Sophisticated WordPress Malware 'WP-antimalwary-bot.php' Threatens Sites Worldwide
Security experts have warned about a sophisticated strain of WordPress malware, 'WP-antimalwary-bot.php', which has been infecting websites and causing concern among administrators. Disguised as a legitimate plugin, it poses a significant threat because of its persistence mechanism and the range of actions it gives attackers over a compromised site.
The malware, discovered in 2025, provides threat actors with persistent access to infected websites. It can inject malicious code and serve remote advertisements to site visitors, generating revenue for cybercriminals. What is more alarming is its ability to reinstall itself after deletion through a modified wp-cron.php file: because WordPress runs wp-cron.php routinely, the tampered file acts as a persistence hook that restores the plugin, which makes the infection difficult to remove unless the cron file is cleaned as well.
Security researchers have found that the malware communicates with a command-and-control server based in Cyprus. This server maintains a database of compromised sites, allowing threat actors to log in as administrators and inject PHP code, further expanding their control. Indicators of compromise include unexpected GET requests, modified wp-cron.php files, and injected ad URLs.
To prevent infections, site administrators are advised to implement strong security measures. Regularly auditing plugins and themes, removing unused files, and monitoring for unauthorized changes are crucial. Additionally, file integrity checks against a known-good baseline (which would catch the modified wp-cron.php this malware relies on), multi-factor authentication (MFA) on administrator accounts, and routine backups can significantly enhance website security.
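The following is an added example, not code from the original article or from any vendor tool, of the file-integrity check the prevention advice recommends, aimed at the two indicators the article names: a modified wp-cron.php and the presence of a file named like the malicious plugin. It hashes every file under a WordPress root into a baseline manifest, diffs a later snapshot against it, and flags the suspicious filename separately. The directory layout, file contents, and the "injected" line simulating the compromise are constructed for the demonstration and are not the real malware's code.

```python
"""Baseline file-integrity check for a WordPress install (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Filename the article identifies as the malicious plugin; matched case-insensitively.
SUSPICIOUS_NAMES = {"wp-antimalwary-bot.php"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests: modified, added and removed paths, plus suspicious filenames."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    suspicious = sorted(p for p in current if Path(p).name.lower() in SUSPICIOUS_NAMES)
    return {"modified": modified, "added": added, "removed": removed, "suspicious": suspicious}


def write_tree(root: Path, files: dict) -> None:
    """Create the given relative paths under root with the given text contents."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Constructed scenario: a clean install, then the changes the article describes."""
    clean = {
        "wp-cron.php": "<?php\n// core cron runner\nrequire_once 'wp-load.php';\n",
        "wp-load.php": "<?php\n// core loader\n",
        "wp-content/plugins/hello.php": "<?php\n// Hello Dolly\n",
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write_tree(root, clean)
        baseline = build_manifest(root)  # in practice: taken from a known-clean install
        # Simulated compromise (constructed, not the real malware's code): wp-cron.php
        # gains a reinstall hook and the plugin file appears in the plugins directory.
        write_tree(root, {
            "wp-cron.php": clean["wp-cron.php"] + "// injected: reinstall plugin if missing\n",
            "wp-content/plugins/WP-antimalwary-bot.php": "<?php\n// constructed stand-in\n",
        })
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In production the baseline should come from a source the attacker could not have touched, such as a fresh download of the same WordPress version or a manifest stored off-host; a baseline taken after the compromise would simply bless the modified wp-cron.php. For core files, WP-CLI's `wp core verify-checksums` performs the same comparison against the official release hashes, but it does not cover plugin directories, which is where the malicious file lives.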
The 'WP-antimalwary-bot.php' malware highlights the importance of proactive website security measures. With its sophisticated capabilities and persistent nature, it underscores the need for regular audits, strong security protocols, and vigilance against potential threats. As threat actors continue to develop more advanced malware, it is essential for administrators to stay informed and proactive in protecting their websites.