- Oct 22, 2014
- by Dave Matteson
From time to time, our support team receives the following question:
I installed a security plugin and some of my other plugins disappeared. What happened?
If you have plugins unexpectedly disappear when you are updating, deleting or adding plugins, your site has likely been compromised. This does not mean the new plugin you just added was the cause of the compromise; this simply means by modifying your plugins, WordPress has performed a basic check on all plugins that are installed and has removed any plugins that had code injected above the meta data for the plugin.
So what’s really going on when the plugins disappear?
When the plugins disappear, WordPress is just ignoring the files for missing metadata. This is usually caused by code injection near the top of the file. This is not a security feature of WordPress; Instead, it is a byproduct of WordPress requiring a specific comment at the beginning of each plugin describing things like the plugin’s name, author, copyright, and version. WordPress no longer recognizes the plugin so it effectively disappears from the wp-admin; however, the files are still in the plugin directory.
What is code injection?
Many exploits to plugins and themes in WordPress will take advantage of the fact that WordPress executes the code present in the main file of each active plugin on every page load. When infected files are executed, they will also seek out other files to compromise and very quickly every PHP file on a site will have several new lines of code in them for any number of evil reasons. The lines of code that are copied into each php file are known as injected code.
Why do hackers inject code?
Code injection is a common way hackers use WordPress to send SPAM, advertise their hacker group or to even perform a Distributed Denial of Service (DDoS) attack. The code is executed at least once on every page view of your site, causing the hack to perform its task over and over again. If the purpose of the hack is to send spam from your account: SPAM will be sent out from your site every time a user visits a page.
Why did I not know I was hacked until now?
If a hacker is using your site for evil, they generally do not want you to know that they have compromised your site. The longer a hacker can have control over your site without you knowing, the more money they can make off of having your site compromised.
Bottom Line; when you discover this problem of one or more plugin disappearing, you need to quarantine and clean the files by installing a virus scanner.