Malicious WordPress Plugin Poses as Security Tool to Inject Backdoor


Security researchers at Wordfence have discovered a new malware campaign that targets WordPress websites using a fake security plugin to gain full control over infected sites. The plugin appears to be legitimate, but silently installs a backdoor and gives attackers persistent access and the ability to run malicious code.

The plugin provides remote code execution, persistent admin access, and the ability to inject JavaScript into the site, without the website owner even noticing. It is a dangerous example of how attackers are now using more advanced methods to target even well-maintained WordPress sites.

The malware was first spotted during a site cleanup in late January 2025. Wordfence found that a modified wp-cron.php file was being used to create and automatically activate a malicious plugin named WP-antymalwary-bot.php. This fake plugin is not visible in the WordPress dashboard, making it difficult for users to detect and remove.

Other filenames used by the attackers include:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php

Even if the plugin is deleted manually, the altered wp-cron.php file will recreate and reactivate it the next time someone visits the website.

While the exact method of infection is still unclear due to a lack of server logs, researchers believe the attackers may be compromising hosting accounts or stealing FTP credentials. The command and control (C2) server behind the campaign is located in Cyprus, and some aspects of the attack resemble a supply chain compromise from June 2024.

Once active, the plugin performs a status check and then uses a function named emergency_login_all_admins to log the attacker in as an administrator. If the correct password is passed through a URL parameter, the function fetches the first admin account from the database and grants the attacker access as that user.

The plugin also registers a custom REST API route that does not require authentication. This allows the attacker to:

  • Inject PHP code into the header.php file of active themes
  • Clear plugin caches
  • Execute additional commands via POST requests

A newer version of the malware can also inject base64-decoded JavaScript into the <head> section of the site. This code may be used to show ads, redirect visitors, or serve other malicious content.

Website owners are advised to inspect the following:

  • The wp-cron.php and header.php files for unexpected changes
  • Plugins with suspicious names like addons.php or wpconsole.php
  • Access logs for terms like emergency_login, check_plugin, urlchange, and key

If any of these indicators are present, the site may be compromised and should be thoroughly checked and cleaned immediately.

What makes this threat alarming is how well it hides itself. A malicious plugin that does not show up in the dashboard and re-creates itself even after deletion is especially dangerous. The attackers are clearly skilled and focused on long-term access, not just quick damage.

Also, the fact that the malware might be getting in via compromised hosting or FTP credentials means the attack could bypass WordPress's own login and plugin defenses entirely. That should worry anyone who is not regularly monitoring their server-side files or logs.

Tips for WordPress Users

If you run a WordPress site, here are some steps you should take right away:

  1. Scan for Unusual Plugins: Check your /wp-content/plugins/ folder via FTP or file manager, not just the admin dashboard.
  2. Inspect wp-cron.php: Look for any unfamiliar code or functions.
  3. Check Your header.php: Look for any PHP or JavaScript code that should not be there.
  4. Review Access Logs: If possible, search logs for suspicious terms like emergency_login, check_plugin, urlchange, or key.
  5. Use Security Plugins You Trust: Stick to well-reviewed, widely used security plugins like Wordfence, Sucuri, or iThemes Security. Keep them updated.
  6. Change FTP and Hosting Passwords: If you suspect anything unusual, reset your credentials immediately.
  7. Regular Backups: Make sure you have recent backups stored offsite. This is your safety net in case your site gets fully compromised.
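The indicator list above and steps 1 to 4 of the checklist can be turned into a single script that reads the site from disk (so it sees plugins the dashboard hides), flags the file names named in the write-up, looks for constructs that do not belong in a stock wp-cron.php or a theme's header.php, and greps request logs for the four terms. This is an added example, not Wordfence's tooling or code from the campaign; the code-pattern heuristics, the demo site layout and the sample log lines are all constructed here.

```python
"""Hunt for the write-up's indicators on a WordPress install (added example)."""
import re
import tempfile
from pathlib import Path

# Plugin file names named in the write-up (compared case-insensitively).
SUSPICIOUS_PLUGIN_NAMES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Request-log terms named in the write-up, matched as whole words on the request target.
LOG_TERMS = ("emergency_login", "check_plugin", "urlchange", "key")
LOG_TERM_RE = re.compile(r"\b(" + "|".join(LOG_TERMS) + r")\b")

# Assumed heuristics: a stock wp-cron.php and a normal theme header.php do not
# activate plugins, write files, decode base64 blobs or eval strings.
CODE_PATTERNS = {
    "plugin activation": re.compile(r"\bactivate_plugin\s*\("),
    "file write": re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\("),
    "obfuscated payload": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "dynamic eval": re.compile(r"\b(eval|assert|create_function)\s*\("),
}

def find_suspicious_plugins(plugins_dir):
    """Walk wp-content/plugins on disk, not via the dashboard, and return matching paths."""
    return sorted(
        str(p) for p in Path(plugins_dir).rglob("*.php")
        if p.name.lower() in SUSPICIOUS_PLUGIN_NAMES
    )

def scan_php_file(path):
    """Return (pattern label, line number) for each suspicious construct in a PHP file."""
    findings = []
    for lineno, line in enumerate(Path(path).read_text(errors="replace").splitlines(), 1):
        for label, pattern in CODE_PATTERNS.items():
            if pattern.search(line):
                findings.append((label, lineno))
    return findings

def grep_access_log(lines):
    """Return log lines whose request target carries one of the indicator terms."""
    matches = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)', line)
        if m and LOG_TERM_RE.search(m.group(1)):
            matches.append(line)
    return matches

def run_checks(site_root):
    """Run the file-based checks (steps 1-3) over a WordPress root and return a report."""
    root = Path(site_root)
    return {
        "suspicious_plugins": find_suspicious_plugins(root / "wp-content" / "plugins"),
        "wp-cron.php": scan_php_file(root / "wp-cron.php"),
        "header.php": [
            (p.relative_to(root).as_posix(), label, lineno)
            for p in sorted((root / "wp-content" / "themes").glob("*/header.php"))
            for label, lineno in scan_php_file(p)
        ],
    }

# Constructed sample log lines (RFC 5737 documentation addresses); three should match.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2025:10:01:02 +0000] "GET /?emergency_login=REDACTED HTTP/1.1" 302 0',
    '203.0.113.5 - - [12/Feb/2025:10:01:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Feb/2025:10:02:00 +0000] "POST /?check_plugin=1 HTTP/1.1" 200 12',
    '198.51.100.9 - - [12/Feb/2025:10:03:00 +0000] "GET /blog/monkey-business/ HTTP/1.1" 200 8000',
    '203.0.113.5 - - [12/Feb/2025:10:04:00 +0000] "GET /?key=abc123 HTTP/1.1" 200 12',
]

def build_demo_site():
    """Create a constructed WordPress tree in a temp dir that carries the indicators."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "akismet" / "akismet.php").write_text("<?php /* benign */\n")
    (root / "wp-content" / "plugins" / "WP-antymalwary-bot.php").write_text("<?php /* marker */\n")
    (root / "wp-cron.php").write_text(
        "<?php\n// constructed marker: stock wp-cron.php does neither of these\n"
        "file_put_contents($target, $payload);\nactivate_plugin('WP-antymalwary-bot.php');\n"
    )
    theme = root / "wp-content" / "themes" / "demo-theme"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text(
        "<?php wp_head(); ?>\n<script><?php echo base64_decode($injected); ?></script>\n"
    )
    return root

if __name__ == "__main__":
    site = build_demo_site()
    for section, hits in run_checks(site).items():
        print(f"{section}: {hits}")
    print("log hits:", grep_access_log(SAMPLE_LOG))
```

Point `run_checks` at a real document root and feed `grep_access_log` your web server's access log; an empty report is not proof of a clean site, but any hit in wp-cron.php, header.php or the plugin directory is reason to move on to a full cleanup and credential reset.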
