Knowledge Base

Disappearing WordPress plugins

This article discusses why WordPress plugins may disappear from the administration page, and what to do about it.

Problem

You install, update, or delete a WordPress plugin, and then some or all of your plugins disappear from the administration page.

Cause

If this problem occurs, your WordPress site has probably been compromised. However, this does not necessarily mean that a new plugin is the cause of the compromise. Whenever you modify a plugin, WordPress performs a basic check on all installed plugins, and removes any of them that have code injected above their metadata.

Many exploits for WordPress plugins and themes take advantage of the fact that WordPress executes the code present in the main file of each active plugin. If a site is compromised and code is injected into a plugin's main file, it executes and very often injects code into any other PHP files it can find. When these infected files are executed, they also seek other files to compromise. Very quickly, every PHP file on a site can have several new lines of code for any number of malicious reasons.

Many code injection-related compromises use WordPress to send spam, advertise a hacker group, or even perform a Distributed Denial of Service (DDoS) attack. The malicious code is executed at least once on every site page view, which means the hack performs its task at least once per site visit. So if the purpose of the hack is to send spam from your account (for example), e-mail messages are sent out from your site every time a user visits a page.

The fact that WordPress removes files that have missing metadata is not a security feature; if it were, WordPress would perform this check periodically and produce a useful warning to inform you of what happened. Instead, this is just a byproduct of WordPress requiring a specific set of data in a comment at the beginning of each plugin. This metadata contains the plugin name, plugin version information, a brief description of the plugin, links to the plugin homepage, and authorship information.

Resolution

To resolve this problem, follow the procedures described in the Cleaning up after a hack section of this article.