Hidden WordPress Plugins Running In the Background

When looking at the WordPress plugin page /wp-admin/plugins.php you’d assume you’re seeing all of your plugins. Well, that’s not always true. Some active plugins take extra effort to hide themselves from /wp-admin/ and also WP-CLI. Let’s look at a few examples of these sneaky plugins.

Typically, the WordPress backend shows “all” plugins.

Detecting hidden plugins over SSH with WP-CLI

The following bash script compares the number of active plugins reported by a regular WP-CLI request against the number reported when all theme and plugin code is skipped (--skip-themes --skip-plugins), so that no regular plugin or theme gets the chance to filter the list. If the counts differ, it reports the plugin names that appear in only one of the two lists.

# Plugins as reported while plugin and theme code is loaded (a hiding plugin can filter this list)
active_plugins=( $( wp plugin list --field=name --status=active ) )
# Plugins as reported with plugin and theme code skipped, so regular plugins and themes cannot
# filter the result (note: mu-plugins are still loaded by WP-CLI even with --skip-plugins)
active_plugins_raw=( $( wp plugin list --field=name --status=active --skip-themes --skip-plugins ) )

# Compare plugin count and report when different
if [[ "${#active_plugins[@]}" != "${#active_plugins_raw[@]}" ]]; then
    # Names present in only one of the two lists are the hidden plugins
    diff=$( echo "${active_plugins[@]}" "${active_plugins_raw[@]}" | tr ' ' '\n' | sort | uniq -u )
    echo "$( wp option get home ) shows ${#active_plugins[@]} plugins active when really there are ${#active_plugins_raw[@]} plugins active. Found culprits: $diff"
fi
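As an added example (not the post's own script), the same check written as a set comparison rather than a count comparison: it names every plugin that appears only in the raw (--skip-plugins --skip-themes) list, which also catches the case where the two lists happen to have the same length but different members. The WP-CLI calls are replaced by constructed sample lists so it runs offline; the site URL and plugin slugs are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh; the two lists would
# normally be produced by WP-CLI, here they are constructed sample data.

# hidden_plugins VISIBLE RAW
#   VISIBLE and RAW are newline-separated plugin slugs, i.e. the output of
#   `wp plugin list --field=name --status=active` with and without
#   --skip-plugins --skip-themes. Prints every slug found only in RAW.
#   grep -Fx matches whole lines literally, so slugs with dots or dashes are safe.
hidden_plugins() {
    hp_visible="$1"
    hp_raw="$2"
    printf '%s\n' "$hp_raw" | while IFS= read -r slug; do
        [ -n "$slug" ] || continue
        if ! printf '%s\n' "$hp_visible" | grep -Fxq -- "$slug"; then
            printf '%s\n' "$slug"
        fi
    done
}

# count_lines LIST: number of non-empty lines in a newline-separated list
count_lines() {
    printf '%s\n' "$1" | sed '/^$/d' | wc -l | tr -d ' '
}

# report_hidden SITE VISIBLE RAW
#   Prints a one-line report when RAW contains plugins that VISIBLE lacks,
#   prints nothing when the two lists agree.
report_hidden() {
    rh_site="$1"
    rh_hidden=$(hidden_plugins "$2" "$3")
    [ -n "$rh_hidden" ] || return 0
    printf '%s shows %s plugins active when really there are %s plugins active. Found culprits: %s\n' \
        "$rh_site" "$(count_lines "$2")" "$(count_lines "$3")" \
        "$(printf '%s' "$rh_hidden" | tr '\n' ' ')"
}

# In a real run these would come from WP-CLI over SSH:
#   VISIBLE=$(wp plugin list --field=name --status=active)
#   RAW=$(wp plugin list --field=name --status=active --skip-plugins --skip-themes)
#   SITE=$(wp option get home)
# Constructed sample output standing in for that (slugs and URL are made up):
VISIBLE_SAMPLE='akismet
wordpress-seo'
RAW_SAMPLE='akismet
wordpress-seo
worker'

report_hidden "https://example.com" "$VISIBLE_SAMPLE" "$RAW_SAMPLE"
```

The functions take the lists as arguments rather than calling `wp` themselves, so the same logic can be pointed at saved output from several sites, or run from a monitoring job that already has both lists on hand.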

Common offenders include management plugins and white-labeling solutions; however, the same technique is also used by malicious plugins.

The two most common plugins I found were autoupdater and worker. The autoupdater plugin is Flywheel’s Managed Plugin Updates and worker is ManageWP. ManageWP isn’t always hidden, so I suspect that happens when their white-labeling feature is used. I’ve also noticed a number of child themes include a hidden plugin which handles additional white labeling.

Recently I was cleaning a customer’s website of malware when I came upon these hidden plugins. My monitor alerted me to an issue with a plugin. When I checked both the WordPress admin and WP-CLI, the plugin didn’t show. Then running wp plugin list --skip-plugins revealed the missing plugin. The plugin was malware and was avoiding detection.

You cannot do much to stop a plugin from hiding itself; WordPress is open and you, the developer, have lots of power. This is just another trick to be aware of, especially when removing malware from a WordPress website.