Cybercriminals are getting more creative, especially when it comes to attacking WordPress. One of the most deceptive tactics involves disguising malware as a legitimate plugin. But this recent case, uncovered by the Wordfence team, took that tactic to a whole new level.
A fake plugin named “WP-antymalwary-bot.php” infiltrated sites as a simple PHP file. Once installed, it immediately vanished from the admin panel—completely invisible to site owners. Despite its quiet appearance, the plugin packed a dangerous toolkit: remote code execution, login bypass, JavaScript injection, theme file tampering, and even a self-repairing function. Delete it? No problem—it would reinstall itself the next time someone visited the site, thanks to a compromised wp-cron.php file.
Even more disturbing was the presence of an “emergency login” backdoor. With a single GET request and a known password, hackers could hijack the first admin account available—silent but not entirely clean, as traces lingered in the logs and eventually tipped off researchers.
How the Malicious WordPress Code Operated
The infection chain began with wp-cron.php, which the malware exploited to grow its influence. It injected arbitrary PHP code into every theme’s header.php, cleared caches, and maintained regular contact with its command and control server at 45.61.136.85. This connection enabled attackers to track and potentially control a network of infected sites in real time.
The malware evolved quickly. It used WordPress’ built-in scheduler to exchange data with its C2 server at set intervals. Worse yet, it harvested malicious JavaScript from other compromised sites and embedded it directly into HTML pages, spreading infection while staying under the radar.
Experts were especially surprised by how clean and well-organized the code was. It had proper formatting, clear descriptions, and looked almost like a real, legitimate plugin—not something slapped together. This kind of polished style has been seen before, especially in attacks using AI-generated code. The new plugin shared similar traits, like unfinished features and the ability to grow more powerful over time.
The malicious code showed up under different names, such as “addons.php”, “wpconsole.php”, “scr.php”, and “wp-performance-booster.php”. You can spot it by checking for changes in “wp-cron.php”, looking for the “emergency_login” parameter in logs, or noticing edits in theme files. Learn more about cybersecurity updates here.
