Plugin installed by hacker

Hi @pat1701,

There’s two potentials here:

1. Whatever you use for WordPress updates is re-installing the plugin.
2. A malicious plugin is being installed and pretending to be Hello Dolly.

Because WordPress includes Hello Dolly by default, some WP management tools do automatically re-install it, however, WordPress itself does not re-install it if you remove it.

Because it’s included by default in WordPress, many malicious actors may install a malicious plugin and set it’s name to Hello Dolly to disguise it on your site. In other words, the plugin you see installed may not actually be Hello Dolly.

If you’re finding the plugin constantly re-installed, and there’s a chance that it may not be the Hello Dolly plugin, you should treat your site as infected by malware / hacked and run through the appropriate steps. Simply removing the plugin is unlikely to remove the infection, nor would it remove the way that they’ve got control over the website.

The below article may help with direction on scanning and cleaning up any infection.

FAQ My site was hacked

Hi, Dion Hulse, thanks for your reply.
I’ll read the article and follow the instructions.
The next time I see the plugin installed on my site, I’ll check if there’s a link to the plugin page – if there isn’t, it’s fake!
I’ll report any news here. I sent here a message because I thought it was important for you to know what’s going on.
One site even had 2 Hello Dollys installed! I’ve never seen that!
Have a nice week.