Blog

  • Anatomy of a WordPress.org supply-chain attack: the six ways in

    Six ways an attacker turns a trusted WordPress.org plugin into a foothold on your site, each drawn from a real campaign I have traced, with the code that made it work. Plus the one method you cannot scan for, and what actually catches all of them.

  • The hall of shame for WordPress admin notices

    I have wanted a public database of WordPress admin notices for years. Every WordPress professional knows the feeling. You log into /wp-admin/ to do one small thing, and the top…

  • From a 7 KB file to a 13-year backdoor operation

    Most plugin closures are uneventful. A developer stops responding, wp.org pulls the plugin, the listing goes dark, and that is the end of it. My WP Beacon scanner flags these…

  • Gravity SMTP Exploit Campaign

    The last few weeks have been whack-a-mole with my Mailgun account. My Mailgun account kept getting locked. I would clear a compliance issue, watch everything come back online, and a…