
Fake WordPress Security Plugin Grants Hackers Remote Admin Access


A new malware campaign targeting WordPress sites has been uncovered, disguising itself as a legitimate security plugin named “WP-antymalwary-bot.php,” among other aliases, according to a report by The Hacker News. First detected in January 2025 by Wordfence researchers during a site cleanup, this sophisticated malware grants attackers remote admin access, posing a severe threat to WordPress site owners.

Details of the Malware Campaign

The malicious plugin, which also appears under names like “addons.php,” “wpconsole.php,” “wp-performance-booster.php,” and “scr.php,” is designed to blend seamlessly into a WordPress environment. Once installed and activated, it provides cybercriminals with a range of dangerous capabilities:

  • Remote Admin Access: The plugin grants attackers full administrator access to the WordPress dashboard, allowing them to control the site.
  • Remote Code Execution: It leverages the WordPress REST API to inject malicious PHP code into the site’s theme header file or clear caches of popular caching plugins.
  • Persistence Mechanisms: A tampered “wp-cron.php” file ensures the malware is recreated and reactivated on the next site visit, even if removed from the plugins directory.
  • Ad Injection: The malware injects malicious JavaScript to serve unwanted ads, potentially stealing ad revenue from site owners using platforms like Google AdSense.
  • Command-and-Control (C&C) Communication: It pings a C&C server, likely located in Cyprus, to report infections and receive further instructions.

Newer variants of the malware have evolved, fetching JavaScript from compromised domains to deliver ads or spam. Russian-language comments in the code suggest that the perpetrators may be Russian-speaking, though the exact infection vector—possibly compromised hosting accounts or FTP credentials—remains unclear.

The Broader Threat Landscape

This campaign is part of a larger wave of attacks targeting content management systems. The Hacker News report also highlights a Sucuri investigation into a web skimmer campaign using a fake domain, “italicfonts[.]org,” to steal payment information via fraudulent checkout forms on Magento e-commerce sites. Additionally, attackers have been observed injecting Google AdSense code into WordPress sites and deploying deceptive CAPTCHA verifications that install Node.js-based backdoors, as noted by Trustwave SpiderLabs.

These incidents underscore the growing sophistication of cybercriminals, who exploit trusted platforms to deliver malware, steal sensitive data, and generate illicit revenue. WordPress, powering over 40% of websites, remains a prime target due to its widespread use and reliance on plugins.

How Soluify® Protects Your WordPress Site

Soluify® offers robust cybersecurity solutions to safeguard WordPress sites from threats like this fake security plugin. Our tools are designed to detect, prevent, and mitigate such attacks, ensuring your site remains secure. Key protections include:

  • Advanced Malware Scanning: Soluify®’s AI-powered scanners detect malicious plugins and files, including those disguised as legitimate tools, before they can cause harm.
  • Real-Time Threat Monitoring: Our systems monitor your site for suspicious activity, such as unauthorized admin access or code injections, and respond instantly.
  • Web Application Firewall (WAF): Soluify®’s WAF blocks malicious traffic and prevents exploits targeting REST APIs or vulnerable plugins.
  • Secure Backup and Recovery: Automated, encrypted backups allow you to restore your site to a clean state if an attack occurs, minimizing downtime and data loss.

What You Can Do to Stay Safe

To protect your WordPress site from this and similar threats, consider these steps:

  1. Install Plugins from Trusted Sources: Only download plugins from the official WordPress Plugin Repository or reputable developers.
  2. Regularly Update Software: Keep WordPress core, themes, and plugins updated to patch known vulnerabilities.
  3. Monitor for Suspicious Activity: Use security plugins like Wordfence or Sucuri to scan for malware and track unauthorized changes.
  4. Enable Two-Factor Authentication (2FA): Add an extra layer of security to your admin accounts to prevent unauthorized access.
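A defender-side check that covers two points from this post: the plugin filenames the Wordfence report lists (see the capabilities section above) and the tampered wp-cron.php used for persistence. This is an added example, not code from Soluify, Wordfence or The Hacker News; it assumes you can supply a known-good wp-cron.php from a fresh download of the same WordPress version, and the demo tree it builds is constructed sample data, not a real site.

```python
import hashlib
import tempfile
from pathlib import Path

# Plugin filenames named in the report summarised above (matched case-insensitively).
SUSPICIOUS_NAMES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def scan_wordpress(root, reference_wp_cron):
    """Return (category, relative_path) findings for the WordPress install at `root`.

    `reference_wp_cron` is a known-good wp-cron.php for the same core version
    (assumption: the operator obtains it from an official download); any hash
    mismatch with the site's copy is reported, since the campaign relies on a
    modified wp-cron.php to recreate the plugin on the next visit."""
    root = Path(root)
    findings = []
    plugins = root / "wp-content" / "plugins"
    if plugins.is_dir():
        for path in plugins.rglob("*.php"):
            if path.name.lower() in SUSPICIOUS_NAMES:
                findings.append(("suspicious-plugin-file", path.relative_to(root).as_posix()))
    cron = root / "wp-cron.php"
    if cron.is_file() and sha256_of(cron) != sha256_of(reference_wp_cron):
        findings.append(("wp-cron-modified", "wp-cron.php"))
    return findings


def build_demo_site():
    """Build a throwaway WordPress-like tree (constructed data) plus a pristine wp-cron.php."""
    ref = Path(tempfile.mkdtemp()) / "wp-cron.php"
    ref.write_text("<?php // pristine core file (constructed)\n")
    site = Path(tempfile.mkdtemp())
    benign = site / "wp-content" / "plugins" / "seo-helper"
    benign.mkdir(parents=True)
    (benign / "seo-helper.php").write_text("<?php // benign plugin (constructed)\n")
    (site / "wp-content" / "plugins" / "wp-performance-booster.php").write_text("<?php // placeholder\n")
    (site / "wp-cron.php").write_text(ref.read_text() + "// extra bytes simulating tampering (constructed)\n")
    return str(site), str(ref)


if __name__ == "__main__":
    site, ref = build_demo_site()
    for category, path in scan_wordpress(site, ref):
        print(f"{category}: {path}")
```

Run it against a real install with `scan_wordpress("/var/www/html", "/path/to/pristine/wp-cron.php")`; a clean site returns an empty list.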

The fake WordPress security plugin campaign is a stark reminder of the need for vigilance in managing website security. Soluify® is committed to helping you stay ahead of such threats. For more information on our cybersecurity solutions, visit www.soluify.com.

Source:
https://thehackernews.com/2025/05/fake-security-plugin-on-wordpress.html


About Soluify®
Soluify® is a leading provider of cybersecurity solutions, empowering businesses to protect their digital assets with advanced, AI-driven tools tailored to their needs.
