When looking at the WordPress plugin page /wp-admin/plugins.php you’d assume you’re seeing all of your plugins. Well, that’s not always true. Some active plugins take extra effort to hide themselves from /wp-admin/ and also from WP-CLI. Let’s look at a few examples of these sneaky plugins.
Detecting hidden plugins over SSH with WP-CLI
The following bash script compares the number of active plugins reported by a regular WP-CLI request against a second request run with all plugins and themes skipped (--skip-plugins --skip-themes), so no plugin or theme code is loaded that could alter the list. If the two counts differ, it reports which plugin names appear in only one of the lists.
#!/usr/bin/env bash
# Active plugins as reported with plugin and theme code loaded (a hiding plugin can tamper with this list)
mapfile -t active_plugins < <( wp plugin list --field=name --status=active )
# Active plugins as reported with every plugin and theme skipped, so nothing can tamper with this list
mapfile -t active_plugins_raw < <( wp plugin list --field=name --status=active --skip-themes --skip-plugins )
# Compare plugin count and report when different
if [[ "${#active_plugins[@]}" != "${#active_plugins_raw[@]}" ]]; then
    # Names present in only one of the two lists are the ones being hidden
    hidden=$( printf '%s\n' "${active_plugins[@]}" "${active_plugins_raw[@]}" | sort | uniq -u )
    echo "$( wp option get home ) shows ${#active_plugins[@]} plugins active when really there are ${#active_plugins_raw[@]} plugins active. Found culprits: $hidden"
fi
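The bash script above only triggers when the two counts differ. The following Python script is an added example, not part of the original post, that generalises the same check by comparing the JSON output of the two WP-CLI invocations (wp plugin list --format=json) record by record. It reports plugins that only appear when plugin and theme code is skipped (hidden), plugins that only appear when it is loaded (phantom), and plugins present in both lists but reporting a different status in each. The sample JSON below is constructed for illustration; the wp_plugin_list_json helper that shells out to WP-CLI is an assumption about how you would feed it real data and is not exercised offline.

```python
import json
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample data in the shape of `wp plugin list --format=json`
# (fields: name, status, update, version). Not taken from a real site.
SAMPLE_VISIBLE = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "worker", "status": "inactive", "update": "none", "version": "4.9.8"},
])
SAMPLE_RAW = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "worker", "status": "active", "update": "none", "version": "4.9.8"},
    {"name": "autoupdater", "status": "active", "update": "none", "version": "1.0"},
])


def wp_plugin_list_json(skip_hooks: bool, wp_path: str = "wp") -> str:
    """Return the raw JSON text of `wp plugin list` (assumed wrapper, needs WP-CLI).

    With skip_hooks=True the --skip-plugins and --skip-themes global flags are
    passed, so no plugin or theme code is loaded before the list is produced.
    """
    cmd = [wp_path, "plugin", "list", "--format=json"]
    if skip_hooks:
        cmd += ["--skip-plugins", "--skip-themes"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


@dataclass
class PluginDiscrepancies:
    hidden: List[str] = field(default_factory=list)    # only listed with hooks skipped
    phantom: List[str] = field(default_factory=list)   # only listed with hooks loaded
    status_mismatch: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, shown, real)

    def is_clean(self) -> bool:
        return not (self.hidden or self.phantom or self.status_mismatch)


def compare_plugin_lists(visible_json: str, raw_json: str) -> PluginDiscrepancies:
    """Compare the normal listing against the --skip-plugins/--skip-themes listing.

    Unlike a plain count check this also catches a plugin that appears in both
    lists but reports a different status, and two lists of equal length where
    one name has been swapped for another.
    """
    visible = {p["name"]: p for p in json.loads(visible_json)}
    raw = {p["name"]: p for p in json.loads(raw_json)}
    result = PluginDiscrepancies()
    result.hidden = sorted(set(raw) - set(visible))
    result.phantom = sorted(set(visible) - set(raw))
    for name in sorted(set(raw) & set(visible)):
        shown, real = visible[name]["status"], raw[name]["status"]
        if shown != real:
            result.status_mismatch.append((name, shown, real))
    return result


def report(d: PluginDiscrepancies) -> str:
    """Render the discrepancies as one line per finding, suitable for a monitor."""
    lines = []
    for name in d.hidden:
        lines.append(f"HIDDEN   {name}: present only when plugin/theme code is skipped")
    for name in d.phantom:
        lines.append(f"PHANTOM  {name}: present only when plugin/theme code is loaded")
    for name, shown, real in d.status_mismatch:
        lines.append(f"STATUS   {name}: shown as {shown!r} but really {real!r}")
    return "\n".join(lines) if lines else "no discrepancies"


if __name__ == "__main__":
    # Run against the constructed sample; swap in wp_plugin_list_json(False) and
    # wp_plugin_list_json(True) to check a live site over SSH.
    print(report(compare_plugin_lists(SAMPLE_VISIBLE, SAMPLE_RAW)))
```

On the constructed sample this flags autoupdater as hidden and worker as shown inactive while really active; on a live site, run the two WP-CLI invocations from the WordPress root and pass their JSON output to compare_plugin_lists.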
Common offenders include management plugins and white labeling solutions; however, the same technique is also used by malicious plugins.
The two most common plugins I found were autoupdater and worker. The autoupdater plugin is Flywheel’s Managed Plugin Updates and worker is ManageWP. ManageWP isn’t always hidden, so I suspect that happens when using their white labeling feature. I’ve also noticed a number of child themes include a hidden plugin which also handles additional white labeling.
Recently I was cleaning a customer’s website from malware when I came upon these hidden plugins. My monitor alerted me to an issue with a plugin. When I checked both the WordPress administrator and over WP-CLI the plugin didn’t show. Then running wp plugin list --skip-plugins revealed the missing plugin. The plugin was malware and was avoiding detection.
You cannot do much to stop a plugin from hiding itself. WordPress is open and you, the developer, have lots of power. This is just another trick to be aware of, especially when removing malware from a WordPress website.