Posts about server, application, and WordPress security — incident response, hardening, audits.
If a WordPress site of yours has been compromised — even briefly, even silently — there’s a very good chance it now has at least one administrator account that you didn’t create. Most WP malware families plant one as part …
Every WordPress site running with default config is being hammered right now by brute-force scripts hitting xmlrpc.php and wp-login.php. If you run multiple sites on a single OpenLiteSpeed (LSWS) box, dropping a per-site .htaccess rule on each one is …
For internet-facing domains, Let’s Encrypt is the right answer. But the moment you have a homelab service running on a .local domain, on a private subnet, or behind Tailscale — Let’s Encrypt either doesn’t work (HTTP-01 needs public reachability) or …
If you run more than one WordPress site on a single server and every wp-config.php has DB_USER = 'root', your eight sites are effectively one site as far as a compromise is concerned. One vulnerable plugin on any of …
Open /var/log/auth.log on a public-facing server and you’ll see thousands of lines per day — failed logins, accepted logins, sudo events, cron registrations. The signal you usually care about (who’s brute-forcing me, from where, against which users?) is buried in …
By default every WordPress install since 4.7 leaks usernames over a public, unauthenticated REST endpoint. Anyone — no login, no auth header, just a browser — can hit https://yoursite.com/wp-json/wp/v2/users and get a JSON array of every user the site considers …
You manage five servers. Each has a different SSH key in ~/.ssh/authorized_keys from the day you set it up — one’s an old id_rsa from 2018, two have your laptop’s current ed25519 key, one has an ancient ECDSA key from …
You sit down at a coffee shop, click the Wi-Fi prompt, and accept the captive portal. Your laptop is now on a network where the person at the next table can run tcpdump on the SSID and see your unencrypted …
You wrote a deploy script. It SSHes into 12 servers, runs an update, comes home. The first time you run it on a fresh laptop, every server prompts: The authenticity of host ‘203.0.113.x’ can’t be established. Continue connecting (yes/no/[fingerprint])?. …
You’ve been paying $40/year for a Bitwarden family plan, or $36/year for an individual one. The product is excellent — there’s nothing wrong with what they’ve built. But you also have a $5/month VPS that’s already running a couple of …