Recently, malware that alters the JAVASCRIPT file of WordPress and uses it as a parasite to display a fake login screen and steal login information has been spreading.


Fake login screen with parasitic WordPress JAVASCRIPT and header

This type of malware embeds malicious JAVASCRIPT code (a script language that runs in the browser) in the WordPress JQUERY or theme header and footer, and pulls images and CSS from various sites or official sites to display a fake login screen The fake login screen looks exactly the same as the real login screen.
As far as we have been able to ascertain, we have found scripts that produce login screens for Google, Microsoft, Facebook, and various banks. (However, we did not see any login screens for Japanese banks or services.)

If a user accidentally logs in from this screen, the login is not enabled, but the login information is sent to the hacker via email, compromising the user’s login information.

Phishing that displays a fake page

This type of malware that deceives by displaying fake pages to users is called phishing.
The malware itself is obfuscated as shown below so that it is not obvious at a glance how it works or where login information is sent.

What if I start seeing a fake login screen on my WordPress site?

Use the malware inspection plugin to inspect and remove malware.

Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

Other security measures may also need to be taken, as there is a high possibility that some security hole exists in the site that allowed this malware to be embedded in the site.

Reference
Five WordPress security measures

In addition, it may be difficult to find and remove this malware with plug-ins alone, because the embedding location may be in a very deep hierarchy, or there may be another backdoor that generates this JAVASCRIPT.

In such cases, we recommend that you consult a specialist.