Anchor Hosting Security

Defense-in-depth security across every WordPress site we manage — continuous monitoring, automated scanning, vulnerability tracking, and rapid incident response.

  • Uptime Monitoring (every 5 min): HTTP health checks with retry logic and escalating alerts
  • Malware Scanning (every code change): Wordfence CLI + custom signatures on every quicksave
  • Core Integrity (daily checksums): Every core file verified against official WordPress checksums
  • Nightly Backups (daily · retained indefinitely): Full-site backups with incremental storage, all history kept
  • Vulnerability Scanning (rolling fleet coverage): Security Finder audits every plugin and theme against known CVEs
  • PHP Version Compliance (follows PHP EOL schedule): All sites on supported PHP versions with compatibility fixes

1. Continuous Monitoring

These checks run automatically on every site, every day, with no manual intervention.

Monitoring
Homepage Capture & Injection Detection
daily

CaptainCore captures each site's homepage HTML and compares it to the previous capture. New injected scripts or stylesheets trigger an immediate email alert with the affected page, severity level, and signature details.

  • Detects inline script injection, external script sources, and rogue stylesheets
  • Pattern-matched against a signature database of known malicious and safe domains
  • Severity levels: critical, high, medium
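
The capture-to-capture comparison described above, as an added example that is not CaptainCore's code. The domain lists are constructed placeholders, and the mapping from finding to severity is an assumption, since the page names the levels but not how they are assigned.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for the signature database (not CaptainCore's data).
SAFE_DOMAINS = {"cdn.example.com"}
MALICIOUS_DOMAINS = {"bad-cdn.example.net"}

class AssetCollector(HTMLParser):  # gathers script/stylesheet URLs and inline script hashes
    def __init__(self):
        super().__init__()
        self.assets, self._inline = set(), None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.add(("script", a["src"]))
        elif tag == "script":
            self._inline = []  # buffer the inline script body
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.assets.add(("stylesheet", a["href"]))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body, self._inline = "".join(self._inline).strip(), None
            if body:  # hashing makes an edited inline script show up as new
                self.assets.add(("inline-script", hashlib.sha256(body.encode()).hexdigest()[:12]))

def collect(html):
    parser = AssetCollector()
    parser.feed(html)
    return parser.assets

def severity(kind, value, site_host):
    """Assumed mapping; the page names the levels, not how they are assigned."""
    host = urlparse(value).hostname or site_host  # relative URL: same site
    if kind != "inline-script" and host in MALICIOUS_DOMAINS:
        return "critical"
    if kind != "inline-script" and (host == site_host or host in SAFE_DOMAINS):
        return None
    return "medium" if kind == "stylesheet" else "high"

def diff_captures(previous_html, current_html, site_host):
    new_assets = sorted(collect(current_html) - collect(previous_html))
    scored = [(severity(k, v, site_host), k, v) for k, v in new_assets]
    return [finding for finding in scored if finding[0]]
```

Calling diff_captures(previous_html, current_html, "site.example") returns one (severity, kind, value) tuple per newly appeared asset; assets on the site's own host or on a known-safe domain are dropped.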
Monitoring
Malware Scan on Code Change
every quicksave

Each time a quicksave detects file changes in plugins, themes, or mu-plugins, the changed files are automatically scanned with Wordfence CLI and CaptainCore's own malware signature database.

  • Scans .php, .js, .html, .svg, .phtml, .phar files
  • 7+ built-in threat signatures (HSEO Blockchain C2, plugin self-hiding, unauthenticated admin login, remote eval, SEO spam, and more)
  • Findings trigger an API alert with site details and matched signatures
Monitoring
WordPress Core Checksums
daily

Every site's WordPress core files are verified against official checksums daily. Modified or unexpected files generate an alert listing each discrepancy.

  • Detects modified core files (potential backdoor injection)
  • Detects extra files that shouldn't exist in core directories
  • Email alert includes file paths and modification type
Monitoring
Google Web Risk Check
daily

Every production site's home URL is checked against Google's Web Risk API for four threat categories.

  • Malware — distributing malicious software
  • Social Engineering — phishing or deceptive content
  • Unwanted Software — distribution of unwanted programs
  • Social Engineering Extended — broader phishing detection
Monitoring
Uptime & Health Monitoring
every 5 min

HTTP health checks run every 5 minutes against every site's homepage with retry logic (3 attempts across system and Cloudflare DNS) and escalating notifications.

  • Validates HTTP status code and HTML integrity (checks for closing </html> tag)
  • Escalating alerts: immediate, then 1h, 4h, and 24h follow-ups
  • Tracks restored sites and sends recovery notifications
  • 10 parallel checks with 15s/60s timeouts
Monitoring
CaptainCore Helper — Hardening
always on

Every Anchor Hosting site comes preinstalled with the CaptainCore Helper must-use plugin, which applies baseline hardening protections automatically.

  • User enumeration protection — blocks ?author=N queries, REST API /wp/v2/users endpoint, author sitemaps, and oEmbed author URLs for unauthenticated visitors
  • Generic login errors — replaces WordPress messages that reveal whether a username exists with a single generic error
  • WordPress version hidden — removes the generator meta tag from HTML and RSS feeds
  • Author archive protection — returns a 404 for author archives with no published posts, preventing username confirmation
  • IP-based password reset restrictions — limits password reset requests using geolocation data
Monitoring
CaptainCore Helper — Security Logger
always on

The CaptainCore Helper records a tamper-evident audit trail of security-critical events on every site, queryable via WP-CLI.

  • User lifecycle — registrations, deletions, role changes, password resets, super admin grants/revocations
  • Plugin & theme lifecycle — installs, updates, activations, deactivations, deletions (both admin UI and WP-CLI)
  • Security-critical options — tracks changes to users_can_register, default_role, admin_email, and header/footer code injection settings
  • File editor access — logs theme/plugin file edits made through the WordPress admin editor
  • Application passwords — creation and deletion of app passwords
  • WPCode snippets — logs when code snippets are saved or modified

2. Automated Maintenance

Nightly automation keeps every site backed up, versioned, and up to date — and each quicksave automatically triggers malware scanning on any changed files.

Maintenance
Nightly Backups
daily 12:05 AM

Full-site backups are generated every night across all sites, running 40 in parallel. Sites backed up within the last 4 hours are skipped to avoid redundant work.

  • All previous backups are retained indefinitely — efficient incremental storage keeps long-term costs low
  • Ensures a clean restore point is always available within 24 hours
  • Critical for rapid recovery during malware incidents
Maintenance
Nightly Quicksaves
daily 12:15 AM

Quicksaves capture a versioned snapshot of all plugins, themes, and mu-plugins every night, running 16 in parallel. When file changes are detected, the changed files are automatically scanned for malware — making this both a versioning system and a nightly security scan.

  • Git-based versioning tracks exactly what changed and when
  • Changed .php, .js, .html, .svg files are scanned with Wordfence CLI and CaptainCore's malware signatures
  • Malware findings trigger an immediate alert with site details and matched signatures
  • Sites with a quicksave within the last 4 hours are skipped
Maintenance
Managed WordPress Updates
weekly

Plugin and theme updates are applied automatically on a staggered schedule for sites with updates enabled.

  • Staging environments — updated Fridays at 6:15 AM (16 in parallel)
  • Production environments — updated Wednesdays at 6:15 AM (16 in parallel)
  • Updating staging first gives a window to catch issues before production
  • Keeps plugins patched against known vulnerabilities without manual intervention
Maintenance
PHP Upgrades & Compatibility Fixes
follows PHP EOL schedule

We track PHP's official supported-versions (end-of-life) schedule and proactively upgrade all customers to a currently supported PHP version. Each upgrade includes fixing compatibility issues across themes and plugins.

  • All sites are automatically kept on an actively supported PHP version unless a customer requests a downgrade
  • Theme and plugin PHP compatibility issues are identified and resolved before or during the upgrade
  • Deprecation warnings, fatal errors, and breaking changes are addressed across the fleet

3. Scheduled Scanning

Deeper scans that run on a regular schedule to catch issues the continuous monitors might miss.

Scanning
Security Finder Vulnerability Scan
~20 sites/day

Audits WordPress plugins and themes against the Security Finder vulnerability database. Scans roll through the fleet at approximately 20 sites per day, ensuring full coverage on a regular cycle.

  • Checks installed component versions against known CVEs and CVSS scores
  • Covers both Production and Staging environments
  • Findings are filtered to critical and high severity for immediate attention
Scanning
PHP Error Sweep
weekly 3-4 batches

Identifies sites with the largest PHP error logs, analyzes the errors, applies fixes, and logs the results. Run in 3-4 batches across the week to keep error noise low and catch issues before they escalate.

  • Fetches top sites by error log size from Anchor Hosting
  • Analyzes error patterns and applies targeted fixes
  • Each fix is logged to CaptainCore's process log for audit trail

4. Vulnerability Management

Centralized tracking, triage, and coordination when vulnerabilities are discovered.

Vuln Mgmt
Security Finder Integration

Security Finder maintains a database of WordPress component vulnerabilities with audit records, severity scores, and remediation guidance. The CaptainCore Manager pulls from this database to map threats to specific sites.

  • Inventory — fleet-wide plugin/theme inventory with version tracking
  • Affected sites — which sites run a vulnerable component, with SSH connection info for direct remediation
  • Threat tracking — status workflow (tracking → investigating → resolved) with timestamped notes
  • Process logs — resolution actions are logged on each affected site
Vuln Mgmt
Alert Types

CaptainCore Manager sends targeted email alerts for different threat scenarios:

Alert | Trigger | Details Included
Malware detection | Wordfence/signature match on quicksave | Filename, signature name, description
Core checksum failure | Modified or unexpected core files | File paths, modification type
Injection detected | New script/stylesheet in homepage capture | Page, severity, injected element
Google Web Risk | URL flagged by Web Risk API | Threat type, confidence
Uptime failure | Site unreachable or invalid HTML | HTTP code, error, escalation count
Default role changed | Suspicious default user role setting | Role name

5. Patch & Remediation

When critical vulnerabilities are confirmed, patches are built and deployed fleet-wide.

Remediation
Security Patch Deploy
as needed

Patched plugin/theme ZIPs are built, stored permanently in B2 cloud storage, and deployed to all affected sites in parallel.

  • Patches stored at Anchor-B2:CaptainCore/plugins/ with public CDN URL
  • Deployed to up to 20 sites concurrently via SSH
  • Each deployment verified and logged
  • Affected sites identified automatically from Security Finder data
Remediation
Malware Cleanup
on compromise

Full-stack malware remediation for compromised sites. Kills persistence mechanisms, removes malicious files, reinstalls WordPress core, resets credentials, and runs verification loops until the site is confirmed clean.

6. Forensic & Hunting Tools

On-demand tools for deep investigation, incident response, and proactive threat hunting across the fleet.

Forensics
malware-hunt

Comprehensive standalone scanner built from real-world incident response. Detects backdoors, web shells, obfuscation techniques, C2 communication, SEO spam, and more — over 50 distinct detection patterns.

Category | Examples
Core integrity | Modified files, read-only anti-forensics, timestamp spoofing
Backdoors & shells | NightJar, Weevely, eval chains (base64, gzinflate, openssl), cookie/IP-gated shells
Dangerous file locations | PHP in uploads, PHP hidden in images/CSS, random-named files, malicious db.php
Malicious plugins | Self-hiding plugins, fake Yoast, Keitaro TDS, trojanized Easy Google Fonts
C2 communication | Known C2 domains, blockchain-based resolvers, Adspect cloaking
Obfuscation | Hex encoding, chr() building, goto spaghetti, XOR loops, HTML entity names

Runs on individual sites or fleet-wide with --quiet mode for bulk scanning. Automatically excludes plugins that pass WordPress.org checksum verification to minimize false positives.

Forensics
detect-fake-dates

Identifies files with forged timestamps — a common attacker anti-forensic technique where file modification times are set earlier than file creation times.

  • Five-pass filtering eliminates migration artifacts, host-managed directories, and known-benign files
  • Content-based backdoor detection on remaining suspicious files
  • Risk levels: backdoor (content match), high (PHP in uploads), forged (timestamp only)
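
The timestamp comparison and the three risk levels above, as an added example that is not the detect-fake-dates tool itself. It covers only the comparison and the ranking; the content signature, the two-second tolerance, and the sample records are constructed for illustration.

```python
import re

# Constructed signature: a decoder's output fed straight into eval/assert.
BACKDOOR_RE = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXTENSIONS = (".php", ".phtml", ".phar")
TOLERANCE = 2  # seconds of slack for timestamp granularity (assumption)

def classify(record):
    """record: dict with path, mtime, btime (epoch seconds) and content."""
    if not record["btime"]:
        return None  # filesystem reported no birth time, nothing to compare
    if record["mtime"] >= record["btime"] - TOLERANCE:
        return None  # modified at or after creation: consistent
    if BACKDOOR_RE.search(record["content"]):
        return "backdoor"
    path = record["path"].lower()
    if "/uploads/" in path and path.endswith(PHP_EXTENSIONS):
        return "high"
    return "forged"

def scan(records):
    """Return (risk, path) pairs, most serious first."""
    order = {"backdoor": 0, "high": 1, "forged": 2}
    hits = [(classify(r), r["path"]) for r in records]
    return sorted((h for h in hits if h[0]), key=lambda h: (order[h[0]], h[1]))

# Constructed records; on Linux the two times could come from
# GNU `stat --format='%Y %W'` (%Y = mtime, %W = birth time, 0 if unknown).
SAMPLE = [
    {"path": "wp-content/themes/x/functions.php", "mtime": 1600000000,
     "btime": 1700000000, "content": "<?php // theme"},
    {"path": "wp-content/uploads/2024/01/img.php", "mtime": 1600000000,
     "btime": 1700000000, "content": "<?php echo 1;"},
    {"path": "wp-content/plugins/seo/helper.php", "mtime": 1600000000,
     "btime": 1700000000, "content": '<?php eval(base64_decode("..."));'},
    {"path": "wp-config.php", "mtime": 1700000500,
     "btime": 1700000000, "content": "<?php // config"},
    {"path": "wp-content/plugins/a/a.php", "mtime": 1600000000,
     "btime": 0, "content": "<?php // no birth time"},
]
```

Files restored from an archive or a migration keep their old modification time and match the same comparison, which is the noise the tool's filtering passes exist to remove.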
Forensics
detect-elevated-permissions

Audits WordPress roles and user capabilities for unauthorized privilege escalation.

  • Scans all non-administrator roles for dangerous capabilities (manage_options, edit_plugins, install_plugins, etc.)
  • Detects individual users with capabilities injected directly into usermeta
  • Checks default registration role and open registration settings
Forensics
db-code-audit

Scans the WordPress database for executable code stored in options, WPCode snippets, and widgets.

  • Detects credit card skimmers, obfuscated eval patterns, data exfiltration, fake payment forms
  • Checks for PHP backdoor functions and superglobal access in stored code
  • Whitelists legitimate CDN domains to reduce false positives
Forensics
find-fake-plugin

Detects trojanized plugins pushed via compromised admin accounts. Verifies file hashes against known malicious payloads and scans for similarly-named suspicious directories.

Forensics
Additional Tools
  • check-security-log-size — monitors security log table growth, filterable by size threshold
  • php-in-uploads — targeted scan for PHP files and obfuscation in the uploads directory
  • capture scan --malware — fleet-wide scan of homepage captures for injected scripts
  • check-fathom-changes — monitors third-party analytics script integrity (SHA256 hash comparison every 6 hours)

Schedule Summary

Check | Frequency | Scope
Uptime monitoring | every 5 min | All monitored sites
Malware scan on code change | every quicksave | Changed files
Homepage capture & injection detection | daily | All sites
WordPress core checksums | daily | All sites
Google Web Risk check | daily | All production sites
Nightly backups | daily 12:05 AM | All sites (40 parallel)
Nightly quicksaves + malware scan | daily 12:15 AM | All sites (16 parallel)
Third-party script integrity | every 6 hours | Fathom Analytics
PHP upgrades & compatibility fixes | follows PHP EOL schedule | All sites
Managed updates — staging | Fri 6:15 AM | Staging (updates on)
Managed updates — production | Wed 6:15 AM | Production (updates on)
Security Finder vulnerability scan | ~20 sites/day | Rolling fleet coverage
PHP error sweep | weekly 3-4 batches | Top error-log sites
Security patch deploy | as needed | All affected sites
Full malware hunt / forensic tools | on demand | Individual or fleet