Newly Discovered Malware Poses Significant Threat to WordPress Sites
In a concerning revelation by security researchers, a dangerous malware variant disguised as a legitimate WordPress plugin has been brought to light. The malware, dubbed “WP-antymalwary-bot.php,” gives attackers persistent access to compromised websites while also injecting malicious code. This level of access not only jeopardizes the integrity of the sites but also allows for the insertion of remote advertisements aimed at unsuspecting visitors.
Disguised Plugin Enables Remote Code Execution
The Wordfence Threat Intelligence team uncovered this malware during a routine cleanup on January 22, 2025. What makes this malware especially insidious is its ability to mimic the structure of a genuine WordPress plugin, complete with the standard formatting and metadata that users expect. Beneath this facade, however, the malware is equipped with multiple backdoor functions that greatly enhance its threat level.
Among these backdoor features is an emergency_login_all_admins function, which enables cybercriminals to gain administrative access to the infected website. This is achieved through a simple GET request combined with a hardcoded password, bypassing normal authentication entirely and significantly lowering the barrier to entry.
In addition to this alarming capability, the malware features an execute_admin_command function, which allows unauthorized commands to be executed via the REST API. This function is particularly dangerous as it does not carry out standard permission checks, granting attackers the ability to insert malicious PHP code directly into theme headers or clear caches for plugins, potentially wreaking havoc on the site’s functionality.
Malware Maintains Persistence Through Cron Job
Perhaps the most alarming aspect of this malware is its self-replicating behavior. If site administrators attempt to remove the malicious plugin, it quickly reinstalls itself using a modified version of the wp-cron.php file. This WordPress file is triggered to run whenever the site is visited, providing an effective stealth mechanism for re-infection. By writing the malware back into the system with each site visit, it not only reinforces its presence but also automatically activates, making eradication exceedingly challenging.
In addition, this malware communicates with a command-and-control (C2) server based in Cyprus. It pings the server every minute with the infected site’s URL and the current timestamp, along with other vital data. This reporting function relies on WordPress’s built-in scheduling system, a tactic that highlights the malware’s sophisticated approach to maintaining a comprehensive database of compromised sites.
Indicators of Compromise and Infection Prevention
Wordfence has identified several key indicators of compromise for WP-antymalwary-bot.php. These include:
- Unexpected GET requests containing terms such as 'check_plugin' or 'emergency_login'
- Modifications to the wp-cron.php file
- Injections of malicious code into theme header.php files
- Instances of JavaScript ads inserted via base64-decoded URLs
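The first indicator above is the one most easily checked from outside the application, by scanning web server access logs. The following script is an added example written for this article, not code from Wordfence or from the malware itself: it parses combined-format access log lines and flags GET requests whose path or query string contains the two terms the article names. The log lines are constructed for the demonstration and the request paths in them are assumptions, since the article does not state which endpoint the backdoor is reached through.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Terms the article lists as indicators of compromise for WP-antymalwary-bot.php.
IOC_TERMS = ("check_plugin", "emergency_login")

# Apache/nginx combined log format (constructed regex; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def indicators_in_request(target: str) -> list:
    """Return the IoC terms found in the request path, query keys or query values."""
    parts = urlsplit(target)
    haystack = [parts.path]
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        haystack.append(key)
        haystack.extend(values)
    lowered = [piece.lower() for piece in haystack]
    return [term for term in IOC_TERMS if any(term in piece for piece in lowered)]


def scan_access_log(lines) -> list:
    """Scan log lines and report GET requests carrying any indicator term."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match or match.group("method") != "GET":
            continue  # unparsable line, or not the GET-based backdoor pattern
        hits = indicators_in_request(match.group("target"))
        if hits:
            findings.append({
                "line": lineno,
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "target": match.group("target"),
                "indicators": hits,
            })
    return findings


# Constructed sample log; IPs are documentation ranges, paths are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2025:10:15:01 +0000] "GET /?emergency_login=1 HTTP/1.1" 200 512',
    '198.51.100.23 - - [22/Jan/2025:10:15:02 +0000] "GET /index.php?check_plugin HTTP/1.1" 200 43',
    '192.0.2.5 - - [22/Jan/2025:10:15:03 +0000] "GET /about/ HTTP/1.1" 200 8123',
    '192.0.2.9 - - [22/Jan/2025:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['ip']} -> {finding['target']} "
              f"matched {', '.join(finding['indicators'])}")
```

Run it against a real log with `scan_access_log(open('/var/log/nginx/access.log'))`; a hit is a reason to pull the request's source IP, the timestamp and the surrounding requests, and to inspect wp-cron.php and the active theme's header.php for the other indicators in the list.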
Recent iterations of this malware have shown further sophistication. They now allow dynamic updates of ad-serving URLs, indicating that the malware is still actively being developed and refined, posing an evolving threat to WordPress users.
To safeguard against potential infections from such advanced threats, WordPress site administrators are encouraged to conduct regular audits of installed plugins and themes. They should promptly remove any files that are either unused or appear suspicious. Continuous monitoring for unauthorized changes is also recommended to catch any anomalies early on.
Moreover, maintaining file integrity is crucial. Disabling direct file editing and using robust administrative credentials alongside multi-factor authentication (MFA) can significantly bolster a site’s defenses against intrusions.
Implementing routine off-site backups, along with the use of reliable security plugins or firewalls, is also strongly advised. These measures not only enhance security but also enable users to detect and block emerging threats before they can escalate into significant breaches.
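Two of the indicators above (a rewritten wp-cron.php and injected header.php files) are changes to files that should not change between updates, so a hash baseline taken from a known-clean install catches them. The script below is an added example, not part of the article or of any Wordfence tooling: it records SHA-256 hashes of a watched file set, re-checks them later, and the `demo()` function builds a throwaway constructed WordPress tree to show a modified wp-cron.php being reported. The watched paths and the theme name are assumptions; extend the list to the files your install actually ships.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the article names as targets of this malware. The theme directory is an
# assumed placeholder; list every active theme's header.php in a real deployment.
WATCHED = [
    "wp-cron.php",
    "wp-content/themes/example-theme/header.php",
]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, relpaths) -> dict:
    """Hash every watched file under a known-clean install. Store the result
    outside the web root, since a rewritten baseline hides a rewritten file."""
    return {rel: sha256_of(root / rel) for rel in relpaths if (root / rel).is_file()}


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline and classify each watched file."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for rel, expected in baseline.items():
        current = root / rel
        if not current.is_file():
            report["missing"].append(rel)
        elif sha256_of(current) != expected:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then append a line to
    wp-cron.php (an inert comment standing in for the re-infection hook the
    article describes) and return the resulting integrity report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WATCHED:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<?php // clean placeholder\n")
        baseline = build_baseline(root, WATCHED)
        with (root / "wp-cron.php").open("a") as fh:
            fh.write("// constructed tampering marker, not real malware\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Re-running `check_integrity()` from cron or a monitoring agent turns the article's advice about continuous monitoring into something concrete: any entry under `modified` or `missing` for wp-cron.php or a theme header.php is worth treating as a possible re-infection rather than an expected update, unless a deployment happened at that time.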
As the threat landscape for WordPress continues to evolve, staying informed and vigilant against such sophisticated malware attacks is essential for ensuring the safety and integrity of websites.