
One of the most prevalent attack vectors targeting WordPress involves disguising malicious code as a harmless plugin. Yet in this case, the malware ventured far beyond conventional deception. The Wordfence team uncovered a striking example of a malicious plugin that, outwardly indistinguishable from standard administrative tools, in reality granted attackers full control over the compromised site.
The plugin, named WP-antymalwary-bot.php, infiltrated the website as a PHP file and immediately concealed itself from the administrator’s view — it did not appear in the dashboard. Beneath this cloak, however, lay a comprehensive arsenal of capabilities: remote code execution, authentication bypass, injection of malicious JavaScript, theme file overwrites, and even self-replication. If deleted, the plugin would automatically reinstall itself upon the next visit to the site, leveraging a compromised wp-cron.php file — the very component WordPress uses to schedule background tasks.
Most alarming was the presence of an “emergency login” function. With a single GET request and a predefined password, an attacker could silently gain access to the first available administrator account. The intrusion occurred discreetly, though traces remained in the logs — a clue that eventually led researchers to uncover the anomaly.
The infection began with wp-cron.php, after which the malicious code rapidly proliferated: the plugin injected arbitrary PHP code into the header.php files of all active themes, cleared caches, and regularly pinged a command-and-control server hosted at IP address 45.61.136.85. This connection allowed attackers to maintain a registry of infected websites and potentially orchestrate them in real time.
In its latest variant, the malware acquired additional capabilities — such as using WordPress’s internal scheduler to facilitate periodic data exchanges with the C2 server. Moreover, it learned to retrieve JavaScript payloads from other compromised sites and embed them into HTML pages, thereby rendering detection significantly more difficult.
Researchers were particularly struck by the sophistication of the code: neatly structured, with clean indentation and descriptive comments. It resembled not an amateur hack, but an almost legitimate plugin. Such refinement has previously been observed in attack chains involving AI-generated malicious code. The new plugin exhibits similar traits — including partially implemented functions and a modular architecture designed for future evolution.
The malicious code appeared under various aliases: addons.php, wpconsole.php, scr.php, wp-performance-booster.php, among others. Its presence could be identified through modifications to wp-cron.php, the appearance of the emergency_login parameter in server logs, and altered theme files.
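The indicators just listed can be checked mechanically. The following Python script is an added example, not code from Wordfence or from the original article: it scans access-log lines for the emergency_login parameter and for the plugin's known filenames, and checks a PHP file (wp-cron.php or a theme's header.php) for references to the C2 address or those aliases. It assumes the Apache/nginx combined log format; the log lines and the wp-cron.php stub are constructed, and the password value is a placeholder.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up above; sample inputs further down are constructed.
KNOWN_FILENAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
                   "scr.php", "wp-performance-booster.php"}
C2_IP = "45.61.136.85"
SUSPICIOUS_PARAM = "emergency_login"
# Assumes combined log format: IP, identd, user, [time], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

@dataclass
class Finding:
    kind: str          # "emergency_login" or "known_filename"
    client_ip: str
    request_path: str

def scan_access_log(lines):
    """One Finding per request carrying emergency_login or fetching a known plugin alias."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        path = m.group("path")
        route, _, query = path.partition("?")
        params = {kv.partition("=")[0] for kv in query.split("&") if kv}
        if SUSPICIOUS_PARAM in params:
            findings.append(Finding("emergency_login", m.group("ip"), path))
        if route.rsplit("/", 1)[-1].lower() in KNOWN_FILENAMES:
            findings.append(Finding("known_filename", m.group("ip"), path))
    return findings

def scan_php_source(filename, source):
    """Flag wp-cron.php or a theme header.php that references the C2 address or a plugin alias."""
    hits = [f"{filename}: references C2 address {C2_IP}"] if C2_IP in source else []
    hits += [f"{filename}: references {n}" for n in sorted(KNOWN_FILENAMES) if n in source.lower()]
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic; REDACTED stands in for the password value
    '203.0.113.5 - - [01/May/2025:10:00:01 +0000] "GET /?emergency_login=REDACTED HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2025:10:01:00 +0000] "GET /wp-content/plugins/wp-performance-booster.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '192.0.2.9 - - [01/May/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]
SAMPLE_WP_CRON = "<?php\n$beacon = 'http://45.61.136.85/ping';\n"  # constructed stand-in for a tampered wp-cron.php

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.client_ip} {f.request_path}")
    print(*scan_php_source("wp-cron.php", SAMPLE_WP_CRON), sep="\n")
```

A match on wp-cron.php should be followed by comparing the file against a pristine copy from the same WordPress release, since the script only looks for the indicators named above.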
The tale of this so-called “antivirus bot” for WordPress serves as yet another stark reminder: even plugins that appear legitimate can harbor serious threats — particularly when unverified and deployed on websites lacking robust security defenses.