Blog
RSSWriting on penetration testing, bug bounty triage, WordPress incident response, and the vulnerabilities behind real cleanups.
· 3 min read
The first hour after a WordPress hack
A calm, ordered checklist for the first hour after you discover a compromised WordPress site — what to do, what to preserve, and what not to touch.
-
· 3 min read
The five ways WordPress sites actually get compromised
WordPress core is rarely the problem. Here are the five entry vectors behind almost every compromise I clean, and the realistic fix for each.
-
· 2 min read
Japanese SEO spam, explained
What Japanese SEO spam actually is, why it only shows up in Google and not on your own screen, how it persists, and what removing it properly involves.
-
· 2 min read
Burst Statistics auth bypass (CVE-2026-8181): in the wild
A 9.8 CVSS authentication bypass in the Burst Statistics plugin is being exploited. 200K+ sites affected. Here's a quick triage.
-
· 3 min read
How to know your WordPress site is hacked (a triage checklist)
A practical checklist for WordPress site owners and agencies. Six signals of compromise, plus the first commands to run before touching the install.
-
· 2 min read
Someone bought 30 WordPress plugins and backdoored all of them
Plugin acquisition as an attack vector. If a plugin you trust changes hands and ships a 'security update' you didn't ask for, that's the playbook.
-
· 2 min read
One million WordPress sites: file read + SQL injection
Wordfence disclosed a vulnerability chain affecting more than a million WordPress installs. What it means for site owners — and how to tell if you're exposed.
-
· 2 min read
WordPress 5.7 XXE: how it works and why you patch it
Sonar's writeup of the WordPress 5.7 XML External Entity bug — what it leaks, where to find it, what fixed it.
-
· 2 min read
WordPress: a delete-a-file bug escalated to RCE
Sonar wrote up a chained WordPress vulnerability where arbitrary file deletion was escalated to code execution. A classic reminder: just deleting a file is rarely just.
-
· 4 min read
A WordPress hardening checklist that actually closes doors
The hardening steps I apply on every threatover engagement. None of them are clever; together they remove most of the easy ways into a WordPress install.
Weekly WordPress threat briefing
New CVEs, what's being exploited, and notes from recent cleanups. Self-hosted; your address is not passed to any third party.
Double opt-in. One-click unsubscribe in every email. No tracking pixels.
Email [email protected] or use the contact form.