Sneaky WordPress Malware Disguised as Anti-Malware Plugin

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides itself, and even modifies core files like wp-cron.php for persistence. Stay protected.
Security researchers at Wordfence recently uncovered a tricky piece of malware targeting WordPress websites. This malicious software is designed to look like a genuine anti-malware plugin, often appearing in the file system with names such as ‘WP-antymalwary-bot.php’.
According to the Wordfence Threat Intelligence Team’s technical blog post, this fake plugin contains several dangerous capabilities. Among other things, it allows attackers to control an infected website, hide the plugin from the WordPress admin dashboard, and execute malicious code remotely. It also has a “pinging” function that reports back to a command-and-control (C&C) server, spreads copies of itself into other directories, and injects harmful JavaScript, which is then used to display unwanted advertisements.
Further analysis revealed that the malware uses a check_plugin GET parameter for status checks and, more dangerously, an emergency_login GET parameter that grants immediate admin access when the expected password is supplied. It also uses the WordPress REST API for remote code execution: a POST request to execute_admin_command can clear caches or inject PHP code into theme headers. A hide_plugin_from_list function conceals the plugin from the admin dashboard.
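The request-level indicators above (the check_plugin and emergency_login GET parameters and the execute_admin_command REST action) are the kind of thing a site owner can look for in web server access logs. The following is an added example written for this article, not code from Wordfence or from the malware; it parses combined-format log lines and flags requests carrying those indicators. The sample log lines are constructed, the REST route prefix (/wp-json/example/v1/) in them is an assumption since the article names only the action, and the emergency_login value is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators drawn from the article: the check_plugin and emergency_login
# GET parameters and the execute_admin_command REST action. The REST route
# prefix in the sample log is an assumption; the article names only the action.
SUSPICIOUS_PARAMS = ("check_plugin", "emergency_login")
SUSPICIOUS_PATH_TOKENS = ("execute_admin_command",)

# Apache/nginx "combined" access-log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return the indicator labels matched by one request target (path + query)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = [f"param:{p}" for p in SUSPICIOUS_PARAMS if p in params]
    hits += [f"path:{tok}" for tok in SUSPICIOUS_PATH_TOKENS if tok in parts.path]
    return hits


def scan_log(lines):
    """Parse access-log lines and return one finding per request that matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_request(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
                "indicators": hits,
            })
    return findings


def count_by_ip(findings):
    """Aggregate findings per source address, to prioritise which hosts to investigate."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log: addresses are from documentation ranges, and the
# emergency_login value is a placeholder, not a real credential.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2025:10:01:02 +0000] "GET /?check_plugin=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2025:10:01:09 +0000] "GET /?emergency_login=PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Apr/2025:10:02:30 +0000] "POST /wp-json/example/v1/execute_admin_command HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.4 - - [23/Apr/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Apr/2025:10:03:05 +0000] "GET /?p=12 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["ip"], f["method"], f["target"], "->", ", ".join(f["indicators"]))
    print(count_by_ip(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a 302 on an emergency_login request is worth particular attention, since a redirect after that parameter is consistent with a login having succeeded, whereas the parameter appearing at all is the real signal.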
The malware often comes with a modified wp-cron.php file that reactivates the plugin if it is removed: even when the plugin file is deleted, the malicious code in wp-cron.php reinstalls it on the next site visit, ensuring persistence.
An updated version reports to a C&C server at 45.61.136.85 and handles code injection differently, fetching from a remote ads.php file and injecting JavaScript into the site header. It also stores ad server URLs, apparently for future use.
Initial infection likely occurs via wp-cron.php, possibly through compromised hosting or FTP credentials. The malware has been seen under names like WP-antymalwary-bot.php and addons.php.
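Because the persistence lives in a modified core file, deleting the plugin file alone is not a cleanup; wp-cron.php has to be checked as well. The following is an added example for this article, not Wordfence's scanner or signature: it verifies wp-cron.php against a SHA-256 reference hash (assumed to be taken from a clean copy of the same WordPress version), flags PHP files carrying the names reported above, and flags files containing two or more of the strings the article associates with the plugin's code. The demo site it builds in a temporary directory is constructed and contains only those strings, not the malware; name and string matches are triage hints to inspect, not verdicts (addons.php in particular is a plausible name for a legitimate file).

```python
import hashlib
import tempfile
from pathlib import Path

# File names the article reports for the dropped plugin file (compared case-insensitively).
KNOWN_NAMES = {"wp-antymalwary-bot.php", "addons.php"}
# Strings the article associates with the fake plugin's code. Two or more in one
# file is treated as worth a look; this is a triage heuristic, not the Wordfence signature.
CONTENT_INDICATORS = ("emergency_login", "execute_admin_command",
                      "hide_plugin_from_list", "check_plugin")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_site(root, wp_cron_reference_sha256):
    """Return (kind, relative_path) findings for the WordPress install under root.

    wp_cron_reference_sha256 is assumed to come from a clean wp-cron.php of the
    same WordPress version (for example a fresh download of that release)."""
    root = Path(root)
    findings = []
    cron = root / "wp-cron.php"
    if not cron.is_file():
        findings.append(("core-file-missing", "wp-cron.php"))
    elif sha256_file(cron) != wp_cron_reference_sha256:
        findings.append(("core-file-modified", "wp-cron.php"))
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in KNOWN_NAMES:
            findings.append(("known-malware-name", rel))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        matched = [tok for tok in CONTENT_INDICATORS if tok in text]
        if len(matched) >= 2:
            findings.append(("indicator-strings:" + ",".join(matched), rel))
    return findings


def build_demo_site():
    """Create a constructed, minimal WordPress-like tree in a temp dir; return (root, reference_hash).

    The wp-cron.php content is a stand-in, not real WordPress core code."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-demo-"))
    cron = root / "wp-cron.php"
    cron.write_text("<?php\n// constructed stand-in for core wp-cron.php\ndo_action('wp_cron');\n")
    plugins = root / "wp-content" / "plugins"
    (plugins / "hello").mkdir(parents=True)
    (plugins / "hello" / "hello.php").write_text("<?php\n// benign plugin\n")
    # Constructed stand-in for the fake plugin file: only indicator strings, no functional code.
    (plugins / "WP-antymalwary-bot.php").write_text(
        "<?php\n// demo: emergency_login, execute_admin_command, hide_plugin_from_list\n"
    )
    return root, sha256_file(cron)


def tamper_cron(root):
    """Simulate the persistence modification by appending a line to wp-cron.php."""
    with open(Path(root) / "wp-cron.php", "a") as fh:
        fh.write("// appended line standing in for injected reinstaller code\n")


if __name__ == "__main__":
    site, ref = build_demo_site()
    for kind, rel in audit_site(site, ref):
        print(f"{kind}: {rel}")
    tamper_cron(site)
    print("after tampering:", audit_site(site, ref))
```

On a real site, point audit_site at the document root and supply the hash of a known-good wp-cron.php for the installed version; a hash mismatch means the file should be replaced from a clean release, not just edited, and the same check extends naturally to the other core files.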
According to the company’s blog post, the issue was discovered on January 22, 2025, during a website cleanup performed by a Wordfence security analyst, after which a specific malware signature (a unique identifier for the malicious code) was released.
Since then, many new versions of this malware have emerged, but Wordfence confirms that their original signature from January is still effective at detecting them. To provide an extra layer of security, a firewall rule (a set of instructions to block malicious activity) was released on April 23, 2025, for Wordfence Premium, Care, and Response users, preventing the execution of the malware file. Free Wordfence users will receive this additional protection on May 23, 2025.
This WordPress malware, cleverly disguised as a security plugin, demonstrates the persistent and increasingly sophisticated threats targeting website owners. Its advanced persistence mechanism makes thorough cleanup crucial for affected websites. Lastly, website owners are strongly advised to stay informed about emerging threats, utilize reputable security plugins, and ensure timely updates to protect their sites effectively.
HackRead