WordPress Archives | Animated Creativity

The ‘fake plugin’ WordPress malware family: how to spot random-named directories in bulk

April 22, 2026 by admin

One of the most common WordPress malware patterns I’ve cleaned in the last two years isn’t a webshell or a credential stealer — it’s a “fake plugin” or “fake theme.” The attacker creates a directory in wp-content/plugins/ or wp-content/themes/ with …

The one SQL query that catches almost every backdoor admin in WordPress

November 24, 2025 by admin

Close-up of WordPress JavaScript source code displaying themes:update functions and wp.updates handlers — typical view when auditing WordPress code (photo: Markus Spiske / Pexels)

If a WordPress site of yours has been compromised — even briefly, even silently — there’s a very good chance it now has at least one administrator account that you didn’t create. Most WP malware families plant one as part …

Block xmlrpc.php and hide wp-login.php server-wide on OpenLiteSpeed

November 21, 2025 by admin

Rack of running 1U servers in a data center, multi-color network cables

Every WordPress site running with default config is being hammered right now by brute-force scripts hitting xmlrpc.php and wp-login.php. If you run multiple sites on a single OpenLiteSpeed (LSWS) box, dropping a per-site .htaccess rule on each one is …

Get WordPress off MySQL root: per-site users in one Python loop

September 6, 2025 by admin

A single key resting in a locker door, symbolizing per-site database credentials with no shared master key (photo: Jakub Zerdzicki / Pexels)

If you run more than one WordPress site on a single server and every wp-config.php has DB_USER = 'root', your eight sites are effectively one site as far as a compromise is concerned. One vulnerable plugin on any of …

Block WordPress REST API user enumeration without breaking the admin

August 7, 2025 by admin

Close-up of JavaScript code showing ajaxTransport, encodeURIComponent, and readyState functions — typical view of REST API client code (photo: Markus Spiske / Pexels)

By default every WordPress install since 4.7 leaks usernames over a public, unauthenticated REST endpoint. Anyone — no login, no auth header, just a browser — can hit https://yoursite.com/wp-json/wp/v2/users and get a JSON array of every user the site considers …

Recovering a malformed wp_options.active_plugins: the SQL REPLACE() trap and how to rebuild

January 2, 2025 by admin

A nearly-complete white jigsaw puzzle with one piece sitting outside its slot, exposing the blue surface beneath — visual metaphor for one wrong byte breaking the whole serialized array (photo: Mike Van Schoonderwalt / Pexels)

You have a WordPress site that’s returning HTTP 200, the homepage renders, but something’s quietly off. WooCommerce features aren’t loading. LiteSpeed Cache settings page is empty. The Mailpoet sender isn’t sending. None of these would normally fail at the same …

The wp_options.siteurl hijack: how a one-row UPDATE redirects every visitor and how to spot it before Google does

December 27, 2024 by

Metal directional arrow plate on a wooden floor — photo by Max Laurell on Pexels

One of the simplest, oldest, and still most effective WordPress compromises is a single SQL update. The attacker gets one query into your database — through any RCE, SQLi, or stolen-credential path — and runs:

UPDATE wp_options
   SET option_value =

…

nginx vs Caddy vs OpenLiteSpeed for a single-VPS WordPress setup: when each makes sense

November 29, 2024 by admin

Close-up of a server rack with networking cables — photo by Josh Sorenson on Pexels

You’re spinning up a $5/month VPS to host one or two WordPress sites. The web server choice is one of the early decisions that’s hard to undo later because the rest of your config — vhost files, cache layer, TLS …

Block PHP execution in wp-content/uploads on OpenLiteSpeed: the right .htaccess snippet

November 27, 2024 by admin

Computer monitor displaying terminal output: system metrics, file listings, and kernel error messages — typical sysadmin view (photo: Tima Miroshnichenko)

wp-content/uploads/ is the most predictable target on a WordPress install. It’s writable by the web server (so any compromise that gets a file uploaded lands here), it’s almost never inspected by malware scanners with the same vigilance as wp-includes/, …

The .hph extension trick: how WordPress malware survives cleanups by shadowing .php files

October 19, 2024 by admin

Four nearly identical white binders standing in a wooden box, suggesting how easy it is to overlook a slightly differently-named file in a directory listing (photo: Mateusz Dach / Pexels)

You clean a WordPress malware infection. You find every .php file with the suspicious signature, quarantine it, restore from backup, harden the site. Three weeks later the same backdoor is back. Same filename, same content, same behavior. You’re sure you …