Plugins can expand your site’s functionality. However, it’s not uncommon for attackers to use these tools to inject malware or steal data. If you come across an unrecognized plugin on your site, you’ll need to take immediate steps to remove it.
The good news is that it’s easy to delete an unwanted tool and its associated malware. Once you’ve done that, you can start monitoring your plugins and limit permissions to help prevent this problem in the future.
In this article, we’ll talk about the importance of monitoring the plugins on your site. Then, we’ll go over what to do if you run into an unrecognized WordPress plugin. Let’s get to it!
Why You Should Monitor Plugins on Your Site
If your site relies on plugins to run smoothly, you’ll need to keep a close eye on them. Monitoring plugins involves the following tasks:
- Checking for updates. If you don’t update plugins periodically, your site becomes more vulnerable to attack. Plus, outdated plugins can stop working or create conflicts with other tools.
- Removing plugins you no longer use. Over time, you’ll likely stop using some of the plugins on your site. It’s important that you deactivate and delete any plugins you no longer need. This can help reduce security risks and minimize performance issues.
- Monitoring for plugins you don’t recognize. If you have a website with dozens of plugins, it’s easy to miss one or two of them. You might spot a plugin you don’t recognize, but assume that you installed it at some point in the past (or someone else did).
Running into plugins you don’t recognize is more common if there are multiple people working on your site. Depending on their user roles, they might be able to install plugins.
In this scenario, it’s easy to assume someone else installed a plugin and ignore the issue. However, it could have been added to your site by a malicious third party.
Every plugin on your website should have a clear purpose. If it doesn’t fulfill a task and there’s no clear reason for the plugin to be there, you’ll need to disable it and make sure that it hasn’t compromised your data.
How to Deal With Unrecognized WordPress Plugins (In 3 Steps)
In this tutorial, we’ll look at the safest way to deal with a plugin you don’t recognize.
If you’re confident that the plugin is safe, you can simply deactivate and uninstall it. However, if you don’t know how it ended up on your site, you’ll need to run some security checks.
Step 1: Check Your Site for Malware
Plugins infected with malware are relatively common if you venture outside official repositories such as WordPress.org. Attackers often offer premium plugins for free, which gets people to install infected files on their sites.
If you think a plugin you don’t recognize might be malicious, your first move should be to check the site for malware. There are several ways to do this in WordPress, including:
- Using a security plugin. A lot of popular security plugins include built-in malware scanners. These tools scan your site against vulnerability databases to see if there’s malware on your site.
- Scanning your website using WP-CLI. If you use WP-CLI, you can scan your site for malware by leveraging the WPScan vulnerability database.
- Using a third-party site scanner. There are free vulnerability scanners you can use simply by entering your site’s URL. These scanners typically don’t have full access to your content, but they can provide quick results.
One example of a free malware scanner you can use is Sucuri SiteCheck:
You can start by using a third-party site scanner, then move on to other options if you want to dig a little deeper. If multiple tools show that your site is clean, you can discard the possibility of malware.
Step 2: Check Your Site’s Activity Logs
After checking your site for malware, your next step is to see who installed the plugin you don’t recognize. The bad news is that WordPress doesn’t provide thorough activity logs by default.
If you’re not using an activity log plugin already, this is the right time to install one. Activity log plugins enable you to see everything that happens on your site.
Depending on the plugin, it will display information such as new posts, edits to pages, and who installed or activated which plugin (and when):
For example, Activity Log gives you control over what events you want to track. You’ll also get access to logs that cover everything that goes on in your site.
If you don’t have an activity log set up, your only way of checking who installed a plugin is to ask around. You’ll want to focus on users with roles that enable them to install plugins.
Step 3: Disable and Uninstall the Plugin
After checking if there’s malware on your site and who installed the plugin, all that’s left to do is to remove the unwanted software. However, uninstalling a plugin can inadvertently damage your site if you don’t know what it does.
If you’re certain that the plugin isn’t important to the site and it’s not powering any critical features, you can disable and uninstall it as you would any other tool:
If you’re still not sure what the plugin does or if it’s important, the safe approach is to disable it in a staging environment. This will enable you to see whether the absence of that tool will have any negative impact on your site.
If your site still works smoothly after deleting the plugin, you can push the changes live. You’ll also want to take steps to ensure that no other users can install plugins without your permission.
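The three steps above can be scripted against WP-CLI. The following is an added example, not code from the original article: it compares the live plugin list with an allow-list of plugins you know you installed, lists the users whose role lets them install plugins, and deactivates (rather than deletes) anything unrecognized so you can test the impact first. It assumes WP-CLI is installed as `wp`; the plugin slugs and CSV output are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): audit installed WordPress
# plugins against an allow-list maintained by the site owner.
# Assumes WP-CLI is available as `wp`; the sample CSV below mirrors the shape of
# `wp plugin list --format=csv --fields=name,status,version`.

# Allow-list: one plugin slug per line (constructed sample).
KNOWN_PLUGINS="akismet
wordfence
activity-log"

# Constructed sample of `wp plugin list` CSV output, used for offline runs.
SAMPLE_PLUGIN_LIST='name,status,version
akismet,active,5.3
wordfence,active,7.11.5
activity-log,active,2.11.1
wp-seo-booster,active,1.0'

# Print every plugin in the CSV ($1) whose slug is not in the allow-list ($2).
find_unrecognized() {
    printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r name status version; do
        [ -z "$name" ] && continue
        # -F: match the slug literally, -x: whole line only
        if ! printf '%s\n' "$2" | grep -qxF -- "$name"; then
            printf '%s (%s, v%s)\n' "$name" "$status" "$version"
        fi
    done
}

# Step 1/2 helper: pull the live plugin list from WP-CLI and compare it.
audit_site() {
    find_unrecognized "$(wp plugin list --format=csv --fields=name,status,version)" \
        "$KNOWN_PLUGINS"
}

# Step 2 helper: accounts that can install plugins on a single-site install.
list_plugin_installers() {
    wp user list --role=administrator --fields=user_login,user_email
}

# Step 3 helper: deactivate first; delete only after a staging check passes.
quarantine_plugin() {
    wp plugin deactivate "$1"
}

# Offline demonstration on the constructed sample data.
find_unrecognized "$SAMPLE_PLUGIN_LIST" "$KNOWN_PLUGINS"
```

To stop other users from installing plugins from the dashboard at all, `define('DISALLOW_FILE_MODS', true);` in wp-config.php disables plugin and theme installation and updates through the admin interface.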
Conclusion
Monitoring your WordPress plugins can help you ensure that nothing is amiss. For example, it helps you identify any suspicious tools on your site. Another user could have installed a plugin without your permission, making your site vulnerable to attack.
If you come across a plugin you don’t recognize, here’s what you’ll need to do:
- Check your site for malware.
- Check your site’s activity logs.
- Disable and uninstall the plugin.
Do you have any questions about what to do if you see a plugin you don’t recognize? Let us know in the comments section below!