New Malware Threat: Fake WordPress Security Plugin Grants Hackers Full Access

A new cybersecurity threat has emerged, targeting WordPress sites with a fake security plugin that allows attackers to gain remote administrative access. Disguised as a legitimate tool, this malware can execute remote code, inject malicious scripts, and maintain persistence even after attempts to remove it.

Key Takeaways

  • The malware masquerades as a security plugin, often named WP-antymalwary-bot.php.

  • It allows attackers to log in as administrators without detection.

  • The plugin hides from the WordPress dashboard, making it difficult to identify.

  • It can reinstall itself using a modified wp-cron.php file.

  • Site owners are urged to monitor their plugins and logs for suspicious activity.

Overview Of The Malware

The malware was first identified by the Wordfence Threat Intelligence team during a routine site cleanup in January 2025. It poses as a benign plugin, often using names like , , or . Once installed, it provides attackers with full administrative access to the site, allowing them to execute remote code and inject malicious JavaScript into the site’s theme files.

How The Malware Operates

Upon installation, the malware employs several tactics to maintain control over the infected site:

  1. Remote Code Execution: Attackers can execute arbitrary PHP code on the site, allowing them to manipulate site functionality.

  2. Hidden Persistence: The malware modifies the wp-cron.php file so that it reinstalls itself if deleted. Because WordPress runs wp-cron.php on ordinary page loads, the plugin can reappear on the next site visit even after the site owner has removed it.

  3. Communication with Command & Control Server: The malware pings a C&C server located in Cyprus, sending back information about the infected site, which helps attackers manage their control remotely.

Signs of Infection

Site owners should be vigilant for the following indicators of infection:

  • Suspicious Plugin Names: Look for unusual names like scr.php or wpconsole.php in the plugin directory.

  • Unusual Access Logs: Check for entries mentioning emergency_login or other suspicious activity.

  • Modified Core Files: Inspect wp-cron.php and theme header files for unauthorized changes.

  • Outbound Connections: Monitor for connections to known malicious IP addresses, such as 45.61.136.85.
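The four indicators above can be checked with a small audit script. The following is an added example written for this post, not the article's own tooling or any Wordfence product. The plugin file names, the emergency_login log token and the 45.61.136.85 address are taken from the text; the obfuscation markers checked in wp-cron.php (eval, base64_decode and similar) are a general heuristic assumed here, not something the article states; the access-log lines, ss output and wp-cron.php content are constructed samples, and the known-good hash is a placeholder to be replaced with the digest of a clean wp-cron.php from the same WordPress release.

```python
"""Defender-side audit helper for the fake-security-plugin indicators (example code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article. Treat this as a seed list, not a full signature set.
SUSPICIOUS_PLUGIN_FILES = {"wp-antymalwary-bot.php", "scr.php", "wpconsole.php"}
SUSPICIOUS_LOG_TOKENS = ("emergency_login",)
KNOWN_BAD_IPS = {"45.61.136.85"}
# Heuristic: constructs a stock wp-cron.php does not contain (assumption, not from the article).
OBFUSCATION_MARKERS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")

# Apache/nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def find_suspicious_plugins(plugin_dir):
    """Return PHP files (relative to plugin_dir) whose name matches the indicator list."""
    root = Path(plugin_dir)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if p.name.lower() in SUSPICIOUS_PLUGIN_FILES
    )


def scan_access_log(lines):
    """Flag log lines whose request line contains a suspicious token such as emergency_login."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        req = m.group("req") if m else line  # fall back to the raw line if the format differs
        for token in SUSPICIOUS_LOG_TOKENS:
            if token in req:
                findings.append({"line": n, "token": token, "ip": m.group("ip") if m else None})
    return findings


def check_wp_cron(content, known_good_sha256=None):
    """Compare wp-cron.php text against a known-good SHA-256 and look for obfuscation markers."""
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    return {
        "sha256": digest,
        "hash_mismatch": known_good_sha256 is not None and digest != known_good_sha256,
        "markers": [m for m in OBFUSCATION_MARKERS if m in content],
    }


def check_outbound(ss_lines):
    """Parse `ss -tn` style output and return peer IPs that are on the known-bad list."""
    bad = set()
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # skip the header row and malformed lines
        peer_ip = fields[-1].rsplit(":", 1)[0]  # strip the port from "addr:port"
        if peer_ip in KNOWN_BAD_IPS:
            bad.add(peer_ip)
    return sorted(bad)


def demo_plugin_scan():
    """Build a constructed plugin directory in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "akismet").mkdir()
        (root / "akismet" / "akismet.php").write_text("<?php // legitimate plugin\n")
        (root / "WP-antymalwary-bot.php").write_text("<?php // constructed sample\n")
        (root / "wpconsole").mkdir()
        (root / "wpconsole" / "wpconsole.php").write_text("<?php // constructed sample\n")
        return find_suspicious_plugins(root)


# Constructed sample inputs (not real traffic, connections or file content).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2025:10:01:09 +0000] "GET /?emergency_login=1 HTTP/1.1" 302 0',
    '198.51.100.3 - - [12/Jan/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192',
]
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port Process",
    "ESTAB 0 0 10.0.0.5:443 198.51.100.20:51532",
    "ESTAB 0 0 10.0.0.5:54874 45.61.136.85:443",
]
SAMPLE_WP_CRON = (
    "<?php\n// constructed sample: a stock wp-cron.php contains no such line\n"
    "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n"
)
KNOWN_GOOD_SHA256 = "0" * 64  # placeholder: hash of a clean wp-cron.php of the same release

if __name__ == "__main__":
    print("plugins :", demo_plugin_scan())
    print("log hits:", scan_access_log(SAMPLE_LOG))
    print("wp-cron :", check_wp_cron(SAMPLE_WP_CRON, KNOWN_GOOD_SHA256))
    print("outbound:", check_outbound(SAMPLE_SS))
```

On a real install, point find_suspicious_plugins at wp-content/plugins, feed scan_access_log the web server's access log, read wp-cron.php into check_wp_cron alongside the hash of a clean copy, and pipe `ss -tn` output into check_outbound. A name match or a hash mismatch is a prompt to investigate, not proof of compromise; the marker check is a heuristic and a clean hash does not rule out tampering elsewhere.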

Recommendations for Site Owners

To protect against this evolving threat, WordPress site owners should take the following steps:

  • Regularly Update Security Tools: Ensure that security plugins and tools are up-to-date to detect and mitigate threats.

  • Conduct Routine Site Audits: Regularly check the plugin directory and core files for any unauthorized changes or suspicious plugins.

  • Monitor Logs: Keep an eye on access logs for any unusual activity that could indicate a breach.

  • Implement Strong Security Practices: Use strong passwords, enable two-factor authentication, and limit user access to the admin dashboard.

As WordPress continues to be a prime target for cybercriminals, the emergence of this fake security plugin highlights the need for heightened vigilance among site owners. By staying informed and proactive, website administrators can better protect their sites from these insidious threats.

As cyber threats grow more sophisticated, staying informed is more important than ever. BetterWorld Technology delivers advanced cybersecurity solutions designed to adapt to the threat landscape—ensuring your business stays protected while continuing to innovate. Take the first step toward stronger security—contact us today for a consultation!
