This plugin targets WordPress sites by posing as a security tool: How to stay safe

A fake WordPress plugin built with AI is attacking websites by disguising itself as security software. Here's what it does, and how you can defend your site.

Agencias

  • May 10, 2025
  • Updated: July 1, 2025 at 9:40 PM
A new and sophisticated malware attack is compromising WordPress websites by disguising itself as a security plugin. Security experts at Wordfence recently uncovered this threat, which uses convincing names and hidden functionality to avoid detection while gaining persistent control over infected websites.

A deceptive plugin hiding in plain sight

The malicious tool, identified under names like “WP-antymalwary-bot.php”, mimics legitimate plugins and is programmed to hide itself from the WordPress dashboard. It includes functions to remotely execute code, reinfect deleted files, and even send signals to a Command & Control (C2) server hosted in Cyprus. The malware also injects malicious JavaScript into the site's directories to display ads and spread further.

Researchers believe that generative AI was used to develop the malware, making it look more authentic. This marks a shift in how attackers use AI: not just for automation, but to make their tools appear legitimate and evade detection.

Infection and persistence mechanisms

The malware was first spotted during a routine site cleanup, where a modified “wp-cron” file was reactivating the plugin automatically. Even after removal, the malware regenerates itself using aliases like “wpconsole.php” or “wp-performance-booster.php”. Investigators suspect the initial breach may have occurred through compromised hosting credentials or FTP access.

Because of the lack of forensic logs, Wordfence could not trace the exact method of intrusion or identify the responsible attackers.

How to protect your WordPress site

Website administrators should regularly audit their file systems, disable unnecessary cron jobs, and use a trusted security plugin with active monitoring. It’s also crucial to change all FTP and hosting credentials immediately upon any sign of compromise.
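As an added illustration of the file-system audit recommended above (this is example code, not from the article or from Wordfence), the script below walks a WordPress install tree and flags the plugin aliases the article names, stray .php files dropped directly in wp-content/plugins, and a wp-cron.php whose SHA-256 differs from a clean copy the admin supplies. The loose-file heuristic and the constructed sample tree are my own assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# File names the article reports the malware using (taken from the Wordfence findings above).
SUSPECT_NAMES = {"wp-antymalwary-bot.php", "wpconsole.php", "wp-performance-booster.php"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file (core files are small enough to read whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_wordpress(root, expected_cron_sha256=None):
    """Return (category, relative_path) findings for a WordPress install tree.
    known_alias: file named like the aliases the article lists.
    loose_plugin_file: .php directly in wp-content/plugins (real plugins live in a
        subdirectory; my heuristic, not from the article).
    modified_wp_cron: wp-cron.php hash differs from a clean copy the admin supplies.
    """
    root = Path(root)
    plugins_dir = root / "wp-content" / "plugins"
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPECT_NAMES:
            findings.append(("known_alias", rel))
        elif path.suffix.lower() == ".php" and path.parent == plugins_dir:
            findings.append(("loose_plugin_file", rel))
    cron = root / "wp-cron.php"
    if expected_cron_sha256 and cron.is_file() and sha256_of(cron) != expected_cron_sha256.lower():
        findings.append(("modified_wp_cron", "wp-cron.php"))
    return findings


def make_sample_install():
    """Constructed sample tree (not a real site); returns (root, clean wp-cron.php SHA-256)."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-cron.php").write_text("<?php // stand-in for the clean core file\n")
    plugins = root / "wp-content" / "plugins"
    (plugins / "legit-plugin").mkdir(parents=True)
    (plugins / "legit-plugin" / "legit-plugin.php").write_text("<?php // normal plugin\n")
    (plugins / "WP-antymalwary-bot.php").write_text("<?php // alias named in the article\n")
    (plugins / "dropper.php").write_text("<?php // stray file with no plugin folder\n")
    return root, sha256_of(root / "wp-cron.php")


if __name__ == "__main__":
    sample_root, clean_sha = make_sample_install()
    for category, rel_path in audit_wordpress(sample_root, clean_sha):
        print(f"{category:18} {rel_path}")
```

On a real site, point audit_wordpress at the document root and take the expected hash from a fresh download of the same WordPress release; a hit on modified_wp_cron is the reactivation mechanism the article describes and warrants a full cleanup rather than deleting the one file.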

Using AI against AI-powered threats may be the new norm, requiring admins to stay updated and vigilant.
