New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites
gbhackers
The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that masquerades as a legitimate plugin, often named ‘WP-antymalwary-bot.php’.
First detected on January 22, 2025, during a routine site cleanup, this malware exhibits advanced capabilities, enabling attackers to seize complete control over infected websites.
With features like remote code execution, hidden persistence mechanisms, and communication with a Command & Control (C&C) server, this threat poses a significant risk to WordPress site owners.
Premium Wordfence users received a malware signature to detect this threat on January 27, 2025, while free users gained access on February 26, 2025.
A firewall rule was later deployed to premium users on April 23, 2025, with free users scheduled to receive it on May 23, 2025.
Technical Breakdown of the Malware’s Functionality
This malware presents itself as a benign plugin with convincing headers and code formatting, evading casual detection.
It employs ...
Copyright of this story solely belongs to gbhackers.