
Tidy Repo

The best & most reliable WordPress plugins

WordPress Plugins to Avoid as They Might Contain Malicious Code


Vallery Henings

August 20, 2020 (modified on May 24, 2021)


You probably already know that WordPress plugins are designed to enhance the performance of WordPress sites. Unfortunately, not all plugins can be labeled as safe, as some have reportedly been found to contain malicious code.

The presence of malware in WordPress plugins is the last thing any WordPress site owner wants to hear of or deal with, as private information or data can be easily compromised.

It is for that reason that site owners should watch out for the most vulnerable plugins as they are the easiest malware carriers. The weaknesses in these plugins are what make it easy for hackers to launch attacks on targeted sites. You can, however, keep tabs on your site’s login activity as it is one of the ways through which hackers can be detected.
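One way to keep tabs on login activity is to summarize `wp-login.php` requests from the web server's access log. The sketch below is an added example, not code from this article: the log lines are constructed samples, and the function name, flag labels and threshold are hypothetical. It assumes WordPress's usual behaviour of answering a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict

# Constructed sample lines in the common "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Aug/2020:11:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.68"
198.51.100.23 - - [20/Aug/2020:11:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.68"
198.51.100.23 - - [20/Aug/2020:11:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.68"
192.0.2.10 - - [20/Aug/2020:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Aug/2020:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Aug/2020:12:30:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize_logins(log_text, fail_threshold=3):
    """Per-IP counts of wp-login.php POSTs, with a flag for suspicious patterns."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["path"].partition("?")
        if path != "/wp-login.php" or "action=" in query:
            continue  # skip password-reset, logout and other non-login actions
        # Assumption: failed login re-renders the form (200), success redirects (302).
        if m["status"] == "302":
            stats[m["ip"]]["succeeded"] += 1
        elif m["status"] == "200":
            stats[m["ip"]]["failed"] += 1
    report = {}
    for ip, s in stats.items():
        flag = None
        if s["failed"] >= fail_threshold:
            flag = "failures-plus-success" if s["succeeded"] else "repeated-failures"
        report[ip] = {**s, "flag": flag}
    return report

if __name__ == "__main__":
    for ip, row in summarize_logins(SAMPLE_LOG).items():
        print(ip, row)
```

An address flagged `failures-plus-success` deserves the closest look, since a run of failed attempts followed by a working login is the pattern a guessed password leaves behind.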

On a positive note, you can detect malicious code in WordPress plugins by investing in antivirus software or VPNs with inbuilt malware detection features. On the VPN matter, visit this review and the Avast license activation code guide for full details on how to set up a secure VPN service.

What Do The Malicious Codes Do?


First, it is important to note that malicious code takes several forms, which are as follows:

  • SQL Injections
  • Arbitrary File Upload
  • Cross-Site Request Forgery
  • Cross-Site Scripting
  • Arbitrary File Viewing

Compromised plugin code could be used to create new user accounts, which can then be used to redirect unsuspecting users to malicious websites. Hackers could also view confidential and sensitive files and, worse, get away with it.

The code can also enable hackers to access user accounts, pose as administrators, and proceed to upload images or posts on the attacked site.


Back to WordPress plugins that could be hosting malicious code. Here is a list of some that you should avoid at all costs:

The above-mentioned are just a few among the many plugins that you should vet before installing as a WordPress extension.

These are plugins with over 1 million installations, so you can imagine how many websites end up affected by the presence of malicious code in them.

That is why you ought to do some background research before installing a WordPress plugin. Another pitfall you should avoid is that of installing WordPress plugins based on popularity as this can be misleading in terms of functionality.


Do not forget your role as a WordPress site owner in making sure that the plugins you are using are updated. Plugin developers make the effort of releasing new plugin updates from time to time which helps seal security loopholes in the vulnerable plugins. Poorly maintained plugins are a recipe for disaster.