Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin

Wordfence published its 2024 WordPress security report, revealing a malware variant disguised as a normal plugin ('WP-antymalwary-bot.php') that allows attackers to maintain site access, hide the plugin, and execute remote code. Detected on January 22, 2025, it was swiftly addressed with a malware signature and later a firewall rule for premium users. The malware can log administrators in, execute commands via the REST API, and reinfect sites using a modified wp-cron.php. Indicators of compromise include C&C server pings and modified theme files. This malware indicates a trend towards AI-generated threats.

https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disguised-as-legitimate-anti-malware-plugin/
