How to Track Silently Installed Plugins in WordPress

Have you ever found a plugin on your WordPress site that you didn’t install?

You’re not alone.

Last month, I wrote about a WordPress mystery. People told us that plugins on their sites were silently deactivated.

Logtivity is an activity log, so we needed to make sure we tracked these changes.

That post lead to other people contacting us with a similar but slightly different problem. Sometimes plugins were silently installed on their sites.

In this blog post, I’ll explain why these silent plugin installs happen and what you can do about them.


Possible reasons for silent plugin installs

There are several reasons why you might find mystery plugins installed on your site. Here are some of the most popular:

  1. Hosting companies: Almost every WordPress hosting company automatically installs their own plugins on customer sites. I want to stress that this isn’t a bad thing, but it’s very helpful to be alerted when this happens. Here are just a few of many examples:
    • Cloudways has a plugin called “Malcare” that they use for spam prevention. They also install plugins called Breeze and Object Cache Pro.
    • Siteground has a plugin they call “Speed Optimizer“.
    • Kinsta installs several plugins in a folder called “kinsta-mu-plugins”. Pantheon does something similar with this plugin and WordPress VIP does also with these plugins.
    • WordPress.com can install up to 10 different plugins.
    • Bluehost installs Yoast SEO and a suite of other plugins.
    • Hostinger installs an onboarding plugin, an AI plugin and more.
    • Flywheel installs a custom version of a plugin called “Limit Login Attempts”.
    • Dollie installs the “Powered Cache” plugin.
    • WPMU Dev installs many of their own plugins Smush, Defender, Hummingbird, Forminator, Smartcrawl, and WPMU Dev Dashboard.
  2. Hackers: One of the first things many hackers will do is install a plugin on your site. We shared details of how this happened to a Logtivity customer. All the details were recorded by Logtivity, including the installation of a new plugin.
  3. Plugin developers: There are some WordPress plugin developers who will discreetly install other plugins when you install one of their plugins. Normally this is done during an onboarding process. There are often automatically checked boxes and if you don’t uncheck them, the developer will install their other plugins.

Good news: you can track silent plugin installs

Here at Logtivity, our activity log will track silently installed plugins. Most activity log plugins will not track these installs, but we’ve been working hard to make sure we catch these important changes to your site.

Let’s show several examples, covering different ways that these plugins can be installed.

#1. Plugins installed by hosting companies

First, let’s look at plugins installed by hosting companies. One caveat here is that some of these installs happen when you first set up your site, and before you can install Logtivity. However, we’ve heard several stories of this happening long after the site has gone live.

This image below shows the activity log for a site on Cloudways. The log entry shows that the “MalCare” plugin was installed. Using the same technology that we used to track silently disabled plugins, we’ve added a new log called “Plugin Active State Changed”.

MalCare plugin installed by a hosting company

Here are the two log entries for this new plugin. There are no user details attached to either log because this was “Not done through UI”. Logtivity will automatically send you an alert for this.

While we haven’t been able to test every hosting company and the different ways they install mystery plugins, we’re confident we’re catching the vast majority of them. Here’s an example from another hosting company. This host installed the popular LiteSpeed Cache plugin. This was done using the popular WP-CLI tool, which is a command line interface for WordPress.

Litespeed plugin installed by a hosting company

#2. Plugins installed by hackers

Second, let’s take a look at plugins installed by hackers. In our story of tracking a WordPress hacker, we shared logs from that hack. These included the installation of a malicious plugin called “Wp Striplple”, as you can see in the screenshot below. If a hacker installs a plugin on your site, you can get notified immediately by Logtivity.

Plugins installed by WordPress hackers

#3. Plugins installed by plugin developers

Finally, let’s look at plugins installed together with other plugins. This screenshot below shows a common interface for installing other plugins. All these boxes are checked automatically. If you click the “Continue” button on this page, you’ll automatically have these four plugins installed.

Easy Digital Downloads plugin installs during onboarding

If you have Logtivity installed on your site, you’ll have a record of all these plugin installs. This screenshot below captures all four plugin installs:

Easy Digital Downloads plugin installs

Give Logtivity a try today

Logtivity makes WordPress activity logs simple. You get one activity log dashboard for all your sites. From the Logtivity app, you can see a live stream of everything happening on your sites.

Start your free Logtivity trial today. It’s only $1 per site per month.