Fake Plugin Grants Hackers Admin Access to WordPress

Fake plugin attacks are targeting WordPress sites again. Hackers are disguising malware as a security plugin to hijack admin control and spread threats.

Researchers found the plugin under the file name WP-antymalwary-bot.php. It grants attackers full administrator access, hides itself from the plugin list in the dashboard, and executes commands sent from a remote server. Together, these let attackers control the site without being noticed.

The plugin connects to a remote command server. It spreads itself across directories and injects malicious JavaScript to deliver spam ads. For example, it can fetch new scripts from compromised sites and show pop-up ads to visitors.

The malware has appeared under several file names. Common aliases include addons.php, wpconsole.php, and wp-performance-booster.php. Once installed, the plugin abuses the REST API to inject harmful PHP into site themes or to clear plugin caches.

However, the threat doesn’t stop there. The attackers also plant a fake wp-cron.php file. If a site owner removes the plugin, this file reinstalls it on the next visit.

Reports suggest Russian-speaking actors may be behind the campaign. Though the entry point remains unknown, the plugin’s behavior clearly aims to maintain long-term access and generate revenue.

More Attacks Targeting WordPress and E-commerce Sites

At the same time, other attackers are using fake domains and scripts to target e-commerce platforms. For instance, one campaign uses a fake fonts site to steal payment information during checkout. A reverse proxy, disguised as a GIF image, collects credit cards, cookies, and login details.

Another group has been injecting Google AdSense code into sites. This tactic redirects ad revenue to attackers. If your site runs ads, they could be stealing your income.

Some campaigns even use fake CAPTCHAs. These trick users into downloading Node.js-based malware. Once installed, it gives attackers deep control through a remote access trojan.

How to Prevent These WordPress Attacks

To protect your WordPress site, keep all plugins and themes updated. Avoid installing unknown plugins, especially from outside the official directory.

Also, scan your site regularly for malware. For example, use security tools that check file integrity and look for suspicious PHP scripts.

Finally, disable unnecessary REST API access and limit admin rights. Strong passwords and multi-factor authentication help too. A few steps now can stop major damage later.
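The file-integrity and suspicious-file checks recommended above can be scripted. The following is an added example written for this article, not a tool from the researchers or from WordPress: it snapshots SHA-256 hashes of every file under a WordPress root, then on a later run reports files that were added or modified, files whose names match the aliases listed in the article, and any wp-cron.php that sits somewhere other than the site root (the only place the real one belongs). The miniature site tree it scans is constructed inside a temporary directory with placeholder contents, so it runs offline and touches no real install.

```python
import hashlib
import os
import tempfile

# File names reported for this campaign (taken from the article); matched case-insensitively.
SUSPICIOUS_NAMES = {
    "wp-antymalwary-bot.php",
    "addons.php",
    "wpconsole.php",
    "wp-performance-booster.php",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def scan_site(root, baseline):
    """Compare the tree against a saved baseline and flag the indicators described in the article."""
    current = build_baseline(root)
    findings = {"suspicious_names": [], "rogue_cron": [], "added": [], "modified": []}
    for rel, digest in current.items():
        base = os.path.basename(rel).lower()
        if base in SUSPICIOUS_NAMES:
            findings["suspicious_names"].append(rel)
        # wp-cron.php is legitimate only at the WordPress root; a copy anywhere else is a red flag.
        if base == "wp-cron.php" and rel != "wp-cron.php":
            findings["rogue_cron"].append(rel)
        if rel not in baseline:
            findings["added"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def write(root, rel, content):
    """Helper that creates a file (and its parent directories) inside the constructed site tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Build a constructed miniature WordPress tree, snapshot it, then simulate the changes an infection leaves behind."""
    with tempfile.TemporaryDirectory() as root:
        # Clean state: the real cron entry point at the root plus a harmless plugin and theme.
        write(root, "wp-cron.php", "<?php // legitimate core cron entry point (constructed stand-in)\n")
        write(root, "wp-content/plugins/hello/hello.php", "<?php // harmless plugin (constructed)\n")
        write(root, "wp-content/themes/site/functions.php", "<?php // theme functions (constructed)\n")
        baseline = build_baseline(root)

        # Simulated post-compromise state; every file here is a labelled placeholder, not real malware.
        write(root, "wp-content/plugins/WP-antymalwary-bot.php", "<?php // constructed placeholder\n")
        write(root, "wp-content/uploads/wp-cron.php", "<?php // constructed placeholder for the persistence file\n")
        write(root, "wp-content/themes/site/functions.php", "<?php // theme functions (constructed)\n// appended line\n")
        return scan_site(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline dictionary would be saved (for example as JSON) right after a clean install or update and refreshed whenever you deliberately change files, so that a scheduled run of `scan_site` only reports what you did not put there yourself. A name match is a strong signal, but the added and modified lists are what catch a renamed copy or a theme file that has had PHP injected into it.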

Sleep well, we got you covered.