There is currently a phishing scam targeting WordPress users. It involves an email claiming that your WordPress site has a vulnerability and prompting you to download a plugin that supposedly patches it. The plugin, however, installs a backdoor that attackers can use to gain access to your site.
Wordfence has a complete article with details on the plugin, the exploit, detection, and mitigation.
I would say that the best offense is a good defense. In other words, don’t download the scam to begin with. But this one is dangerous because it looks legit and could fool even seasoned WordPress admins – which is why I’m adding this PSA to my site – the more people who are aware, the (hopefully) fewer people who will be affected.