A dangerous new malware campaign is targeting WordPress websites by disguising itself as a harmless security plugin. Once installed, it silently gives hackers full control of the site while remaining hidden from the admin dashboard.

Researchers at Wordfence discovered the malware during a routine site cleanup in January 2025. They noticed a suspicious modification in the ‘wp-cron.php’ file—WordPress’s built-in task scheduler. This file had been changed to automatically install a fake plugin called ‘WP-antymalwary-bot.php’ whenever someone visited the site.

The plugin isn’t visible in the usual plugin list, making it hard for site owners to detect. Even if the plugin is deleted manually, the altered wp-cron.php file brings it right back during the next site visit.

Other fake plugin names used in the campaign include:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php

So far, it’s unclear how the malware gets in. Wordfence suspects it might be through compromised hosting accounts or FTP credentials. There’s also evidence linking the attack to a possible supply chain breach from mid-2024. The command-and-control (C2) server used by the attackers is based in Cyprus.

Once installed, the malicious plugin performs a quick self-check and grants attackers admin access using a hidden function called emergency_login_all_admins. By passing a specific URL parameter and password, the attackers can log in as any admin user on the site—no need for actual login credentials.

From there, the plugin creates a custom REST API route that allows hackers to insert PHP code into WordPress theme files, wipe plugin caches, and run other commands remotely. The latest version of the malware also injects JavaScript code into the site’s <head> section—most likely to show ads, spam, or redirect visitors to harmful websites.


If you’re running a WordPress site, keep an eye out for:

  • Suspicious files like wp-antymalwary-bot.php, addons.php, or changes to wp-cron.php
  • Unexpected code in your theme’s header.php file
  • Logs showing keywords like emergency_login, check_plugin, urlchange, or key

These are strong signs your site may be compromised and should be investigated immediately.
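As an added example (not Wordfence's tooling or the article's own code), the script below checks a WordPress tree for the file and wp-cron.php indicators listed above and scans access-log lines for the named keywords. The directory layout, the tampered wp-cron.php and the log lines are constructed for illustration, and treating the keywords as query-parameter names (rather than bare substrings) is an assumption made to cut noise on a generic word like "key".

```python
import re
import tempfile
from pathlib import Path

# File names the article associates with this campaign (matched case-insensitively).
SUSPICIOUS_FILES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                    "wp-performance-booster.php", "scr.php"}
# Keywords the article says to look for in logs; assumed here to appear as query-parameter names.
LOG_PARAMS = ("emergency_login", "check_plugin", "urlchange", "key")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)

def scan_wp_root(root):
    """Report indicator files under root and any wp-cron.php line that loads one of them."""
    root = Path(root)
    findings = {"suspicious_files": [], "cron_loader_lines": []}
    for path in root.rglob("*.php"):
        if path.name.lower() in SUSPICIOUS_FILES:
            findings["suspicious_files"].append(path.relative_to(root).as_posix())
    cron = root / "wp-cron.php"
    if cron.is_file():
        for n, line in enumerate(cron.read_text(errors="replace").splitlines(), 1):
            # wp-cron.php runs on site visits; an include/require of a plugin file is not part
            # of the stock scheduler and matches the re-installation behaviour the article describes.
            if INCLUDE_RE.search(line) and any(f in line.lower() for f in SUSPICIOUS_FILES):
                findings["cron_loader_lines"].append((n, line.strip()))
    findings["suspicious_files"].sort()
    return findings

def scan_access_log(lines):
    """Return (line_no, param) for requests whose query string carries an indicator parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        query = line.split("?", 1)[1].split(" ", 1)[0] if "?" in line else ""
        for p in LOG_PARAMS:
            if re.search(rf"(?:^|&){re.escape(p)}=", query):
                hits.append((n, p))
    return hits

def build_sample_site():
    """Constructed sample tree: a dropped addons.php and a wp-cron.php altered to require it."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "addons.php").write_text("<?php // constructed stub\n")
    (root / "wp-cron.php").write_text("<?php\n/* stock scheduler code would be here */\n"
                                      "require_once 'wp-content/plugins/addons.php';\n")
    return root

# Constructed access-log lines: line 2 and 4 carry indicator parameters, line 3 only a lookalike path.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2025:10:00:01] "GET /wp-login.php HTTP/1.1" 200 -',
    '203.0.113.5 - - [01/Feb/2025:10:00:02] "GET /?emergency_login=1&key=REDACTED HTTP/1.1" 302 -',
    '203.0.113.5 - - [01/Feb/2025:10:00:03] "GET /wp-content/themes/t/keyboard.js HTTP/1.1" 200 -',
    '203.0.113.5 - - [01/Feb/2025:10:00:04] "GET /?check_plugin=1 HTTP/1.1" 200 -',
]
```

A hit from either function is a starting point for a manual review of the file or request, not proof of compromise on its own.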