Malicious Plugins Discovered on over 25,000 WordPress Sites

Georgia Institute of Technology researchers discovered malicious plugins on tens of thousands of WordPress websites.

Over 47,000 malicious plugins were discovered in an analysis of nightly backups of over 400,000 unique web servers.

Over 94% of these plugins (over 44,000) are still in use today.

Researchers discovered over 40,000 malicious plugins that were installed on 400,000 web servers owned by customers of website backup provider CodeGuard.

More than 10,000 of these plugins concealed their presence on the internet by utilising webshells and code obfuscation.

The researchers also discovered over 6,000 plugins that impersonated benign plugins available on legitimate marketplaces while offering website owners a trial period.
