incident-response

The ‘fake plugin’ WordPress malware family: how to spot random-named directories in bulk

by
A row of blue and orange CASSA-brand office binders neatly stacked on a shelf — visual metaphor for plugin directories that look identical on the outside but may contain very different things inside (photo: zulfugarkarimov / Pexels)

One of the most common WordPress malware patterns I’ve cleaned in the last two years isn’t a webshell or a credential stealer — it’s a “fake plugin” or “fake theme.” The attacker creates a directory in wp-content/plugins/ or wp-content/themes/ with …

Recovering a malformed wp_options.active_plugins: the SQL REPLACE() trap and how to rebuild

by
A nearly-complete white jigsaw puzzle with one piece sitting outside its slot, exposing the blue surface beneath — visual metaphor for one wrong byte breaking the whole serialized array (photo: Mike Van Schoonderwalt / Pexels)

You have a WordPress site that’s returning HTTP 200, the homepage renders, but something’s quietly off. WooCommerce features aren’t loading. LiteSpeed Cache settings page is empty. The Mailpoet sender isn’t sending. None of these would normally fail at the same …

The wp_options.siteurl hijack: how a one-row UPDATE redirects every visitor and how to spot it before Google does

by
Metal directional arrow plate on a wooden floor — photo by Max Laurell on Pexels

One of the simplest, oldest, and still most effective WordPress compromises is a single SQL update. The attacker gets one query into your database — through any RCE, SQLi, or stolen-credential path — and runs:

UPDATE wp_options
   SET option_value =

The .hph extension trick: how WordPress malware survives cleanups by shadowing .php files

by
Four nearly identical white binders standing in a wooden box, suggesting how easy it is to overlook a slightly differently-named file in a directory listing (photo: Mateusz Dach / Pexels)

You clean a WordPress malware infection. You find every .php file with the suspicious signature, quarantine it, restore from backup, harden the site. Three weeks later the same backdoor is back. Same filename, same content, same behavior. You’re sure you …

Wordfence forensics: mining wp_wfhits and wp_wfissues to reconstruct a breach timeline

by
Top-down view of two detectives examining black-and-white photos and fingerprint cards on a desk — visual metaphor for piecing together a breach timeline from log evidence (photo: RDNE / Pexels)

If you’re cleaning up a WordPress compromise and the site has Wordfence installed, you have more forensic data than you think. Even on the free plan, Wordfence quietly logs every blocked request, every plugin-vulnerability advisory, every flagged file, and every …

Rotating WordPress salts as incident response: the step everyone skips

by
Close-up of a metal combination lock with rotating numeric dials — visual metaphor for rotating WordPress salts to a new secret combination (photo: Felix Moeller / Pexels)

You’ve cleaned the malware files, deleted the backdoor admin accounts, rotated everyone’s password. The site is fine, you’re fine. Three weeks later someone logs in with a session cookie they grabbed during the compromise window and creates a fresh admin …