Category: Tutorials

Security, Tutorials, WordPress

The ‘fake plugin’ WordPress malware family: how to spot random-named directories in bulk

One of the most common WordPress malware patterns I’ve cleaned in the last two years isn’t a webshell or a credential stealer — it’s a “fake plugin” or “fake theme.” The attacker creates a directory in wp-content/plugins/ or wp-content/themes/ with …

Security, Tutorials

The hard problem of sanitizing user-uploaded SVGs (and why most libraries get it wrong)

The Scratch team’s blog post on SVG sanitization (linked from Hacker News this week) is one of those technical write-ups that really should be required reading for anyone who lets users upload images to a web app. The author’s account …

Security, Sysadmin, Tutorials

SSH ProxyJump: reach private servers through a bastion without copying keys to it

You have a private server in a VPC that’s only reachable through a bastion host. The “obvious” way to SSH there is the wrong way: copy your private key onto the bastion, then SSH from bastion to the private box. …

macOS, Sysadmin, Tutorials

Time Machine to a Linux Samba share: the smb.conf that actually works (vfs_fruit, EA, posix locking)

Apple wants you to buy a Time Capsule, an iCloud subscription, or at minimum a Thunderbolt-attached SSD. None of that helps if you already have a Linux box sitting on your network with a few terabytes of free space. Time …

Security, Tutorials, WordPress

The one SQL query that catches almost every backdoor admin in WordPress

If a WordPress site of yours has been compromised — even briefly, even silently — there’s a very good chance it now has at least one administrator account that you didn’t create. Most WP malware families plant one as part …

Security, Tutorials, WordPress

Block WordPress REST API user enumeration without breaking the admin

By default every WordPress install since 4.7 leaks usernames over a public, unauthenticated REST endpoint. Anyone — no login, no auth header, just a browser — can hit https://yoursite.com/wp-json/wp/v2/users and get a JSON array of every user the site considers …

Sysadmin, Tutorials

~/.ssh/config power user features: ProxyJump, ControlMaster, IdentitiesOnly, and a starter file

Most people use ~/.ssh/config as a glorified shortcut file: Host server with a HostName and a User, save five seconds of typing. That’s the entry point, and it’s fine. But the file is a much more powerful configuration system …

Sysadmin, Tutorials, WordPress

Recovering a malformed wp_options.active_plugins: the SQL REPLACE() trap and how to rebuild

You have a WordPress site that’s returning HTTP 200, the homepage renders, but something’s quietly off. WooCommerce features aren’t loading. The LiteSpeed Cache settings page is empty. The MailPoet sender isn’t sending. None of these would normally fail at the same …

Security, Tutorials, WordPress

Block PHP execution in wp-content/uploads on OpenLiteSpeed: the right .htaccess snippet

wp-content/uploads/ is the most predictable target on a WordPress install. It’s writable by the web server (so any compromise that gets a file uploaded lands here), it’s almost never inspected by malware scanners with the same vigilance as wp-includes/, …