Attackers use malicious plugins that hide in plain sight and act as backdoors to gain and maintain a foothold on WordPress websites. The fake plugins are designed to stay out of sight until someone who knows they are there wanders around. They can easily be created with the help of ready-made automated tools or by including malicious payloads such as web shells within the source code of legitimate plugins. Researchers at web security and protection company Sucuri observed the attackers dropping web shells and scripts for brute-force attacks against other sites.
Source: https://www.bleepingcomputer.com/news/security/hackers-backdoor-sites-by-hiding-fake-wordpress-plugins/