WordPress plugin disguised as a security tool injects backdoor
Published on: 2025-08-01 04:05:46
A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
According to Wordfence researchers, the malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection.
Wordfence first discovered the malware during a site cleanup in late January 2025, where it found a modified 'wp-cron.php' file, which creates and programmatically activates a malicious plugin named 'WP-antymalwary-bot.php.'
Other plugin names used in the campaign include:
addons.php
wpconsole.php
wp-performance-booster.php
scr.php
If the plugin is deleted, wp-cron.php re-creates and reactivates it automatically on the next site visit.
Lacking server logs to help identify the exact infection chain, Wordfence hypothesizes the infection occurs via a compromised hosting account or FTP credentials.
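An added example, not code from Wordfence or from the campaign: a filesystem check for the plugin file names listed above and for a changed wp-cron.php, which does not rely on the plugin dashboard the malware hides from. It assumes the standard wp-content/plugins layout and a caller-supplied pristine wp-cron.php from the same WordPress release; the `scan` and `demo` functions and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File names reported in the article, lower-cased for case-insensitive matching.
REPORTED_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                  "wp-performance-booster.php", "scr.php"}

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan(wp_root, clean_cron=None):
    """Return sorted (kind, detail) leads for manual review, not verdicts:
    names such as addons.php or scr.php can also occur in legitimate code."""
    root = Path(wp_root)
    leads = []
    # Walk the disk: the article says the plugin hides from the dashboard.
    # Assumption: standard wp-content/plugins layout.
    for php in (root / "wp-content" / "plugins").rglob("*.php"):
        if php.name.lower() in REPORTED_NAMES:
            leads.append(("plugin_file", php.relative_to(root).as_posix()))
    cron = root / "wp-cron.php"
    if cron.is_file():
        body = cron.read_bytes().lower()
        # Heuristic (assumption): a dropper may name the file it re-creates.
        for name in sorted(REPORTED_NAMES):
            if name.encode() in body:
                leads.append(("cron_reference", name))
        # Optional: compare with wp-cron.php from a pristine copy of the same
        # WordPress release, supplied by the caller.
        if clean_cron and sha256(cron) != sha256(clean_cron):
            leads.append(("cron_modified", "wp-cron.php"))
    return sorted(leads)

def demo():
    """Build a constructed (not real) site tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
        (root / "wp-content" / "plugins" / "akismet" / "akismet.php").write_text("<?php // benign")
        (root / "wp-content" / "plugins" / "WP-antymalwary-bot.php").write_text("<?php // constructed")
        (root / "wp-cron.php").write_text("<?php /* constructed */ $f = 'WP-antymalwary-bot.php';")
        clean = Path(tmp) / "wp-cron.clean.php"
        clean.write_text("<?php // constructed pristine copy")
        return scan(root, clean)

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Because wp-cron.php re-creates the plugin on the next site visit, a `plugin_file` lead should be handled together with any `cron_modified` or `cron_reference` lead rather than by deleting the plugin file alone.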
Not much is k