
Cybersecurity News: Malicious WordPress Plugin Grants Hackers Full Control

cybersecurity news May 06, 2025

A recent cybersecurity alert has unveiled a malware campaign targeting WordPress websites. Posing as a security plugin under the filename "WP-antymalwary-bot.php," the malicious code grants attackers administrative access, letting them execute code remotely, inject unwanted advertisements, and keep persistent control over compromised sites. Notably, the malware uses stealth techniques to evade detection: it hides itself from the admin dashboard and re-creates itself if removed. The campaign, active since January 2025, underscores the need for careful plugin management and file-integrity monitoring on the part of WordPress site administrators.


Stealthy Infiltration and Persistence

First identified during a site cleanup in January 2025, the malware uses several tactics to evade detection and persist:

  • Dashboard Concealment: The plugin hides itself from the WordPress admin dashboard, making it less likely for administrators to notice its presence.

  • Automatic Reactivation: If the plugin is removed, a modified wp-cron.php file re-creates and reactivates it on the next site visit. Because wp-cron.php is a core file that WordPress runs on ordinary page loads, no attacker interaction is needed to trigger the reinfection.

  • Alternate Identities: The malware may appear under different filenames, such as addons.php, wpconsole.php, wp-performance-booster.php, and scr.php.


Malicious Activities and Impact

Once active, the plugin enables attackers to:

  • Execute Remote Code: Expose a REST API route through which attackers inject malicious PHP into theme files (notably the header file) or clear the caches of popular caching plugins so the injected content is served immediately.

  • Inject Advertisements: Insert ad code (Google AdSense) into various locations on the site so that the ad revenue goes to the attackers.

  • Spread Malware: Propagate malicious code to other directories within the site.

  • Communicate with C&C Servers: Periodically "ping" a command-and-control server to report the infected site, which lets the operators track victims and push further malicious activity.


Indicators of Compromise

Administrators should be vigilant for the following signs:

  • Unfamiliar Plugins: Plugins or plugin files named WP-antymalwary-bot.php or one of its variants (addons.php, wpconsole.php, wp-performance-booster.php, scr.php), especially ones that appear on disk in wp-content/plugins/ but not in the dashboard plugin list.

  • Modified Core Files: Changes to wp-cron.php, or unexpected PHP or JavaScript in theme header files.

  • Unexpected Advertisements: Sudden appearance of ads or redirects not configured by the site owner.
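As an added example (not code from the article or from the researchers it summarizes), the script below hunts for the first two indicators on disk: it walks wp-content/ in a WordPress install, flags any file whose basename matches one of the variant names listed above, and applies a few content heuristics. The filenames come from the article; the regexes are generic tells chosen here (the all_plugins filter is the WordPress hook a plugin would use to drop itself from the admin plugin list, and a REST route with permission_callback set to __return_true is reachable without authentication), not indicators taken from the report. The sample site it scans is constructed in a temporary directory and contains only hook registrations, no payload.

```python
"""Hunt for the indicators listed in the article inside a WordPress tree.

Added example, not code from the page or the report it summarizes.
Assumptions (labelled): standard layout (wp-content/plugins, wp-content/themes);
SUSPICIOUS_PATTERNS are generic heuristics, not report IoCs, and need triage
because legitimate plugins can trip them; the sample site is constructed here.
"""
import os
import re
import tempfile

# Variant filenames named in the article; matched case-insensitively on basename.
KNOWN_MALICIOUS_BASENAMES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
    "scr.php",
}

# Content heuristics (assumption: generic tells, not indicators from the report).
SUSPICIOUS_PATTERNS = {
    "hides from plugin list (all_plugins filter)":
        re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "unauthenticated REST route (permission_callback => __return_true)":
        re.compile(r"register_rest_route[\s\S]{0,400}?__return_true"),
    "eval() of an encoded payload":
        re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"),
    "writes to wp-cron.php":
        re.compile(r"file_put_contents[^;]{0,200}wp-cron\.php"),
}


def scan_site(root):
    """Return a list of (relative_path, reason) findings for everything under wp-content/."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "wp-content")):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in KNOWN_MALICIOUS_BASENAMES:
                findings.append((rel, "filename matches a variant named in the report"))
            if not name.lower().endswith(".php"):
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            for reason, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(body):
                    findings.append((rel, reason))
    return findings


def build_sample_site(root):
    """Constructed WordPress tree: a benign plugin, a theme header, and a rogue
    single-file plugin that only registers the hooks a concealed plugin with an
    open REST route would need (no payload; this is a test fixture)."""
    plugins = os.path.join(root, "wp-content", "plugins")
    theme = os.path.join(root, "wp-content", "themes", "twentytwentyfive")
    os.makedirs(os.path.join(plugins, "hello-dolly"))
    os.makedirs(theme)
    with open(os.path.join(plugins, "hello-dolly", "hello.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/* Plugin Name: Hello Dolly */\nadd_action('admin_notices', 'hello_dolly');\n")
    with open(os.path.join(plugins, "WP-antymalwary-bot.php"), "w", encoding="utf-8") as fh:
        fh.write(
            "<?php\n/* Plugin Name: WP Anti-Malware Bot (constructed fixture) */\n"
            "add_filter('all_plugins', function ($p) { unset($p[plugin_basename(__FILE__)]); return $p; });\n"
            "add_action('rest_api_init', function () {\n"
            "  register_rest_route('x/v1', '/run', ['callback' => 'x_run', 'permission_callback' => '__return_true']);\n"
            "});\n"
        )
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
        fh.write("<!DOCTYPE html><html><head><?php wp_head(); ?></head>\n")


def run_demo():
    """Build the constructed site, scan it, and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return sorted(scan_site(root))


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

On a real install, point scan_site() at the WordPress root and review each hit by hand: the filename matches are high-confidence, while the content heuristics are a starting point for triage rather than a verdict.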


Recommended Actions

To mitigate the threat and secure WordPress sites:

  1. Audit Plugins: Regularly review installed plugins and remove any that are unrecognized or unnecessary.

  2. Monitor File Changes: Use file-integrity monitoring (a security plugin, or a hash baseline stored outside the web root) to detect unauthorized modifications to core, plugin, and theme files.

  3. Update Regularly: Keep WordPress core, plugins, and themes on the latest patched versions.

  4. Implement Security Measures: Deploy a web application firewall, a malware scanner, and intrusion detection to block and surface attacks.

  5. Educate Administrators: Train site managers to recognize phishing attempts and the importance of verifying plugin sources.
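Step 2 above is the control that would have caught this campaign's persistence mechanism, so here is an added example of the minimal version of it (not code from the article or from any WordPress project): a hash manifest of wp-cron.php and everything under wp-content/plugins and wp-content/themes, taken from a known-clean install and compared against the live tree later. Assumptions, labelled as such: the baseline is captured right after deploying from a verified package, the manifest is kept outside the web root, and the sample tree plus the simulated tampering (an appended comment in wp-cron.php and a dropped file named addons.php) are constructed here with no real payload.

```python
"""Minimal file-integrity baseline for the files the article says this campaign touches.

Added example, not code from the page or from WordPress. Assumptions (labelled):
baseline taken from a known-clean install; manifest stored outside the web root;
standard WordPress layout; sample tree and tampering are constructed here.
"""
import hashlib
import os
import tempfile

WATCHED_FILES = ("wp-cron.php",)                             # core file the campaign modifies
WATCHED_DIRS = ("wp-content/plugins", "wp-content/themes")  # where variants and header.php live


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for the watched core file(s) and every file
    under the watched directories. Relative paths use '/' so the manifest is
    portable between hosts."""
    manifest = {}
    for rel in WATCHED_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            manifest[rel] = sha256_file(path)
    for d in WATCHED_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, d)):
            for name in files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(path)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    """Helper for the constructed fixture: write text to root/rel, creating dirs."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def simulate_campaign(root):
    """Constructed stand-in for what the article describes: wp-cron.php gains an
    appended block and a rogue plugin file appears. No real payload is written."""
    with open(os.path.join(root, "wp-cron.php"), "a", encoding="utf-8") as fh:
        fh.write("\n// <constructed> attacker-appended block that would re-create the plugin\n")
    _write(root, "wp-content/plugins/addons.php", "<?php /* constructed rogue plugin stub */\n")


def run_demo():
    """Build a clean constructed tree, baseline it, tamper with it, and return the drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-cron.php", "<?php\n// constructed stand-in for WordPress core wp-cron.php\n")
        _write(root, "wp-content/plugins/hello-dolly/hello.php", "<?php /* constructed benign plugin */\n")
        _write(root, "wp-content/themes/twentytwentyfive/header.php",
               "<!DOCTYPE html><html><head><?php wp_head(); ?></head>\n")
        baseline = build_manifest(root)
        # In production: persist `baseline` (e.g. as JSON) outside the web root,
        # then run build_manifest() + diff_manifests() from system cron and alert on drift.
        simulate_campaign(root)
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(run_demo())
```

Re-baseline only after a legitimate update, and treat any drift in wp-cron.php or any new top-level .php file in wp-content/plugins as an incident rather than noise: neither changes on its own between updates.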

By staying informed and proactive, WordPress site administrators can defend against such sophisticated malware campaigns and maintain the integrity of their websites.


Source: The Hacker News
