The wp_options.siteurl hijack: how a one-row UPDATE redirects every visitor and how to spot it before Google does

One of the simplest, oldest, and still most effective WordPress compromises is a single SQL update. The attacker gets one query into your database — through any RCE, SQLi, or stolen-credential path — and runs:

UPDATE wp_options
   SET option_value = 

Detecting WordPress malware via reverse-DNS lookups on outbound POST requests: 30 lines of bash that catches exfil

The interesting thing about WordPress malware in 2026 is that most of it doesn’t try to hide on disk anymore. Filesystem scanners catch the obvious things — random PHP at webroot, .hph extension shadows, polyglot images. The newer payloads live …