Fake WordPress security alerts are being used to send malware

Security firms Wordfence and PatchStack have warned WordPress admins about phishing emails that impersonate the legitimate WordPress.com site and trick victims into installing a malicious plugin. The “plugin” reportedly exfiltrates website data, downloads a backdoor and remains hidden on the site’s root directory.