Support » Developing with WordPress » Unusual plugins detected on WP site

  • gettingitdone



    I’ve checked a WP website I manage today and have noticed two new plugins not shown on the main plugin page. They are called “wp-dms-registry” and “wp-task-manager”.

    Wp-dms-registry consists one a single index file. Its internal description is

    Plugin Name: WP System Cache
    Plugin URI:
    Description: Official WordPress plugin
    Author: WordPress
    Version: 14.2.9
    Author URI:

    wp-task-manager consists of class-scheduler.php, index.html, index.php, scheduler.pnp, and wrapper.php. Its internal description is

    Plugin Name: Task Agent
    Plugin URI:
    Description: Used by millions, Task Agent is quite possibly the best way in the world to protect your blog from spam. It keeps your site protected even while you sleep. To get started: activate the Task Agent plugin and then go to your Task Agent Settings page to set up your API key.
    Version: 7.8.1
    Author: Automatic
    Author URI:
    License: GPLv2 or later
    Text Domain: Task Agent
    */ /*
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    GNU General Public License for more details. You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Copyright 2005-2020 Automatic, Inc.

    I’ve never seen these before and I can’t find them on’s plugin section. They seem suspicious. Anyone know more about them?

    The site’s WP version is 6.2.2 and it is hosted via GoDaddy’s WP site hosting service.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Gregor Wendland


    Hi @gettingitdone ,

    I would have the same feeling as you. I would take a deeper look to the code of those plugins. Maybe you can see something suspicious code.

    Was the website build by another one or did you have set it up? If you are the only technical manager of the site I would also say that this is suspicious!

    And I think it doesen’t look like GoDaddy would install these two plugins. GoDaddy would name itself as author, I think.

    Moderator bcworkz


    Have the plugins been activated? Or are they just installed and not active?

    If you’re the only WP user who is able to install and activate plugins and you didn’t add these, it’s likely your site has been hacked and the plugins could be malicious. But IME it’s unusual for hackers to add new plugins, it’s a little too obvious. Hacker code is usually more hidden. I suppose this could be a “hidden in plain sight” tactic. There’s a chance this is not a hack and it’s something more benign.

    If you suspect a hack, please work through the steps outlined in FAQ My Site was Hacked.

    Could it be removing the plugins will entirely clean up the site, that there is no other “backdoor” code left behind? Unlikely but possible. It’s certainly the easiest thing to try first in finding and removing a hack. (after resetting all access) If after a period of time the plugins return, seemingly on their own, then the site was not completely cleaned and a more diligent effort at clean up will be needed.

    If you have good, known clean backups of your site, wiping out everything and reinstalling from backup is a reliable way to fully clean the site. Sadly not everyone has good reliable backups. Without known clean backups, if simply removing the plugins does not fully clean the site, you may require professional help to fully clean the site.



    A new client called today saying his WP was hacked and only his Homepage was working.

    I just noticed he’s got “WP Task Agent” installed too, which I can’t find info about in Google.

    And what calls a heap of attention from your message is these 2 things:

    1. it says that Author is Automatic … when the company that owns WP is actually called Automattic (with 2 TT at the end) !!!
    2. And the Author URI reffers to a generic webpage with no info about tis specific plugin:

    I still haven’t got FTP access but if it looks like shit and smells like shit, most probable it’s shit!

    What do you guys think?

    NOTE: after a deeper look into the his plugins list I can see that he’s got also installed File Manager (a real WP plugin which gives an Admin a FTP-like access to all the website files!) and 2 copies of another weird plugin called WP Base… and then I remembered that another client of mine had the SAME plugins installed in his hacked website !!!

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.