WordPress — Security
Brute force, integrity changes, privilege escalation — attack patterns and audit signals.
WordPress "Sorry, you are not allowed to do that" — diagnosing capability check failures
Your editor is on Slack, frustrated. They opened /wp-admin/post.php?post=4912&action=edit, hit Update, and got a grey page with one line: "Sorry, you are not al…
WordPress admin user added without your knowledge — how to detect privilege escalation
You log into /wp-admin/users.php and there it is: a WordPress admin user added without your knowledge. The username is something forgettable — wpadmin2, support…
WordPress Brute Force Attack Detection from Logs
Security plugins block attacks. But do you know how many are happening, when they spike, and which endpoints are targeted? Your logs do.…
WordPress file integrity monitoring without a paid plugin
A core file under /wp-includes/, a plugin file under /wp-content/plugins/, or a theme functions.php is now different from the version that shipped. Nobody in yo…
WordPress hundreds of new users overnight — detecting bulk spam registration before they pollute your database
You opened wp-admin/users.php this morning and the user count went from 247 to 2,113 overnight.…
WordPress login attempt surge — distinguishing credential stuffing from scanner traffic
Your WordPress site is hammered with login attempts. The auth log is rolling. wpauthfailurestotal jumped from a flat baseline to thousands per minute somewhere …
WordPress logout you didn't perform — detecting session hijacking
You were editing a post, hit Update, and WordPress bounced you to /wp-login.php with the message "Your session has expired. Please log in again." You log back i…
WordPress REST API hammered with login attempts — how to detect credential stuffing
Your WordPress site is slow. The dashboard takes seven seconds to load. PHP-FPM workers are pinned. The Fail2Ban rule you set up two years ago for wp-login.php …
WordPress wp-config.php was modified — how to detect unauthorized changes
You opened your WordPress site this morning and something is off. Maybe redirects to a sketchy domain. Maybe a strange admin user you do not recognise. Maybe no…
WordPress xmlrpc.php under attack — detecting amplification and credential stuffing
Your access log is suddenly full of POST /xmlrpc.php. Thousands of them. Same endpoint, hundreds of IPs, no obvious pattern in the user-agent. The site is slow …