This Fake WordPress Plugin Can Give Hackers Full Access to Your Site


There’s new malware on the internet that disguises itself as a legitimate WordPress plugin. But in reality, it’s tricking website owners and giving full access to hackers. The malware was first identified by the Wordfence Threat Intelligence team and can hide from dashboards, execute remote code, inject malicious ads, and even reinstall itself if deleted.

Hidden in Plain Sight

The malware was first spotted in January 2025 by a Wordfence analyst during a routine site cleanup. It posed as a regular plugin, often using file names like WP-antymalwary-bot.php or wp-performance-booster.php, with a normal-looking code structure and a plugin header that appeared legitimate. But behind the scenes, it was anything but harmless.

Once installed, it allows attackers to log in as admin without detection, infects WordPress theme files with malicious JavaScript, and spreads to other parts of the site. It also hides from the plugin list in the dashboard, making it almost impossible to spot at first glance.

Persistent and Evolving

The worst part about this malware is that it can come back even if the plugin has been removed from the website. The attackers use a modified version of WordPress’s wp-cron.php file to reinstall the plugin during the next visit to the site. According to Wordfence, this makes the malware persistent and difficult to clean without a full investigation.

Moreover, in recent variants, the malware has evolved to communicate with a Command & Control (C&C) server located in Cyprus. It sends back information like the website’s URL and timestamps, allowing attackers to monitor and manage infected sites remotely.

Possible Signs of Infection

Wordfence listed a few red flags for site owners to check:

  • Suspicious plugin names like addons.php, scr.php, or wpconsole.php.
  • Unusual entries in access logs mentioning emergency_login.
  • Changes in wp-cron.php or theme header files.
  • Outbound connections to IP address 45.61.136.85.
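
The four red flags above, plus the wp-cron.php tampering described under "Persistent and Evolving", can be turned into a simple triage script. The following is an added example written for this page, not code from Wordfence or from the article; it assumes an Apache/nginx-style access log, `ss`/`netstat`-style connection lines, and a SHA-256 baseline for wp-cron.php that the administrator computes from a clean copy of the same WordPress release. All sample inputs are constructed.

```python
import hashlib
import re

# Indicators of compromise quoted from the article above.
SUSPICIOUS_PLUGIN_FILES = {
    "addons.php", "scr.php", "wpconsole.php",
    "wp-antymalwary-bot.php", "wp-performance-booster.php",
}
C2_IP = "45.61.136.85"
LOG_MARKER = "emergency_login"

# Matches dotted-quad addresses as whole tokens, so that C2_IP is never
# found as a substring of a longer address such as 145.61.136.85.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def suspicious_plugin_files(paths):
    """Return the basenames under the plugin directory that match the indicator list."""
    return sorted({p.rsplit("/", 1)[-1] for p in paths
                   if p.rsplit("/", 1)[-1].lower() in SUSPICIOUS_PLUGIN_FILES})


def emergency_login_hits(log_lines):
    """Return access-log lines that mention the emergency_login parameter."""
    return [ln for ln in log_lines if LOG_MARKER in ln]


def c2_connections(conn_lines):
    """Return connection-table lines (ss/netstat style, assumed format) whose peer is the reported C&C IP."""
    return [ln for ln in conn_lines if C2_IP in _IPV4.findall(ln)]


def core_file_tampered(content, baseline_sha256):
    """True if a core file's bytes (e.g. wp-cron.php) no longer match a known-good SHA-256.

    The baseline must be computed by the administrator from a clean copy of
    the same WordPress release; this script does not ship one.
    """
    return hashlib.sha256(content).hexdigest() != baseline_sha256


def triage(paths, log_lines, conn_lines, wp_cron_bytes, wp_cron_baseline):
    """Run all four checks and flag the site if any indicator fires."""
    findings = {
        "suspicious_plugins": suspicious_plugin_files(paths),
        "emergency_login": emergency_login_hits(log_lines),
        "c2_connections": c2_connections(conn_lines),
        "wp_cron_tampered": core_file_tampered(wp_cron_bytes, wp_cron_baseline),
    }
    findings["indicators_present"] = bool(
        findings["suspicious_plugins"] or findings["emergency_login"]
        or findings["c2_connections"] or findings["wp_cron_tampered"])
    return findings


# Constructed sample inputs; none of these are real logs from the article.
SAMPLE_PLUGIN_PATHS = [
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/plugins/addons.php",
    "wp-content/plugins/wp-performance-booster.php",
]
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/May/2025:10:01:02 +0000] "GET /?emergency_login=PLACEHOLDER HTTP/1.1" 302 0',
    '198.51.100.9 - - [14/May/2025:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4321',
]
SAMPLE_CONNECTIONS = [
    "ESTAB 0 0 10.0.0.5:51234 45.61.136.85:80",
    "ESTAB 0 0 10.0.0.5:51235 198.51.100.20:443",
]
CLEAN_WP_CRON = b"<?php\n// constructed stand-in for a clean wp-cron.php\n"
CLEAN_WP_CRON_SHA256 = hashlib.sha256(CLEAN_WP_CRON).hexdigest()
TAMPERED_WP_CRON = CLEAN_WP_CRON + b"/* constructed stand-in for an injected block */\n"

if __name__ == "__main__":
    result = triage(SAMPLE_PLUGIN_PATHS, SAMPLE_ACCESS_LOG, SAMPLE_CONNECTIONS,
                    TAMPERED_WP_CRON, CLEAN_WP_CRON_SHA256)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real site, feed `suspicious_plugin_files` the output of a recursive listing of wp-content/plugins, `emergency_login_hits` the web server's access log, and `c2_connections` the current connection table; a hit on any check is a reason to stop and do the full investigation the article recommends rather than just deleting the plugin, since the wp-cron.php hook will reinstall it.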

Bottom Line: If you run a WordPress site, check your plugin directory and core files for anything unusual. Make sure you’re using up-to-date security tools, and monitor your logs for suspicious activity.