What to do when one of your WordPress plugins gets compromised

There are over a billion websites. It’s much easier for hackers to exploit a single vulnerable resource that connects to countless websites than to go after them one at a time. This is why WordPress plugins are a popular way in which hackers break into websites.

So, let’s talk about what happens when one of your installed WordPress plugins is compromised. We’ll look at:

  • Some recent examples of hacked plugins.
  • The ramifications of having one of them on your website.
  • What steps you can take to re-secure your site and reduce the chances of your site being infected or exploited again.

The far-reaching effects of a WordPress plugin breach

Here are some examples of hacked plugins from 2024 and the wide-ranging impact they had on the WordPress community. 

The Social Warfare supply chain attack

In June 2024, it was discovered that a supply chain attack breached not one, but nine WordPress plugins. 

The malware distributed during this supply chain attack did a number of things to websites with these plugins installed. 

For starters, it added a new admin account to the website, which gave the attacker full control. Also, it added malicious JavaScript to the footer, which distributed SEO spam throughout each site. 

On June 22, 2024, the WordPress plugin review team posted a message to the board of the Social Warfare social media sharing plugin. It read:

“The WordPress.org Plugin Review Team was notified that a malicious actor had taken over Social Sharing Plugin – Social Warfare. As a result, versions 4.4.6.4 to 4.4.7.1 of the plugin created users with administrative privileges.

The Plugin Review Team has disabled it and released a ‘clean’ updated version: 4.4.7.3. Please update immediately.

If you have used versions 4.4.6.4 to 4.4.7.1 of the Social Warfare plugin, we strongly recommend you do an in-depth review of your site’s activity and user account details.”

This alert caught the attention of Wordfence two days later. The team analyzed the infected file and checked it against their Threat Intelligence platform. They discovered that four other WordPress plugins contained the same malicious code: 

  • Blaze Widget
  • Wrapper Link Element 
  • Contact Form 7 Multi-Step Addon 
  • Simply Show Hooks

That wasn’t the end of this saga. On June 28, Wordfence discovered four more compromised plugins:

  • WP Server Health Stats
  • Ad Invalid Click Protector (AICP)
  • PowerPress Podcasting plugin by Blubrry (powerpress)
  • Seo Optimized Images (seo-optimized-images)

Unlike Social Warfare, which was patched, some of these plugins have been delisted. For instance, this is what the plugin page looks like for Blaze Widget:

Screenshot from the WordPress.org plugin repository for the unlisted blaze-widget plugin

There’s a warning at the top of the screen that reads: 

“This plugin has been closed as of June 24, 2024 and is not available for download. This closure is permanent. Reason: Security Issue.”

Although you can still see these plugin pages in the repository, no one will be able to install or use them in the future.

The Really Simple Security critical authentication bypass vulnerability

Unlike the supply chain attack, which didn’t impact any super popular plugins, the Really Simple Security plugin exploit affected over 4 million websites. Yikes.

Screenshot from the WordPress.org Really Simple Security plugin page showing that there are over 4 million users

On November 6, 2024, Wordfence discovered the critical authentication bypass vulnerability.

It gave the hacker the ability to access and exploit any user’s account (including the admin’s) when Really Simple Security’s two-factor authentication was enabled. 

Wordfence contacted the plugin author the same day and received a response on November 7. The patched update was released to Pro users on November 12 and to Free users on November 14. In conjunction with WordPress, they attempted to force-install the critical update on every site that had the vulnerable version of the plugin. 

In addition, the author emailed its users early on the morning of November:

Email from Really Simple Security sent to plugin users to inform them of the security vulnerability

This type of swift and widespread response was critical, considering the threat level of this particular exploit. 

Although WordPress has long been able to force critical security updates like this one, it doesn’t always work as intended. 

In fact, I learned about this attack because one of my WordPress students received the email above. When we went into her site, I saw that she still had the vulnerable version of the plugin installed. For some reason, the force-patch didn’t work. To make matters worse, her web developer was unaware of the vulnerability, too. So, it was this email that brought her attention to the matter.

When and why WordPress plugins become a problem: The facts

According to Patchstack’s State of WordPress Security in 2024, 97% of the WordPress software vulnerabilities they discovered were attributed to plugins. WordPress themes accounted for 3% and the WordPress core for 0.2%.

Donut chart generated from data collected by Patchstack. It shows that plugins account for 97%, themes for 3%, and WordPress core code for 0.2% of WordPress software vulnerabilities.

This doesn’t mean that WordPress plugins are generally unsafe to use. Nor does it mean that having a vulnerable plugin installed automatically means your website has been infected.

Most plugin authors do a great job of monitoring their software, removing bugs and malware, and quickly sending patches out to end users via updates. However, unless those updates are set to apply automatically on every WordPress website, the gap between a patch being released and it being installed is where the problem lies.

According to Patchstack:

42% of WordPress sites in 2023 had at least one vulnerable piece of software installed

So, running outdated versions of WordPress plugins is a problem. But that’s not all. Abandoned plugins are hugely problematic as well. 

According to WPScan’s 2024 Website Threat Report, WPScan informed WordPress about 827 plugins and themes that had been abandoned by their developers. Only 58.16% of them were permanently removed from the repository on wordpress.org. What’s more, many of those that remained contained vulnerabilities. 

As the report notes: 

“We reported 404 of those plugins in a single day to draw attention to the ‘zombie plugin pandemic’ in WordPress. Such ‘zombie’ plugins are components that seem safe and up-to-date at first glance, but may contain unpatched security issues. Furthermore, such plugins remain active on user sites even if they are removed from the WordPress plugins repository.”

As a result, this puts a lot of the responsibility of ensuring plugin integrity on website designers, developers, and owners. 

Given how pervasive this issue is, unpatched, unmanaged, and abandoned WordPress plugins create tons of work and headaches for web developers and designers. Not only do they force you to drop everything to manage the plugin patch and website repair, but they can put you in a tenuous position with the website owner (i.e. your client or employer). 

Because, let’s face it, they’re not going to get mad that a plugin was poorly coded or managed. They’re going to care that you vetted it and then used it on their site. They’re especially going to care if their website is defaced, taken offline, or blacklisted as a result. And they’re going to be even more irate if their end users’ private data is stolen and exploited. 

What to do if one of your WordPress plugins is compromised

WordPress plugins are not the problem. We’re able to accomplish incredible things in web design and development—and easily, too—thanks to plugins. 

The problem is that WordPress is the most popular content management system in the world.

Owing to WordPress’ widespread use, its vulnerabilities are well-known to bad actors. All it takes is one small misstep when coding a plugin to let one of them in. Or for a plugin to go unmanaged for so long that someone with bad intentions finally manages a way to exploit it. 

As someone who uses WordPress plugins, you can’t stress about that. Instead, what you need to focus on is what to do if or when one of your installed plugins has been compromised:

Step 1: Review the vulnerability report

If you learn that one of the plugins you use has a vulnerability, see if you can find information on what it is and how it works. 

Your plugin author may send you a notice (as Really Simple Security did) explaining the incident. It’s also a good idea to refer to WordPress security sources like Patchstack, WPScan, and Wordfence which regularly monitor and report on vulnerabilities. 

For example, Wordfence regularly updates its vulnerability database and organizes it by plugins, themes, and core:

A look at Wordfence’s WordPress plugin vulnerability database

By educating yourself on the nature of the vulnerability, you’ll know what to look for when cleaning up and repairing your website. 

Step 2: Update the plugin in question

Unless a WordPress plugin has been abandoned, the plugin author should have a patch ready soon after the vulnerability is detected. 

While WordPress has had the ability to force a critical security update since around 2015, it isn’t always a foolproof method (as evidenced by my student’s website). 

If you don’t have automated plugin updates set up, then you’ll need to log into WordPress and manually push through the patch as soon as it’s available. It’s a good idea to log in and confirm it happened regardless.

For reference, you can enable auto-updates from the WordPress Plugins screen. There’s a button that appears directly to the right of your plugins that looks like this:


Step 3: Find an alternative (optional)

Depending on the severity of the vulnerability or the history you have with the plugin, you might decide it’s best to deactivate and delete it altogether. 

If that’s the case, go to your preferred plugin repository, like WordPress.org or CodeCanyon. 

There are certain things to look for when vetting WordPress plugins. For instance, Simply Show Hooks was one of the impacted plugins in the supply chain attack.

In this screenshot of the simply-show-hooks plugin page on WordPress.org, we see that the plugin was last updated 8 years ago

The red warning at the top of the page is a clear sign to stay away. However, if you look at the data on the right, there are a couple more red flags. 

For instance, the last time the plugin was updated was 8 years ago. Also, it was only tested up to WordPress version 4.6.29. We’re currently at 6.7.1.

If you’re purchasing premium WordPress plugins from CodeCanyon, there are other things to look for. Let’s look at this example of Filter Everything:

A look at the CodeCanyon page for the Filter Everything plugin, with the parts of the page highlighted where users learn whether they can trust the plugin’s integrity.

Here’s what you should pay attention to: 

Reviews and Comments: The overall rating is important as it tells you a lot about the quality of the plugin and support provided. However, you can also search the Comments for keywords like “security” and “vulnerability” to see if there have been issues in the past and to see how they were handled.

Live Preview: Take a look at how the landing page or the plugin demo work. If the page is broken or severely outdated, then that’s a good sign to stay away.

“Quality checked by Envato”: In the licensing/pricing box in the top-right, you’ll see this notice. Having Envato’s seal of approval on a plugin is a must.

Author Status: On the right, you’ll not only see the author’s status, but also their accolades. For instance, Stepasyuk has the following: 

  • Elite Author
  • Featured Item
  • Top Monthly Author
  • Trendsetter
  • Weekly Top Seller
  • Author Level 9
  • Collector Level 1
  • Exclusive Author
  • 11 Years of Membership

If you want to know if you can trust the integrity of the plugin and author, this section will provide you with proof.

Last Update: The last bit of info to check out is the last plugin update date. Ideally, it should be within the last three months. Six months maximum.
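The WordPress.org checks above (last update date, tested-up-to version, closed status) can be scripted so you can review a whole list of candidate plugins at once. The following is an added example, not code from the article or from WordPress.org. Its record layout mirrors the public plugin-info API (api.wordpress.org/plugins/info/1.2/), which returns `last_updated` and `tested` for listed plugins and `"error": "closed"` plus a `reason_text` for closed ones; the sample records here are constructed to match the cases discussed in the text, not fetched. The six-month limit is the article’s CodeCanyon rule applied to WordPress.org plugins as well.

```python
"""Vet WordPress.org plugin metadata for the red flags described in Step 3.

Added example; not code from the article or from WordPress.org. Records
mirror the plugin-info API shape, but the samples below are constructed.
"""
from datetime import date, datetime

CURRENT_WP = "6.7.1"        # WordPress version cited in the article
MAX_AGE_DAYS = 180          # the article's six-month maximum since the last update
TODAY = date(2024, 12, 1)   # constructed reference date for the samples


def parse_version(text):
    """'4.6.29' -> (4, 6, 29); non-numeric characters in a component are ignored."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def vet_plugin(info, today):
    """Return a list of red-flag descriptions; an empty list means none were found."""
    flags = []
    if info.get("error") == "closed":
        # A closed plugin cannot be installed again and should be replaced where present.
        flags.append("closed on WordPress.org: %s" % info.get("reason_text", "reason not given"))
        return flags
    # The API's last_updated starts with 'YYYY-MM-DD'; only the date part is needed.
    last_update = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()
    age_days = (today - last_update).days
    if age_days > MAX_AGE_DAYS:
        flags.append("last updated %d days ago (limit %d)" % (age_days, MAX_AGE_DAYS))
    tested = parse_version(info.get("tested", "0"))
    current = parse_version(CURRENT_WP)
    # Compare major.minor only, since WordPress point releases (x.y.z) are bug-fix releases.
    if tested[:2] < current[:2]:
        flags.append("tested only up to WordPress %s; current is %s" % (info.get("tested"), CURRENT_WP))
    return flags


def vet_all(records, today):
    """Map each slug to its red flags so a candidate list can be reviewed in one pass."""
    return {slug: vet_plugin(info, today) for slug, info in records.items()}


# Constructed sample records; values chosen to match the cases in the article.
SAMPLE_RECORDS = {
    "simply-show-hooks": {"last_updated": "2016-09-01 10:00am GMT", "tested": "4.6.29"},
    "blaze-widget": {"error": "closed", "closed_date": "2024-06-24", "reason_text": "Security Issue"},
    "well-maintained-example": {"last_updated": "2024-11-20 2:30pm GMT", "tested": "6.7.1"},
}

if __name__ == "__main__":
    for slug, flags in vet_all(SAMPLE_RECORDS, TODAY).items():
        print(slug, "->", flags or ["no red flags"])
```

To use it against real data, fetch each slug’s record from the plugin-info API and pass the parsed JSON to `vet_plugin` with today’s date; the CodeCanyon criteria (reviews, live preview, Envato quality check, author status) remain a manual check.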

Step 4: Perform a security scan and cleanup

“Website owners are often averse to taking all the necessary post-infection steps, but if measures aren’t taken the attackers are likely to return.”

Updating an insecure plugin is an essential step. But even if your website seems fine, post-incident steps are necessary, too. 

Start by visiting your website. Go through as many pages as you can (including the page source code where possible) and see if you spot any differences. Malware can take lots of forms, including SEO spam, redirects, defacing, code comments, or even the white screen of death. They’re not always obvious, but some you can spot on your own.

Next, do a security scan. Most WordPress security plugins have them. Not only can they tell you if malware is detected, but they often have a log containing recent file changes. If anything there looks suspicious, dig into it. 

Also, review your list of administrative users. Any that weren’t there before the incident or that you don’t recognize should be followed up on or deleted. 

You’ll want to remove unauthorized user access as well as to delete any malicious code and content injected into your site. If you’re not able to do that easily enough, consider rolling back your website to before the security breach date. You can do this with the help of a WordPress backup plugin or with any backups saved by your web hosting service.
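Two of the Step 4 checks lend themselves to a script: comparing today’s administrator list with a baseline exported before the incident, and listing the third-party hosts that a page’s `<script src>` tags load from (the supply chain attack above injected JavaScript into the footer). This is an added example, not code from the article. The user JSON is constructed to resemble `wp user list --role=administrator --format=json` output, and the HTML is a constructed page with an obviously placeholder host; in practice you would keep the baseline export from before the incident and fetch the HTML from the live site.

```python
"""Post-incident checks from Step 4: unexpected administrators and unknown script hosts.

Added example, not code from the article. Inputs below are constructed samples.
"""
import json
import re
from urllib.parse import urlparse

# Constructed: the administrator export taken before the incident, and the one taken now.
BASELINE_ADMINS_JSON = (
    '[{"ID":1,"user_login":"siteowner","user_email":"owner@example.com",'
    '"user_registered":"2021-03-04 09:12:00"}]'
)
CURRENT_ADMINS_JSON = (
    '[{"ID":1,"user_login":"siteowner","user_email":"owner@example.com",'
    '"user_registered":"2021-03-04 09:12:00"},'
    '{"ID":57,"user_login":"wpupdates","user_email":"noreply@example.invalid",'
    '"user_registered":"2024-06-21 03:41:18"}]'
)


def unexpected_admins(baseline_json, current_json):
    """Administrators present now that were not in the baseline export (matched by ID and login)."""
    baseline = {(u["ID"], u["user_login"]) for u in json.loads(baseline_json)}
    return [u for u in json.loads(current_json) if (u["ID"], u["user_login"]) not in baseline]


# Matches the src attribute of <script> tags, with either quote style.
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def external_script_hosts(html, own_hosts):
    """Hosts of <script src> tags that are neither relative paths nor in own_hosts."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src.strip()).netloc.lower()  # '' for relative paths such as /wp-includes/...
        if host and host not in own_hosts and host not in found:
            found.append(host)
    return found


# Constructed page: two legitimate scripts plus one injected into the footer (placeholder host).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://www.example.com/wp-content/themes/demo/app.js"></script>
</head><body><p>Hello</p>
<script type='text/javascript' src='//static.unknown-cdn.invalid/t.js'></script>
</body></html>"""


def post_incident_report(baseline_json, current_json, html, own_hosts):
    """Combine both checks into one report to review (and act on) after an incident."""
    return {
        "unexpected_admins": [u["user_login"] for u in unexpected_admins(baseline_json, current_json)],
        "external_script_hosts": external_script_hosts(html, own_hosts),
    }


if __name__ == "__main__":
    report = post_incident_report(BASELINE_ADMINS_JSON, CURRENT_ADMINS_JSON, SAMPLE_HTML, {"www.example.com"})
    print(json.dumps(report, indent=2))
```

Any host the report lists that you did not add yourself (an analytics or CDN provider you use would go in `own_hosts`) is worth tracing back to the file or database row that inserts it, and any administrator it lists should be investigated before it is removed, as the text advises.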

Step 5: Create a stronger plugin management process

To reduce the chances of another vulnerable plugin threatening your site or wreaking havoc on your workload, put a plugin auditing and management system into place. Here are some things to include: 

  • Use a WordPress security plugin to fortify your site from within.
  • Take advantage of your web host’s security features, including security scanners.
  • Only install trusted, well-rated, and regularly maintained plugins.
  • Automate updates for WordPress plugins you know you can trust.
  • Log into your site and check on available updates every few days (at least).
  • Back up your website before every major update.
  • Audit your plugin list every three to six months.
  • Delete unused plugins along with any data they stored on your server.
  • Watch for outdated or abandoned plugin warnings and find suitable replacements ASAP.

It’s also a good idea to subscribe to at least one WordPress security blog, like Sucuri and Wordfence. Also, WordPress state-of-security reports (like the ones mentioned earlier in this post) are important reads. This way, you’ll be aware of common threats, know when one of your plugins has been hacked, and know which plugins to avoid as you look for new ones to try.

Conclusion

Knowing how vulnerable WordPress plugins can be to attack, there are certain steps you can take to ensure your website and end users aren’t seriously impacted if one of the plugins you use gets exploited. 

In addition to being more mindful about which plugins you install and keeping them updated, it’s a good idea to make security a priority in general when working with WordPress. 

For reference, while WordPress plugins are responsible for 97% of software-based vulnerabilities, Sucuri found that only 36% of the compromised websites they discovered in 2022 had a vulnerable theme or plugin installed. So, securing your site from as many angles as possible is a must.

Here’s some further reading with best practices to help you keep your WordPress website secure:
