New WordPress Malware Masquerades as Plugin

A dangerous malware variant disguised as a legitimate WordPress plugin has been uncovered by security researchers.

The malware, named “WP-antymalwary-bot.php,” gives attackers persistent access to infected websites, injects malicious code and can serve remote advertisements to site visitors.

Disguised Plugin Enables Remote Code Execution

Discovered by the Wordfence Threat Intelligence team during a routine site cleanup on January 22, 2025, the malware mimics the structure of a genuine plugin, complete with standard formatting and metadata.

However, it includes several backdoor functions that make it especially dangerous. Among these, an emergency_login_all_admins function allows threat actors to log in as administrators using a GET request and a hardcoded password.

Another function, execute_admin_command, accepts commands through the REST API and executes them without permission checks, letting attackers inject PHP code into theme headers or clear plugin caches.

Malware Maintains Persistence Through Cron Job

Perhaps most concerning is the self-replicating nature of the plugin.

If deleted, it reinstalls itself through a modified wp-cron.php file. This file runs when the site is visited, making it a stealthy reinfection vector. It writes the malicious plugin back into the system and activates it automatically.


The malware also communicates with a command-and-control (C2) server hosted in Cyprus, pinging it every minute with the infected site’s URL and timestamp.

This reporting function is scheduled using WordPress’s built-in scheduler – an unusual but telling tactic for maintaining a database of compromised sites.

Indicators of Compromise and Infection Prevention

According to Wordfence, the main indicators of compromise of WP-antymalwary-bot.php include:

  • Unexpected GET requests with check_plugin or emergency_login
  • Modified wp-cron.php files
  • Injections into theme header.php files
  • JavaScript ads inserted via base64-decoded URLs
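The first two indicators above are request-based and can be hunted for in ordinary web-server access logs. The following script is an added example (not Wordfence's code or tooling): it parses Apache/nginx combined-format lines, percent-decodes each request target, and flags any request whose query parameters or path carry the names check_plugin or emergency_login. The log lines are constructed with RFC 5737 documentation addresses, not taken from a real incident.

```python
"""Scan web-server access logs for the request-based indicators named in the
article: requests carrying a check_plugin or emergency_login parameter.
Added example; the log lines below are constructed, not taken from an incident."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Parameter / route names the article lists as indicators of compromise.
IOC_NAMES = ("check_plugin", "emergency_login")


def suspicious_names(target):
    """Return the IoC names present in a request target (path + query), sorted.

    The target is percent-decoded first so an encoded name such as
    %65mergency_login does not slip past a literal match."""
    parts = urlsplit(unquote(target))
    params = parse_qs(parts.query, keep_blank_values=True)  # catches bare "?check_plugin"
    found = {n for n in IOC_NAMES if n in params or n in parts.path}
    return sorted(found)


def scan_log(lines):
    """Parse each line and return a hit record for every request touching an IoC name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        names = suspicious_names(m["target"])
        if names:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "status": int(m["status"]), "iocs": names,
            })
    return hits


def count_by_ip(hits):
    """Aggregate hits per source address so repeat offenders stand out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jan/2025:10:15:01 +0000] "GET /?emergency_login=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [22/Jan/2025:10:15:09 +0000] "GET /?check_plugin HTTP/1.1" 200 412 "-" "curl/8.0"
192.0.2.10 - - [22/Jan/2025:10:16:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [22/Jan/2025:10:16:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2025:10:17:00 +0000] "GET /?%65mergency_login=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {",".join(h["iocs"])}')
    print(count_by_ip(hits))
```

Run it against a real access log with `scan_log(open("access.log"))`; the per-IP counts are a convenient starting point for blocking at the firewall. Note that the script matches on parameter and path names only, so it cannot tell a successful login from a failed one; correlate the flagged timestamps with new administrator sessions or user accounts before concluding a site was compromised.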

Recent variants show increased sophistication. They allow for dynamic updates of ad-serving URLs, though parts of that implementation remain incomplete. These updates suggest active development and potential future refinements.

To reduce the risk of infection from such threats, site administrators should regularly audit installed plugins and themes, remove unused or suspicious files and monitor for unauthorized changes.

Ensuring file integrity, disabling direct file editing and using strong admin credentials and multi-factor authentication (MFA) can also significantly improve a site’s resilience against malware.

Routine off-site backups and a dependable security plugin or firewall are also strongly recommended to detect and block emerging threats.
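The file-integrity recommendation above maps directly onto the two file-based indicators the article lists: a modified wp-cron.php and injections into the theme's header.php. The script below is an added example, not code from Wordfence or from WordPress itself. It records SHA-256 hashes of a known-good baseline, re-hashes the watched files later and reports anything added, removed or modified; for header.php it additionally flags base64_decode() or eval() calls, which matches the article's description of ads injected via base64-decoded URLs. The theme directory name and the tampering in demo() are constructed for illustration.

```python
"""File-integrity check for the files the article names as tampering targets:
wp-cron.php and the active theme's header.php. Added example, not Wordfence code."""
import hashlib
import os
import re
import shutil
import tempfile

# Paths relative to the WordPress root; the theme name is a constructed placeholder.
WATCHED = ["wp-cron.php", "wp-content/themes/demo-theme/header.php"]
# Calls that should not normally appear in a theme header.
SUSPECT_RE = re.compile(r"base64_decode\s*\(|\beval\s*\(", re.IGNORECASE)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash each watched file (None when the file is absent)."""
    baseline = {}
    for rel in WATCHED:
        p = os.path.join(root, rel)
        baseline[rel] = sha256_file(p) if os.path.isfile(p) else None
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree to the baseline; return (path, finding) tuples."""
    findings = []
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current[rel]
        if old != new:
            kind = "removed" if new is None else "added" if old is None else "modified"
            findings.append((rel, kind))
        # Content heuristic for the theme header, independent of the hash result.
        if new is not None and rel.endswith("header.php"):
            with open(os.path.join(root, rel), "r", errors="replace") as f:
                if SUSPECT_RE.search(f.read()):
                    findings.append((rel, "suspicious-code"))
    return findings


def demo():
    """Build a throwaway WordPress-like tree, baseline it, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    try:
        cron = os.path.join(root, "wp-cron.php")
        header = os.path.join(root, "wp-content/themes/demo-theme/header.php")
        os.makedirs(os.path.dirname(header))
        with open(cron, "w") as f:
            f.write("<?php\n// constructed stand-in for the real wp-cron.php\n")
        with open(header, "w") as f:
            f.write("<!DOCTYPE html>\n<head><?php wp_head(); ?></head>\n")
        baseline = build_baseline(root)
        if check_integrity(root, baseline):
            raise RuntimeError("clean tree must produce no findings")
        # Constructed tampering of the kind the article describes: an altered
        # wp-cron.php and a base64-decoded script URL dropped into header.php.
        with open(cron, "a") as f:
            f.write("// extra lines appended after the baseline was taken\n")
        with open(header, "a") as f:
            f.write('<script src="<?php echo base64_decode(\'...\'); ?>"></script>\n')
        return check_integrity(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:16} {path}")
```

In practice the baseline should be taken right after a clean install or update and stored off the web server, and the check run from cron or a monitoring agent rather than from WordPress itself, since the malware described here already controls the site's own scheduler.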

Image credit: Primakov / Shutterstock.com