Hardening wp-config.php: a complete 2026 checklist
Eleven practical changes that lock down WordPress's most sensitive file — including three that most "ultimate guides" still get wrong.
Read article →
Real incidents, real fixes, no fluff. Every post is grounded in something we actually saw on a hacked WordPress site this year.
We pulled the audit logs from 1,200 sites scanned this quarter and ranked the CVEs that actually got exploited. Three of them have patches available. One of them is a zero-day. Here's what to fix tonight.
What to do, what not to do, and the single most common mistake that destroys forensic evidence on a compromised WordPress install.
Read article →
XML-RPC lets attackers test thousands of password combinations per request. Here's how the attack works, why fail2ban often misses it, and three layered fixes.
Read article →
"Critical" doesn't always mean "fix today." A short guide to interpreting CVSS scores in the context of a real WordPress site, with examples.
Read article →
Hiding /wp-admin behind a custom URL feels clever — until you realize what it actually achieves (and what it doesn't). A pragmatic take.
Read article →
We ran the same audit pipeline through GPT-4o, Claude Sonnet 4.6, and Gemini 2.5 across 800 sites. Here's where each model wins, fails, and surprises.
Read article →