Plugins let you add and customize WordPress' features. WordPress keeps a repository of them available on their website here. However, you can also install plugins not on that list (i.e. not approved by WordPress). If you decide to, though, we urge you to be cautious — unofficial plugins are often maliciously designed and will harm your website and its visitors.
Malicious plugins can also affect your site if an attacker compromises your account. These plugins will grant the attacker access to your site, which they can use to upload malicious files or tamper with your site's existing content.
Malicious plugins can be found by reviewing the list of installed plugins in the WordPress admin screen (more info).
When reviewing the list, look for anything that you did not install or did not come installed with WordPress. You may also need to use the WordPress Plugin Directory (more info) or your favorite search engine for help determining if a plugin is legitimate.
In addition to reviewing the installed plugins in the admin screen, you should also check the
/wp-content/plugins/ directory within the site's file structure. You can do this via FTP (more info) or through your hosting account's control panel (more info).
You can find additional signs you've been compromised in My website was hacked. What should I do?.
You must remove all of the malicious plugin directories (more info).
If the malicious plugins are not listed in the plugins screen, remove the malicious plugin directory via FTP (more info) or through your hosting account's control panel (more info). Before deleting anything, we recommend making a backup of your website (more info).
You should also: