Complete List of Known Malicious WordPress Plugins

Below is a comprehensive table of identified fake and malicious WordPress plugins. Each entry includes the plugin name and a description of its malicious behavior:

Plugin Name	Description / Campaign
pluginmonsters / pluginsamonsters	Backdoor plugin hiding itself via all_plugins hook
ls-oembed	Companion fake plugin to PluginMonsters, includes uploader
universal-popup-plugin-v133	Delivers deceptive “fix it” pop-ups to install Trojan
wp-runtime-cache	Caching plugin that steals admin credentials via POST
WP-antymalwary-bot.php	Fake security plugin enabling remote admin access
addons.php	Variant name for WP-antymalwary-bot campaign
wpconsole.php	Variant name for WP-antymalwary-bot campaign
wp-performance-booster.php	Variant name for WP-antymalwary-bot campaign
scr.php	Variant name for WP-antymalwary-bot campaign
Admin Bar Customizer	ClickFix fake plugin; injects malicious JS from abc-script.js
Advanced User Manager	ClickFix fake plugin; injects malicious JS from aum-script.js
Advanced Widget Manager	ClickFix fake plugin; injects malicious JS from awm-script.js
Content Blocker	ClickFix fake plugin; injects malicious JS from cb-script.js
Custom CSS Injector	ClickFix fake plugin; injects malicious JS from cci-script.js
Custom Footer Generator	ClickFix fake plugin; injects malicious JS from cfg-script.js
Custom Login Styler	ClickFix fake plugin; injects malicious JS from cls-script.js
Dynamic Sidebar Manager	ClickFix fake plugin; injects malicious JS from dsm-script.js
Easy Themes Manager	ClickFix fake plugin; injects malicious JS from script.js
Form Builder Pro	ClickFix fake plugin; injects malicious JS from fbp-script.js
Quick Cache Cleaner	ClickFix fake plugin; injects malicious JS from qcc-script.js
Responsive Menu Builder	ClickFix fake plugin; injects malicious JS from rmb-script.js
SEO Optimizer Pro	ClickFix fake plugin; injects malicious JS from sop-script.js
Simple Post Enhancer	ClickFix fake plugin; injects malicious JS from spe-script.js
Social Media Integrator	ClickFix fake plugin; injects malicious JS from smi-script.js
X-WP-SPAM-SHIELD-PRO	Fake anti-spam plugin that enumerates/disables plugins
wpyii2	Bogus Yii integration plugin; header spoofing backdoor
M-Shield / kingof	Fake malware dropper masquerading as plugin “M-Shield”
instigators (e.g., initiatorseo)	Fake UpdraftPlus-style backdoor uploader
php-ini.php	Fake plugin that creates hidden admin user “mr_administartor”
wp-base-seo	Forgery of WordPress SEO Tools; base64-encoded backdoor
popuplink.js (index / wp_update)	Redirects to scam sites via JS loaded from fake plugin

Protection Strategies

To protect your WordPress website from malicious plugins, follow these essential security practices:

1. Only Install Plugins from Official Sources

Always download plugins from the official WordPress Plugin Repository or directly from reputable developers’ official websites. Avoid downloading plugins from third-party sites, especially those offering “premium” plugins for free.

2. Regular Security Scans

Implement regular security scanning using trusted WordPress security plugins like Wordfence, Sucuri, or MalCare. These tools can detect and alert you to suspicious plugin activity.

3. Keep Everything Updated

Regularly update WordPress core, themes, and plugins. Security patches often address vulnerabilities that malicious plugins exploit.

4. Monitor User Accounts

Regularly review your WordPress admin users. Remove any unauthorized accounts and be suspicious of users with names like “mr_administartor” or other unusual variations.

5. File Integrity Monitoring

Use security plugins that monitor file changes and alert you to unauthorized modifications to your WordPress installation.

What to Do If You’ve Installed a Malicious Plugin

If you suspect you’ve installed one of these malicious plugins:

1. Immediately deactivate and delete the plugin from your WordPress admin panel
2. Change all passwords for admin accounts, hosting, and database access
3. Run a comprehensive security scan using a trusted security plugin
4. Check for unauthorized admin users and remove any suspicious accounts
5. Review recent file changes and restore from clean backups if necessary
6. Consider hiring a WordPress security expert for thorough cleanup if the infection is severe

Conclusion

WordPress security is an ongoing responsibility that requires vigilance and proactive measures. By staying informed about known malicious plugins and following security best practices, you can significantly reduce your website’s vulnerability to these threats.

Remember: when in doubt about a plugin’s legitimacy, it’s always better to err on the side of caution. The convenience of a questionable plugin is never worth the risk of compromising your entire website and your visitors’ safety.

Stay safe, stay updated, and always verify the source of any plugin before installation.