We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality.
Malicious Plugins Sourced from UpdraftPlus
Attackers have been using different names for these fake plugins, including initiatorseo or updrat123—but any title can be used.
While their code differs in terms of variable names, the malicious plugins do share a few things in common: they possess a similar structure and header comments from the popular backup/restore plugin UpdraftPlus.
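The shared UpdraftPlus header comments give defenders something to search for. The following sketch is an added example, not code from the original post: it lists plugin directories whose header fields mention UpdraftPlus although the directory is not the genuine `updraftplus` one. It assumes the copied headers still contain the brand name, and the sample tree it builds is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from the first 8 KB of each PHP file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Plugin URI|Author|Author URI|Text Domain):(.*)$",
    re.IGNORECASE | re.MULTILINE,
)
LEGIT_SLUG = "updraftplus"   # directory name of the genuine plugin
MARKER = "updraftplus"       # assumption: copied headers still mention the brand


def read_headers(php_file: Path) -> dict:
    """Return the plugin header fields found at the top of php_file."""
    with open(php_file, "rb") as fh:
        text = fh.read(8192).decode("utf-8", errors="replace")
    return {m.group(1).title(): m.group(2).strip() for m in HEADER_RE.finditer(text)}


def find_impostors(plugins_dir: Path) -> list:
    """List (slug, file name) for plugins with UpdraftPlus headers under another slug."""
    hits = []
    for php_file in sorted(plugins_dir.glob("*/*.php")):
        slug = php_file.parent.name
        headers = read_headers(php_file)
        if "Plugin Name" not in headers or slug == LEGIT_SLUG:
            continue
        if any(MARKER in value.lower() for value in headers.values()):
            hits.append((slug, php_file.name))
    return hits


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one genuine-looking plugin, one copy, one unrelated."""
    header = "<?php\n/*\nPlugin Name: UpdraftPlus - Backup/Restore\nAuthor: UpdraftPlus.Com\n*/\n"
    other = "<?php\n/*\nPlugin Name: Sample Gallery\nAuthor: Example Dev\n*/\n"
    for slug, body in (("updraftplus", header), ("updrat123", header), ("sample-gallery", other)):
        (root / slug).mkdir(parents=True)
        (root / slug / f"{slug}.php").write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name in find_impostors(build_sample_tree(Path(tmp))):
            print(f"suspicious plugin directory: {slug}/{name}")
```

Treat hits as leads for manual review, since a legitimate add-on may also mention UpdraftPlus in its headers, and a copy stored under the `updraftplus` slug itself would need a file-integrity comparison instead.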