Fake Security Plugin on WordPress Opens Backdoor for Attackers to Control Sites

Bisma Farrukh

Cybersecurity researchers have uncovered a new malware campaign targeting WordPress websites. In this campaign, attackers disguise malicious software as a legitimate security plugin.
The malware, posing as a plugin named “WP-antimalware-bot.php,” has features that allow it to maintain persistent access, evade detection in the admin dashboard, and execute remote code. According to a report by Wordfence’s Marco Wotschka, the plugin includes pinging functions that communicate with a command-and-control (C&C) server, spread malware to other directories, and inject malicious JavaScript used to serve unwanted ads.
Initially discovered in late January 2025 during a routine site cleanup, the malware has since evolved, with several variants surfacing under different names, such as:
- addons.php
- wpconsole.php
- wp-performance-booster.php
- scr.php
Once activated, the plugin grants attackers administrator access and leverages the WordPress REST API to inject malicious PHP code into theme header files remotely. It can also manipulate cache plugins to entrench itself further within the site.
A newer malware version fetches external JavaScript hosted on other compromised domains to deliver spam or ads. It’s often accompanied by a rogue wp-cron.php file, which automatically reinstalls the malware on the next site visit, even if it has been removed.
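The behaviour described above (rogue plugin files under known names, a stray wp-cron.php that reinstalls the malware, and PHP injected into theme header files) can be turned into a simple file-system check for site owners. The scanner below is an added example, not code from the report or from Wordfence; the rogue file names come from the article, while the obfuscation-call patterns, the assumption that the only legitimate wp-cron.php sits at the site root, and the constructed sample tree are this example's own.

```python
"""Scan a WordPress tree for the indicators named in the report.

Added example. ROGUE_NAMES is taken from the article; the regex heuristics
and the sample directory layout are constructed assumptions.
"""
import re
import tempfile
from pathlib import Path

# File names the report says the fake plugin has appeared under.
ROGUE_NAMES = {
    "wp-antimalware-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}

# Constructed heuristic: calls commonly seen in obfuscated PHP injections.
SUSPICIOUS_PHP = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def scan_wordpress(root):
    """Return sorted (finding_type, relative_path) tuples for a WordPress root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in ROGUE_NAMES:
            findings.append(("rogue_plugin_name", rel))
        # Assumption: a legitimate wp-cron.php exists only at the site root,
        # so any copy elsewhere matches the "rogue wp-cron.php" the report describes.
        if name == "wp-cron.php" and path.parent != root:
            findings.append(("rogue_wp_cron", rel))
        # The report says PHP was injected into theme header files via the REST API.
        if name == "header.php" and "wp-content/themes/" in rel:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if SUSPICIOUS_PHP.search(text):
                findings.append(("injected_header_code", rel))
    return sorted(findings)


def build_sample_site(base):
    """Create a constructed WordPress-like tree: two clean files, three indicators."""
    base = Path(base)
    files = {
        "wp-cron.php": "<?php // legitimate cron entry point\n",
        "wp-content/plugins/hello/hello.php": "<?php // benign plugin\n",
        "wp-content/plugins/wp-antimalware-bot.php": "<?php // fake security plugin\n",
        "wp-content/plugins/cache/wp-cron.php": "<?php // rogue reinstaller copy\n",
        "wp-content/themes/twentytwentyfour/header.php":
            "<?php echo 'x'; eval(base64_decode('aGk=')); ?>\n",
    }
    for rel, body in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base


def demo():
    """Run the scanner over the constructed sample and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress(build_sample_site(tmp))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:22} {rel}")
```

Run it against a real install by calling `scan_wordpress("/var/www/html")` (path is an assumption). A clean file under a rogue name is still worth a look, since the report notes the plugin hides itself from the admin dashboard, so the file listing is often the only place it shows up.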
The method of initial compromise remains unclear, but Russian-language comments in the code suggest the attackers may be Russian-speaking.
This disclosure comes amid other troubling campaigns:
- Fake Font Skimmer: Sucuri has identified a skimming operation using a spoofed domain (italicfonts[.]org) to display counterfeit payment forms during checkout, capturing user data and transmitting it to an attacker-controlled server.
- Magento Attacks: Another sophisticated campaign targets Magento e-commerce sites using JavaScript malware hidden in fake GIF files. These files function as reverse proxies, collecting sensitive data like credit card info, login credentials, cookies, and more via tampered site traffic and browser session data.
- Ad Injection Campaign: At least 17 WordPress sites with injected Google AdSense code have been found. The goal: serve unauthorized ads and divert potential ad revenue from site owners to the attackers. “They’re essentially hijacking your ad income,” said security researcher Puja Srivastava.
- Deceptive CAPTCHA Attacks: Trustwave SpiderLabs has reported attackers using fake CAPTCHA prompts to trick users into downloading Node.js-based backdoors. These malware variants collect system information, provide remote access, and tunnel traffic through SOCKS5 proxies. The campaign, linked to a traffic distribution system known as Kongtuke (also called 404 TDS, Chaya_002, LandUpdate808, and TAG-124), employs JavaScript-based backdoors capable of reconnaissance, command execution, and persistent access.
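Several of the campaigns above (the fake-font skimmer and the AdSense injection in particular) share one observable on the victim site: a `<script src>` pointing at a host the site owner never approved. The check below is an added example, not code from Sucuri or the other researchers cited; the allowlist and the sample checkout page are constructed, and the skimmer domain is the report's own indicator (italicfonts[.]org), written undefanged so the parser sees it as a real URL.

```python
"""Flag <script src> hosts on a page that are not on the site owner's allowlist.

Added example. The allowlist and sample HTML are constructed; italicfonts.org
is the spoofed font domain named in the report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the shop's own origin and its CDN.
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdn.example-shop.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for key, value in attrs:
                if key.lower() == "src" and value:
                    self.srcs.append(value)


def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return the sorted set of external script hosts not in the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = set()
    for src in parser.srcs:
        # Relative and absolute-path sources have no netloc and are same-origin.
        host = urlparse(src).netloc.lower()
        if host and host not in allowed:
            flagged.add(host)
    return sorted(flagged)


# Constructed checkout page: two legitimate scripts, one injected skimmer
# loader, and one injected ad tag the owner never added.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/assets/checkout.js"></script>
<script src="https://cdn.example-shop.test/vendor.js"></script>
<script src="https://italicfonts.org/font.js"></script>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</head><body><form id="payment"></form></body></html>
"""


def demo():
    return unexpected_script_hosts(SAMPLE_CHECKOUT_HTML)


if __name__ == "__main__":
    for host in demo():
        print("unexpected script host:", host)
```

This only inspects static markup, so a loader that creates script elements at runtime will not appear; pairing the check with a Content-Security-Policy `script-src` built from the same allowlist catches those at the browser, and the report's GIF-disguised Magento payload would likewise only surface through its loading tag or a CSP violation report.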
As these campaigns show, attackers are increasingly blending technical sophistication with deceptive social engineering to compromise websites, steal data, or monetize user traffic.