Security Archives | Page 3 of 4 | Animated Creativity

The wp_options.siteurl hijack: how a one-row UPDATE redirects every visitor and how to spot it before Google does

December 27, 2024 by

Metal directional arrow plate on a wooden floor — photo by Max Laurell on Pexels

One of the simplest, oldest, and still most effective WordPress compromises is a single SQL update. The attacker gets one query into your database — through any RCE, SQLi, or stolen-credential path — and runs:

UPDATE wp_options
   SET option_value =

…

fail2ban vs CrowdSec on a small VPS: where the rule sets overlap, where they fight each other, and how to pick one without re-banning everything

December 25, 2024 by

Terminal screen showing system logs and security monitoring output — photo by Tima Miroshnichenko on Pexels

I’ve been running fail2ban on this Oracle box since the day I provisioned it. Six months ago I added CrowdSec because I wanted the community blocklist for SSH brute-force IPs. For three months they coexisted and I assumed it was …

Block PHP execution in wp-content/uploads on OpenLiteSpeed: the right .htaccess snippet

November 27, 2024 by admin

Computer monitor displaying terminal output: system metrics, file listings, and kernel error messages — typical sysadmin view (photo: Tima Miroshnichenko)

wp-content/uploads/ is the most predictable target on a WordPress install. It’s writable by the web server (so any compromise that gets a file uploaded lands here), it’s almost never inspected by malware scanners with the same vigilance as wp-includes/, …

Hide the OpenLiteSpeed admin panel: bind 7080 to 127.0.0.1 + reach it via SSH tunnel

November 4, 2024 by admin

Linux ls -la output showing /bin, /boot, /etc, /home, /lib, /sbin and other root directories — typical first view after SSHing into a server (photo: Pixabay / Pexels)

OpenLiteSpeed’s admin panel runs on port 7080 by default and binds to *. That means anyone with your server’s IP can hit https://your-ip:7080/ and reach the admin login form. The form has authentication, sure — but having a login …

The .hph extension trick: how WordPress malware survives cleanups by shadowing .php files

October 19, 2024 by admin

Four nearly identical white binders standing in a wooden box, suggesting how easy it is to overlook a slightly differently-named file in a directory listing (photo: Mateusz Dach / Pexels)

You clean a WordPress malware infection. You find every .php file with the suspicious signature, quarantine it, restore from backup, harden the site. Three weeks later the same backdoor is back. Same filename, same content, same behavior. You’re sure you …

UFW vs iptables-nft on Ubuntu 22: why ufw enable silently breaks fail2ban-defined chains

September 29, 2024 by

Server tower in a blue-lit data centre — photo by Cookiecutter on Pexels

I had a server running fail2ban happily for two years. SSH brute-force IPs were getting banned, the f2b-sshd chain was active, all good. Then I ran ufw enable to add a quick firewall rule for an internal service — and …

Wordfence forensics: mining wp_wfhits and wp_wfissues to reconstruct a breach timeline

September 18, 2024 by admin

Top-down view of two detectives examining black-and-white photos and fingerprint cards on a desk — visual metaphor for piecing together a breach timeline from log evidence (photo: RDNE / Pexels)

If you’re cleaning up a WordPress compromise and the site has Wordfence installed, you have more forensic data than you think. Even on the free plan, Wordfence quietly logs every blocked request, every plugin-vulnerability advisory, every flagged file, and every …

SSH ed25519-sk hardware keys vs forwarded agents: when to forward, when to use a YubiKey and refuse forwarding

August 28, 2024 by

USB security key beside a laptop on a clean desk — photo by Cottonbro on Pexels

Most “hopping through bastion” SSH workflows use agent forwarding (ssh -A): the bastion gets temporary access to your local SSH keys via the agent socket, and from there it can SSH onward. It’s convenient, it’s the default in …

Detecting WordPress malware via reverse-DNS lookups on outbound POST requests: 30 lines of bash that catches exfil

August 26, 2024 by

Network switch with active port LEDs and ethernet cables — photo by Pixabay on Pexels

The interesting thing about WordPress malware in 2026 is that most of it doesn’t try to hide on disk anymore. Filesystem scanners catch the obvious things — random PHP at webroot, .hph extension shadows, polyglot images. The newer payloads live …

Detecting and cleaning the DOLLY WordPress mu-plugin backdoor

August 14, 2024 by admin

Hooded figure with neon mask holding tablet displaying 'Uploading Virus' progress bar — visualizing the DOLLY WordPress mu-plugin backdoor exfiltrating credentials

Last week I cleaned a six-site WordPress compromise on one of my OpenLiteSpeed boxes. The most interesting payload was the “DOLLY” mu-plugin family — a credential-harvesting backdoor that hides itself with a few clever tricks and survives most casual cleanups …