Security researchers at Wordfence have uncovered a dangerous malware campaign targeting WordPress websites.

Disguised as a legitimate anti-malware plugin with names like WP-antymalwary-bot.php, the malicious software grants attackers backdoor access, hides itself from the WordPress admin dashboard, and remotely executes harmful code. It communicates with a command-and-control server, spreads through directories, and injects unwanted JavaScript ads, all while appearing as a standard plugin.

The malware uses parameters like check_plugin and emergency_login for stealthy monitoring and admin access, even allowing remote command execution through the REST API. Its persistence is especially alarming—it often modifies core files like wp-cron.php, ensuring it can reinstall itself even if removed. Some versions report back to a foreign server and inject JavaScript fetched from external sources, with ad URLs stored for future misuse.

Originally discovered on January 22, 2025, the malware was flagged during a site cleanup by Wordfence analysts. A detection signature was released immediately and remains effective, with a dedicated firewall rule rolled out to Wordfence Premium, Care, and Response users on April 23. Free users will receive the update on May 23. Website owners are urged to stay vigilant, use reputable security tools, and regularly update their systems to mitigate such evolving threats.
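A defender can sweep a WordPress document root for the indicators named above. The following is an added example, not Wordfence's detection signature or code from the campaign: it matches the plugin filename and the two parameter names as plain strings, and the `wp-cron.php` check assumes a modified copy mentions the plugin filename, which the article does not state. The sample tree is constructed for the demonstration.

```python
from pathlib import Path
import tempfile

# Indicator strings taken from the article; plain string matching is a
# heuristic assumed for this example and can produce false positives.
PLUGIN_NAME = "wp-antymalwary-bot.php"
PARAM_MARKERS = (b"emergency_login", b"check_plugin")

def scan_wordpress_tree(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".php":
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == PLUGIN_NAME:
            findings.append((rel, "filename matches fake plugin"))
        try:
            data = path.read_bytes()
        except OSError:
            findings.append((rel, "unreadable"))  # surface, do not skip silently
            continue
        for marker in PARAM_MARKERS:
            if marker in data:
                findings.append((rel, "contains " + marker.decode()))
        # Assumption: a stock wp-cron.php has no reason to name the plugin file.
        if path.name == "wp-cron.php" and PLUGIN_NAME.encode() in data.lower():
            findings.append((rel, "wp-cron.php references fake plugin"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample site: one clean plugin, two planted indicators."""
    files = {
        "wp-cron.php": "<?php // constructed\ninclude 'wp-content/plugins/WP-antymalwary-bot.php';\n",
        "wp-content/plugins/WP-antymalwary-bot.php": "<?php // constructed\n$k = $_GET['emergency_login'];\n",
        "wp-content/plugins/hello.php": "<?php // constructed clean plugin\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_wordpress_tree(tmp):
            print(rel, "->", reason)
```

A hit is a lead for manual review, not a verdict; comparing `wp-cron.php` against a clean copy from the matching WordPress release is the stronger check.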
