Attack

WordPress malware campaign disguised as legitimate Security Plugin

Take action: This attack cannot simply be patched away, because the malicious plugin is uploaded after the site's credentials have already been compromised. It is still worth a quick search of the access logs for "emergency_login", and a look for anything unexpected in wp-cron.php and in the theme's header.php files. Use strong, unique credentials for the site admin, hosting and SFTP accounts.


Learn More

Wordfence security researchers have discovered a malware campaign targeting WordPress websites by disguising malicious code as a legitimate security plugin. The campaign was first identified during a site cleanup on January 22, 2025.

The malware has no official name. It appears in the file system as a normal WordPress plugin, most often as 'WP-antymalwary-bot.php', but it has also been observed under other names such as:

  • addons.php
  • wpconsole.php
  • wp-performance-booster.php
  • scr.php

The malicious plugin contains functions that let attackers maintain persistent access to compromised sites, hide the plugin from the WordPress dashboard, execute remote code via a custom REST API endpoint, inject malicious JavaScript into theme header files, and communicate with a command and control (C&C) server that was identified as being hosted in Cyprus.

The infection appears to begin with a compromised wp-cron.php file. Based on evidence gathered during site cleanups, Wordfence researchers believe the initial compromise most likely results from a compromised hosting account or stolen FTP credentials.

If the plugin is deleted, a modified wp-cron.php file automatically recreates and reactivates it upon the next site visit. The plugin provides immediate administrator access via an "emergency_login_all_admins" function that processes a specific GET parameter with a hardcoded password. This function retrieves all administrator accounts, selects the first one, and logs the attacker in with full administrative privileges.

The plugin hides itself from the WordPress dashboard plugin list to avoid detection. The malware can inject base64-decoded JavaScript into the site's <head> section, likely used for displaying unwanted advertisements, redirecting visitors, or distributing additional malware.

Website owners should look for:

  • Requests to the C&C server at IP address 45.61.136.85
  • Presence of "emergency_login" parameter in access logs (particularly in successful requests)
  • Modifications to wp-cron.php file
  • Unexpected code in theme header.php files
  • Access logs containing parameters like 'check_plugin', 'urlchange', and 'key'
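The checks listed above, and the "Take action" advice at the top of the page, can be scripted. The following is an added example, not code from Wordfence or from the article: it scans access-log lines for the four reported request parameters, the reported plugin filenames and the C&C address, and scans PHP source such as wp-cron.php or a theme's header.php for loader and obfuscation constructs. The PHP patterns are generic assumptions about what a loader looks like, not a signature of this particular sample, and every log line and PHP snippet in the block is constructed for the example.

```python
"""Triage helpers for the fake security plugin campaign described above.

Added example, not code from Wordfence or from the article. It checks
web-server access-log lines for the indicators the article lists (the four
request parameters, the reported plugin filenames and the C&C address) and
checks PHP source such as wp-cron.php or a theme's header.php for loader and
obfuscation constructs. All log lines and PHP snippets below are constructed
for the example; none is real traffic or the real sample.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted from the article.
C2_IP = "45.61.136.85"
SUSPECT_PARAMS = {"emergency_login", "check_plugin", "urlchange", "key"}
SUSPECT_PLUGIN_FILES = {
    "wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
    "wp-performance-booster.php", "scr.php",
}

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructs that a stock wp-cron.php or a normal theme header.php does not contain.
# Assumption: generic loader patterns, not a signature of this specific sample.
PHP_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate", re.compile(r"\bgzinflate\s*\(")),
    ("file_write", re.compile(r"\b(file_put_contents|fwrite)\s*\(")),
    ("suspect_get_param", re.compile(
        r"\$_(GET|REQUEST)\s*\[\s*['\"](emergency_login|check_plugin|urlchange|key)")),
    ("auth_cookie", re.compile(r"\bwp_set_auth_cookie\s*\(")),
]


def scan_access_log(lines):
    """Return (line_no, reasons, succeeded) for each line matching an indicator.

    succeeded is True when the HTTP status is below 400: the article notes that
    successful emergency_login requests are the ones that matter most.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        reasons, succeeded = [], False
        m = LOG_RE.match(line)
        if m:
            url = urlsplit(m.group("target"))
            params = set(parse_qs(url.query, keep_blank_values=True))
            for p in sorted(params):
                # emergency_login may also appear as the longer function-style name
                if p in SUSPECT_PARAMS or p.startswith("emergency_login"):
                    reasons.append("param:" + p)
            if url.path.rsplit("/", 1)[-1].lower() in SUSPECT_PLUGIN_FILES:
                reasons.append("file:" + url.path)
            succeeded = int(m.group("status")) < 400
        # Checked on the raw line so the same scanner works on proxy or egress logs,
        # where the C&C address appears as destination rather than client (assumption).
        if C2_IP in line:
            reasons.append("c2:" + C2_IP)
        if reasons:
            findings.append((n, reasons, succeeded))
    return findings


def scan_php_source(src):
    """Return the names of suspicious constructs present in a PHP file's contents."""
    return [name for name, rx in PHP_PATTERNS if rx.search(src)]


def suspect_plugin_files(names):
    """Given entries of wp-content/plugins/, return those matching the reported names.

    The plugin hides itself from the dashboard list, so check the directory on disk.
    """
    return [n for n in names if n.lower() in SUSPECT_PLUGIN_FILES]


# Constructed sample data (not real traffic, not the real malware).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2025:10:01:02 +0000] "GET /wp-cron.php?emergency_login=redacted HTTP/1.1" 302 0 "-" "curl/8.4"',
    '203.0.113.7 - - [22/Jan/2025:10:01:05 +0000] "GET /?check_plugin=1 HTTP/1.1" 200 512 "-" "curl/8.4"',
    '198.51.100.9 - - [22/Jan/2025:10:02:00 +0000] "GET /blog/?key=abc&urlchange=1 HTTP/1.1" 404 123 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [22/Jan/2025:10:03:00 +0000] "GET /wp-content/plugins/WP-antymalwary-bot.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [22/Jan/2025:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
SAMPLE_WP_CRON = (
    "<?php\nif (isset($_GET['check_plugin'])) {\n"
    "    file_put_contents(WP_PLUGIN_DIR . '/scr.php', base64_decode($blob));\n}\n"
)
SAMPLE_HEADER_CLEAN = "<?php wp_head(); ?>\n<body <?php body_class(); ?>>\n"

if __name__ == "__main__":
    for n, reasons, ok in scan_access_log(SAMPLE_LOG):
        print(f"log line {n}: {', '.join(reasons)}{' (successful request)' if ok else ''}")
    print("wp-cron.php:", scan_php_source(SAMPLE_WP_CRON))
    print("header.php:", scan_php_source(SAMPLE_HEADER_CLEAN))
    print("plugins dir:", suspect_plugin_files(["akismet", "scr.php", "hello.php"]))
```

A successful request carrying emergency_login should be treated as an administrator account compromise, not just a probe. Because wp-cron.php is a WordPress core file, the cleanest check for the modification the article describes is to compare it against the release checksums (WP-CLI's wp core verify-checksums does this) rather than to grep it; the pattern scan above is the fallback when WP-CLI is not available and the only way to check a theme's header.php, which has no reference copy.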

The number of affected websites and the overall value of this malicious campaign are not disclosed in the available information.
