DEV Community

MD Pabel

Originally published at mdpabel.com

How to Prevent Fake Hidden Plugins from Reinstalling on WordPress

There is nothing more infuriating for a WordPress website owner than battling a “zombie plugin.”

You know the scenario: you find a suspicious, hidden plugin on your site—perhaps named something generic like “hellos,” “wp-zcp,” or “security-patch.” You delete it. You breathe a sigh of relief. Five minutes later, you refresh your file manager, and it’s back.

How does this happen? And more importantly, how do you stop something that keeps automatically reinstalling itself?

Recently, a clever WordPress user discovered a brilliant, low-tech solution that exploits the basic logic of computer servers to stop these reinfections in their tracks. It acts like a physical roadblock for malware.

Here is how to use the “Filesystem Block” technique to stop fake plugins from reappearing.

Why Does the Malware Keep Coming Back?

When your site is compromised, the hacker rarely just installs a bad plugin once. They usually leave behind a backdoor script or create a “cron job” (a scheduled server task).

This malicious script runs in the background every few minutes and checks: “Does the bad folder ‘wp-content/plugins/hellos’ exist?”

If you deleted it, the script says, “Nope, it’s gone. Time to recreate it.” It then downloads the malware again and rebuilds the folder. This is why you feel like you are fighting a losing battle.

The “Aha!” Moment: Exploiting Server Logic

The solution lies in a very simple rule that governs almost every operating system, including the Linux servers that run most hosting plans:

You cannot have a FILE and a FOLDER with the exact same name in the same location.

If you try to create a folder named my-stuff, but a file named my-stuff already sits there, the server will throw an error: “File exists.”

We can use this rule against the hacker.

If we know the malware wants to create a plugin folder named hellos, we can beat it to the punch by creating an undeletable file with that exact same name. When the malware script tries to run its “create folder” command, it hits a brick wall and fails.

Step-by-Step: How to Implement the Filesystem Block

This process works best if the malware is “dumb” and always uses the exact same name (e.g., it always tries to create “wp-security-check”).

Disclaimer: This is a hardening technique. You still need to find and remove the actual backdoor script that is attempting the reinstall, but this will stop the bleeding in the meantime.

Step 1: Identify the Enemy

Find the name of the fake plugin or theme folder. For this example, let’s say the bad folder is inside wp-content/plugins/ and is named: fake-plugin-xyz

  1. First, delete that malicious folder completely.

Step 2: Create the Dummy File

You need to use your hosting File Manager (like cPanel) or FTP.

  1. Navigate to the wp-content/plugins/ directory.

  2. Create a new, empty file. (Make sure you select “File”, not “Folder”).

  3. Name it exactly: fake-plugin-xyz

  4. Crucial note: Do not add an extension like .txt or .php. Just the name.

Now you have an empty file sitting where the malware wants its folder to be.

Step 3: Lock the File Down (Make it Invincible)

If the malware script is smart, it might try to delete your dummy file before creating its folder. We need to prevent that by changing the file permissions.

Using cPanel / File Manager:

  1. Right-click on your new dummy file named fake-plugin-xyz.

  2. Select Change Permissions or Permissions.

  3. Uncheck every single box. The numeric value should be 000 (or sometimes 444 depending on your host).

  4. Save.

By setting permissions to 000, you are telling the server: “Nobody can read this, nobody can write to this, and nobody can execute this.”

Now, when the hacker’s script tries to delete or overwrite your file, the server will deny permission, and the infection fails.

The “Nuclear Option” (For VPS/SSH Users)

If you are on advanced hosting with SSH terminal access, you can use an even stronger method called the “immutable attribute.” This stops even the root user from accidentally deleting it.

Run this command in the plugins directory: chattr +i fake-plugin-xyz

To remove the file later, you would need to use chattr -i fake-plugin-xyz first.
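The whole procedure (Steps 1 to 3 plus the immutable attribute) as a POSIX shell script, added here as an example and not taken from the original post; it assumes the plugins directory and the fake plugin name are passed as arguments, and is_blocked reproduces the mkdir that a reinstall script would run so you can verify the block actually holds. One caveat worth knowing: on Linux, deleting a file is governed by write permission on the parent directory rather than by the file's own mode, and the file's owner can always chmod it back, so the chattr +i step is what really prevents removal; the chmod 000 step is kept as the post describes it.

```shell
#!/bin/sh
# Filesystem block for a WordPress "zombie plugin": plant an empty, locked file
# where the malware wants its plugin folder, so its mkdir fails with "File exists".
# Added example, not the original post's code. Assumes the plugins directory
# and the fake plugin name are supplied as arguments (paths here are constructed).

# plant_block <plugins-dir> <name>: Steps 1-3 plus the immutable attribute.
plant_block() {
    target="$1/$2"

    # Step 1: delete the malicious folder completely, if it is still there.
    [ -d "$target" ] && rm -rf "$target"

    # Step 2: create an empty FILE with the exact folder name and no extension.
    : > "$target" || return 1

    # Step 3: clear every permission bit (000).
    chmod 000 "$target" || return 1

    # Nuclear option: immutable attribute. Needs root and a filesystem that
    # supports it (ext4, xfs); if it fails, the plain file block still stands.
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$target" 2>/dev/null || true
    fi
}

# is_blocked <plugins-dir> <name>: returns 0 when a file holds the name and the
# mkdir a reinstall script would run fails, which is exactly what we want.
is_blocked() {
    target="$1/$2"
    [ -f "$target" ] || return 1
    if mkdir "$target" 2>/dev/null; then
        rmdir "$target"          # should not happen; undo it and report failure
        return 1
    fi
    return 0
}

# mode_of <path>: octal permission bits; GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# unblock <plugins-dir> <name>: undo the block when you need the name back.
unblock() {
    target="$1/$2"
    command -v chattr >/dev/null 2>&1 && { chattr -i "$target" 2>/dev/null || true; }
    chmod 644 "$target" && rm -f "$target"
}

# Stand-alone use: sh block.sh /path/to/wp-content/plugins fake-plugin-xyz
if [ "$#" -eq 2 ]; then
    plant_block "$1" "$2" && is_blocked "$1" "$2" && echo "blocked: $1/$2"
fi
```

Run it as the user that owns wp-content (or as root if you want chattr +i to take effect); the mode check in is_blocked is the same error the reinstall script hits.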

Limitations of This Method

This trick is incredibly effective against automated bots, but it is not a cure-all.

  • Randomized Names: If the malware is sophisticated and generates a new, random name every time it reinstalls (e.g., plugin-a8j2, then plugin-k9c1), this trick won’t work because you can’t predict the name to block.

  • Root Access: If the attacker has managed to gain “root” (super-admin) access to the entire server, they can override your permissions. Fortunately, most shared hosting hacks do not have this level of access.

Summary

Using a dummy file to block malicious folders is a fantastic, clever example of using basic system logic for security hardening. It acts like a digital “Do Not Enter” sign that automated malware scripts can’t ignore. It buys you crucial time to find the actual source of the infection and clean your site properly.
