A new malware campaign is using a malicious plugin disguised as a security tool to infiltrate WordPress websites. The plugin tricks users into installing and trusting it, posing a significant security risk.
Researchers at Wordfence uncovered that the malware grants attackers persistent access to infected sites, enabling remote code execution and JavaScript injection into webpages. The plugin is designed to remain hidden from the standard plugin overview, evading detection by site administrators.
The threat was first identified in late January 2025 during cleanup operations on compromised sites. Analysts discovered a modified version of the wp-cron.php file, which automatically creates and activates a malicious plugin named WP-antymalwary-bot.php.
Multiple Malicious Plugin Files Involved
The campaign also involves other plugin files such as addons.php, wpconsole.php, wp-performance-booster.php, and scr.php. Even if administrators delete the malicious plugin, the wp-cron.php file recreates and reactivates it upon the next site visit.
Due to insufficient server logs, the exact infection vector remains unclear. Wordfence suspects the compromise occurred through stolen hosting accounts or FTP credentials.
Connection to Cyprus-Based Command and Control Server
Limited information is available about the perpetrators. However, the command and control (C2) server is located in Cyprus, and the attack shares characteristics with a supply chain attack that took place in June 2024.
Once activated, the plugin verifies its status and grants attackers administrator privileges. Wordfence explains this is achieved through a function that permits access to the admin dashboard using specific URL parameters and passwords. The plugin retrieves administrator accounts from the database and logs in as those users on behalf of the attacker.
The plugin then establishes an unauthenticated, dedicated REST API channel. This backdoor allows arbitrary PHP code injection into the active theme’s header.php file, cache clearing, and handling of additional commands via POST parameters.
Newer versions of the malware decode base64-encoded JavaScript and inject it into the website’s <head> section, likely aiming to display ads, spam content, or trigger malicious redirects to site visitors.
Recommendations for Website Administrators
Administrators are advised to monitor for suspicious modifications in wp-cron.php and header.php files, beyond just checking for dubious plugins. Server logs containing entries such as Emergency_login, Check_plugin, URLChange, or Key may also signal infection and warrant further investigation.
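As an added example (not part of the article or of Wordfence's own tooling), the following Python script applies both recommendations offline: it flags access-log requests whose query string carries one of the indicator parameter names, and it compares wp-cron.php and the theme's header.php against trusted SHA-256 baselines. The log lines, file contents and theme path are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit
# Parameter names the article lists as log indicators of this campaign.
SUSPICIOUS_PARAMS = {"Emergency_login", "Check_plugin", "URLChange", "Key"}
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_requests(log_lines):
    """(ip, timestamp, matched names) per request whose query string uses an
    indicator name; a site that legitimately uses 'Key' needs triage, so treat hits as leads."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip
        names = set(parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True))
        matched = sorted(names & SUSPICIOUS_PARAMS)
        if matched:
            hits.append((m.group("ip"), m.group("ts"), matched))
    return hits

def changed_files(baseline_sha256, current_contents):
    """Paths whose SHA-256 differs from the trusted baseline or that are missing.
    Contents are passed in as {path: bytes} so the check runs offline."""
    changed = []
    for path, expected in baseline_sha256.items():
        data = current_contents.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            changed.append(path)
    return sorted(changed)

# Constructed sample data: log lines, theme path and file bodies are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2025:10:01:22 +0000] "GET /wp-cron.php HTTP/1.1" 200 0',
    '203.0.113.5 - - [12/Feb/2025:10:01:25 +0000] "GET /?Emergency_login=1&Key=abc HTTP/1.1" 302 0',
    '198.51.100.7 - - [12/Feb/2025:10:02:00 +0000] "POST /index.php?Check_plugin=1 HTTP/1.1" 200 512',
    '198.51.100.8 - - [12/Feb/2025:10:03:00 +0000] "GET /about/?utm_source=x HTTP/1.1" 200 4096',
]
HEADER = "wp-content/themes/example-theme/header.php"
CLEAN = {"wp-cron.php": b"<?php\n/* WordPress Cron */\n", HEADER: b"<?php /* header */ ?>\n"}
BASELINE = {path: hashlib.sha256(body).hexdigest() for path, body in CLEAN.items()}
# Simulate the campaign's tampering: wp-cron.php altered, header.php intact.
TAMPERED = dict(CLEAN, **{"wp-cron.php": CLEAN["wp-cron.php"] + b"/* injected */\n"})
if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
    print("modified:", changed_files(BASELINE, TAMPERED))
```

In practice the baseline hashes come from a known-clean copy of the site (or the upstream WordPress release), and current contents are read from disk on a schedule so a recreated wp-cron.php is caught before the next site visit re-plants the plugin.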