Tag: security

Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)
We were contacted by one WordPress website owner with the issue of a website hack. Consequences of the hack were that their whole website content was deleted, meaning articles, pictures, plugins and themes were gone and visiting the website displayed a blank page. What was left in the folder «wp-content» was a single folder «uploads», new files in the root directory and many custom files «.htaccess» in other folders.

What measures were taken in the first place before restoring the website. To avoid future successful connections from the hacker, all passwords were changed, including database ones, authorization over HTTP was enabled, installation of any files and themes were allowed only over FTP.

What Has Been Done to Find Out the Source of the Hack

The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.

The first step was saving the entire file system in a way where the files can not be created anew but to be saved in their current state (It’s important to know for identifying the creation time of the malicious files).
- saving nginx «access.log» on the date of the detected hack
- saving nginx «error.log» on the date of the detected hack
- saving nginx «syslog» on the date of the detected hack
Input data:
- logs «access.log» (200 MB) «error.log» (47 MB)
- website files
The local repository of Splunk was chosen for the log analysis, data sources were the files «access.log» and «error.log».

To determine the time when the website infection happened, the creation time of the suspicious files in the website folder was inputted.

The next step was selecting a set of lines from the log files within a certain time period and the server response 200, while requests from «admin_ajax» and «wp_cron» were excluded.

Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?

Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme

Furthermore,
- the cybercriminal from the IP address 43.153.77.57 was able to get a response 200 to their POST request while forcing /wp-content/themes/seotheme/db.php?u and in the end a number of malicious files was created which were started being called;
- a set of files «.htaccess» was created and modified specifically for the Apache-like webserver to allow executing files;
- the file «index.php» was modified, added obfuscated malicious code;
- the file «plugins.php» was modified, added obfuscated malicious code;
- the file «pluggable.php» was modified, added obfuscated malicious code;
- there were some eval constructions in the files, and parsing them was impossible.
- It’s also impossible to know the origin of the folder /wp-content/themes/seotheme and the files in it, the reason is self-deletion of the malware results.
How to prevent future hacks:
1. constant monitoring of the website files for any new unknown files in the system,
2. aggressive response to status changes of the «.htaccess» files if you use an Apache web-server
3. force to implement any filesystem actions with a protected FTP account only, you can edit your wp-config.php by adding the code below:
```
define( 'FS_METHOD', 'ftpext' );

define( 'FTP_BASE', '/yoursitepath' );
```
Hacked WordPress website? We’ll clean it for you.

Our experts remove malware, backdoors, and malicious code, restore your website security, and help prevent reinfection — fast, safe, and handled by professionals.

Request Malware Cleanup
February 21, 2026
Security Update: Please Update CleanTalk Anti-Spam to the Latest Version

We’re reaching out to let you know about a security vulnerability that was recently disclosed in the CleanTalk Anti-Spam plugin for WordPress. We’ve already released a fix, and we want to make sure you’re protected.

What happened?

On February 14, 2026, a vulnerability (CVE-2026-1490) was publicly disclosed affecting CleanTalk Anti-Spam plugin versions 6.71 and earlier. The issue was found in the checkWithoutToken function, which relied on reverse DNS (PTR record) resolution to verify incoming requests. An attacker could spoof a PTR record to impersonate CleanTalk servers, potentially allowing them to install unauthorized plugins on a vulnerable site. In a worst-case scenario, this could lead to remote code execution through a chain of exploits.

Here’s the important part: this vulnerability only affects sites running with an invalid or expired or missing API key. If your CleanTalk subscription is active and your API key is valid, the exploitable code path is never triggered. That said, we strongly recommend updating regardless – it’s simply good practice.

What you need to do:

Update the plugin to version 6.72 or later – the fix is already available in the WordPress plugin repository
Verify your API key is active and valid in your CleanTalk dashboard at https://cleantalk.org/my or in your WP Dashboard->Settings->Anti-Spam by CleanTalk.
If you have auto-updates enabled, you may already be on the latest version — but please double-check

Keeping plugins up to date is the most effective way to maintain website security.

What we’ve done on our end:
We patched the checkWithoutToken function to no longer rely solely on PTR records for authorization. The updated verification process uses stronger validation methods that cannot be spoofed. The fix was released in version 6.72, which is available now.

References:
CVE record: https://www.cve.org/CVERecord?id=CVE-2026-1490
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/cb603be6-4a12-49e1-b8cc-b2062eb97f16
Plugin changelog: https://wordpress.org/plugins/cleantalk-spam-protect/#developers

A note from our team:
We take security seriously – both yours and our own. No software is immune to vulnerabilities, but what matters is how quickly they’re addressed and how transparently they’re communicated. We identified the issue, developed a fix, and released the update promptly.

We’re also conducting an internal review of similar patterns across our codebase to prevent this class of vulnerability from recurring.
If you have any questions or need assistance updating, our support team is here to help at support@cleantalk.org.

Best regards,
The CleanTalk Team

February 20, 2026
How to Check wp-content for Malware with Security by CleanTalk?
WordPress powers a significant portion of the internet, making it an attractive target for cyberattacks. Ensuring the security of your WordPress website is paramount. One essential aspect of WordPress security is regularly checking your wp-content directory for vulnerabilities. In this article, we’ll guide you through the process of safeguarding your wp-content folder using the powerful Security by CleanTalk plugin.

Why Checking wp-content for Malware is Crucial?

Your website’s wp-content directory is a critical part of your WordPress installation. It contains themes, plugins, and uploaded media files, making it an attractive target for hackers. Malicious actors often seek vulnerabilities in this directory to compromise your website’s security.

Checking wp-content is vital because it allows you to:
1. Detect Unauthorized Access: Regular checks help you identify any unauthorized changes or suspicious files within your wp-content folder.
2. Prevent Malware Infections: Detecting malware early can prevent it from spreading throughout your site, damaging your reputation and potentially harming your visitors.
3. Maintain Website Performance: A compromised wp-content directory can slow down your site and disrupt its functionality. Regular checks help maintain optimal performance.
4. Protect Sensitive Data: Your wp-content directory may contain sensitive information. Ensuring its security safeguards your data and user information.
Introducing Security by CleanTalk

To streamline the process of checking your wp-content directory and enhancing your WordPress security, we recommend installing the “Security by CleanTalk” plugin. This comprehensive security plugin offers a wide range of features to protect your website, including:
1. Real-time Firewall: Defends your site against malicious traffic and hacking attempts in real-time.
2. Spam Protection: Blocks spam comments and registrations to keep your site’s content clean.
3. Malware Scanner: Regularly scans your website for malware, vulnerabilities, and unsafe permissions.
4. Login Page Security: Protects your login page from brute force attacks.
5. Two-Factor Authentication (2FA): Adds an extra layer of login security for administrators.
6. IP and Country Blocking: Allows you to block specific IP addresses or entire countries to prevent malicious access.
7. Security Audit Trails: Keeps a record of all security-related events on your site for monitoring and analysis.
How to Install Security by CleanTalk

Follow these simple steps to install and activate Security by CleanTalk on your WordPress website:
1. Login to Your WordPress Admin Dashboard: Navigate to your WordPress dashboard by entering your site’s URL followed by “/wp-admin” (e.g., “https://yourwebsite.com/wp-admin“).
2. Go to Plugins: In the left sidebar, click on “Plugins.”
3. Add New Plugin: Click the “Add New” button at the top of the Plugins page.
4. Search for “Security by CleanTalk”: In the search bar, type “Security by CleanTalk” and press Enter.
5. Install and Activate: When you see the plugin in the search results, click “Install Now,” and then click “Activate” once it’s installed.
6. Configure Settings: Visit the “Security by CleanTalk” settings page in your WordPress dashboard to configure the plugin’s settings to your liking. Be sure to set up the malware scanner to check your wp-content directory regularly.
7. Enjoy Enhanced Security: With Security by CleanTalk in place, your WordPress website is now fortified against threats, and your wp-content directory will be regularly monitored for vulnerabilities.
Security by CleanTalk at WordPress.

The Malware scanner checked and found an issue with wp-content.

The Malware scanner cured files at wp-content.

Conclusion

Regularly checking your wp-content directory is an essential part of maintaining a secure WordPress website. To simplify this process and ensure comprehensive protection for your site, we recommend installing the “Security by CleanTalk” plugin. With its wide range of security features, this plugin will help you safeguard your website, keeping it safe from threats and ensuring the integrity of your wp-content directory.

Anyway, if you are unsure how to identify, remove, or clean malware using the plugin, you can book a WordPress malware removal with our Security & Pentest team.

Don’t leave the security of your WordPress site to chance—take proactive steps today by installing Security by CleanTalk and regularly checking your wp-content folder for peace of mind and a secure online presence.
February 18, 2026

Why Even the Best Free Malware Removal Tools Can’t Cure Your Website Completely

If your website was developed using one of the popular CMS like WordPress or others, there are various security plugins for them, which provide permanent protection from malware. But what to do if your site is unprotected and you suspect that it has been infected? Let’s find out together.

6 signs that your website may be infected

First of all, let’s break down when it’s really time for you to think about cleaning your site of malware.

Unusual activity in Server logs
Server logs contain access logs that display the users who have recently accessed your website.
Your website is slow
Hackers deploy DoS attacks to overload your server resources, thus impacting your website speed and performance.
Emails ending in the Spam folder
This happens when your web server is infected with malware. As a result, email servers categorize your emails as “spam”.
Pop-up and Spam Ads
Usually happens when you have installed an insecure plugin or theme. Hackers earn money when visitor clicks on them.
Modified website files
To insert backdoors and other malicious code in your site, hackers often modify your website core files.
Website being redirected
Hackers often deploy cross-site scripting (or XSS) attacks to send your website traffic to unsolicited websites.

What is a manual malware removal

During a manual malware removal, a dedicated cybersecurity specialist is assigned to your site to work on your site from start to complete site cleanup.

Step 1: Clean up the bad stuff
Using SSH and admin access, the specialist reaches your website hosting and gets rid of all viruses, malware, malicious code, and bad links on your website.

Step 2: Restore the site from backup
In case you have a backup he restores the site from backup. Otherwise, he works with the site’s current version.

Step 3: Protect it from future infections
The specialist installs a permanent Security protection plugin to avoid infecting in the future.

Reasons to use manual malware removal instead of automatic

Sometimes automatic solutions can be enough to find the most known viruses and malware and often are low cost or free.

Automatic free malware removal tools can be effective at identifying and removing known malware from a website, but there are several reasons why they may not completely cure a website of all security threats.

Over-insurance and possible data loss
The problem is that they often over-insure and accept your files as bad ones, causing large file and data losses during automatic site cures. A specialist can always distinguish your files from malicious ones even if it’s a custom code.
Evolving Malware
Malware is constantly evolving, with new variants and techniques being developed by cybercriminals. Automatic tools may not always be able to keep up with the latest malware threats.
Hidden Malware
Some malware is designed to be stealthy and can hide in obscure locations within a website’s code or files. Automatic tools may not always detect these hidden threats.
False Positives
Automatic tools may sometimes flag legitimate code or files as malware, leading to false positives. This can result in the removal of essential components of the website, causing functionality issues.
Complex Infections
In some cases, websites may be infected with complex malware that requires manual intervention to fully eradicate. Automatic tools may not have the capability to address these intricate infections effectively.
Vulnerability Patching
While malware removal tools can remove existing infections, they may not address the underlying vulnerabilities that allowed the malware to compromise the website in the first place. It’s essential to also address security vulnerabilities and implement robust security measures to prevent future infections.
Human Expertise
Manual inspection and intervention by cybersecurity experts are often necessary to thoroughly assess the extent of an infection, identify potential backdoors, and ensure that the website is fully secure.

In conclusion, while automatic malware removal tools are valuable for initial detection and removal of known threats, they may not be sufficient to completely cure a website of all security issues. Manual inspection, ongoing security measures, and expert intervention are often necessary to ensure comprehensive protection against malware and other security threats.

Why it is profitable for you to use CleanTalk malware removal

100% refund in case of unsuccessful We will manually clean your site from viruses and malware or refund your money.	10+ years fighting malware of fighting malware and spam all over the Internet. We are aware of all the dangers that can threaten your website and how to deal with them.
30-day support Free 30-day help with reinfection. As a guarantee of our work we continue to be with you and will get back to work if needed.	50+ CVE reports published And we continue to share found vulnerabilities in our blog.
10 000+ active users A lot of loyal users that trust our experience and use our Security protection.	1 year of free Security Plugin Order your Malware Removal now and get 1 year of free Security plugin.

Clean your site from malware today

And get CleanTalk Security Plugin for 1 year for FREE

ORDER MALWARE REMOVAL

February 18, 2026

About the email “[CleanTalk] Access key used on multiple websites”

Recently, some of our users received an email with the subject:

“[CleanTalk] Access key used on multiple websites”

The message informed you that your CleanTalk Access key was detected on more than one website within a 24-hour period and recommended changing the key if the activity looked suspicious.

The notification looked like this:

Subject: [CleanTalk] Access key used on multiple websites

We noticed that your CleanTalk Access key has been used on more than one website within the last 24 hours.

Product: Anti-spam for sites
Access key: your_access_key

List of IPs:
https://cleantalk.org/ipinfo/IP_addr

If you do not recognize these websites, your Access key may have been compromised.
Please change your Access key as soon as possible.

This email was part of a new security feature designed to help prevent possible Access key leaks and unauthorized usage. We recently launched a new security feature that monitors whether a CleanTalk Access key is being used on multiple websites within a short period of time.

The idea behind this was simple — help prevent possible key leaks or unauthorized usage and notify users if something looks suspicious.

However, after launch we discovered an issue in the detection logic. Because of this, many users received this notification by mistake.

That was our error — and we sincerely apologize for the confusion and concern it may have caused.

We have already corrected the algorithm and added additional checks to prevent false alerts in the future.

Thank you for your understanding and for trusting CleanTalk to protect your websites.

If you have any questions, our support team is always here to help.

— The CleanTalk Team

February 11, 2026
A critical vulnerability in WP Statistics threatens over 600,000 websites: CleanTalk Research team discovers complete admin panel takeover method

The CleanTalk Research team has identified a critical vulnerability in the popular WP Statistics plugin (versions up to and including 14.15.3), which is installed on over 600,000 WordPress websites. The vulnerability allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS), leading to administrative session hijacking, admin panel compromise, and potential code execution on the underlying server OS.

This Unauthenticated Stored XSS vulnerability operates through the HTTP User-Agent header. Attackers can execute arbitrary JavaScript in the WordPress admin panel, enabling them to steal session tokens and nonces, escalate privileges, create administrator accounts, and potentially expand access to the operating system if additional attack vectors are available. Most critically, no authentication is required—a single HTTP request is sufficient, making mass automated exploitation trivial.

The WP Statistics development team has released a security update addressing this vulnerability. Website administrators are strongly urged to update WP Statistics to the latest version immediately.

The CleanTalk Research team specializes in identifying and responsibly disclosing vulnerabilities in popular WordPress plugins and themes. We continue to actively audit plugins and publish technical reports on newly discovered vulnerabilities.

Stay informed:
📝 Research Blog: https://research.cleantalk.org/
📱 Telegram Channel: https://t.me/cleantalk_researches/326

REFERENCES
https://research.cleantalk.org/cve-2025-9816/
https://www.cve.org/CVERecord?id=CVE-2025-9816
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-statistics/
https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CleanTalk Security Plugin automatically scans your plugins for known vulnerabilities. The plugin monitors the versions of all your installed plugins and themes and immediately alerts you if a vulnerability is detected in one. As soon as a problem is detected (like with WP Statistics), you receive a notification.

October 17, 2025
Prevent for User Enumeration on WordPress
I’m happy to announce option Prevent collecting of authors logins which you can find under settings,
```
WordPress console -> Settings -> Security by CleanTalk -> General Settings
```
This option disables users IDs enumeration in your WordPress. So, it stands against brute force for authors names. Here is example how the enumeration works in the plain WordPress,
```
https://blog.cleantalk.org/?author=1
```
By executing such links, an attacker brute forces users list on a site to get valid IDs and use it in further attacks.

If you turn option Prevent collecting of authors logins on, the plugin disable enumeration by showing a blank page instead of valid page of author. URL for the blank page like this,
```
https://blog.cleantalk.org/author/honeypot_login_1753432662.9124
```
That’s it! Drop questions in the comment form down below.
July 25, 2025
CleanTalk Research Team Discovers Stored XSS Vulnerability in WP SEOPress Plugin (v7.7.1)
The CleanTalk Research Team identified a critical Stored XSS (Cross-Site Scripting) vulnerability in the WP SEOPress plugin, version 7.7.1. This flaw can be exploited by attackers with contributor privileges to create new admin accounts, potentially granting them full control of your WordPress website.

Understanding Stored XSS (CVE-2024-4899)

Stored XSS vulnerabilities allow attackers to inject malicious scripts directly into your website’s database. These scripts are then executed whenever someone views the compromised content. Unlike reflected XSS, user interaction isn’t required to trigger the attack, making it particularly dangerous.

How Attackers Can Exploit This Vulnerability

An attacker with contributor privileges can exploit this vulnerability by injecting malicious JavaScript code into the “SEO Title” field while creating a new post. This code can then be used to create a new admin account, granting them complete control over your website.

Potential Consequences of an Exploit
- Complete Site Takeover: Attackers could create new admin accounts and seize full control of your website.
- Data Theft: Sensitive information like user credentials, financial records, and even your website’s content could be stolen.
- Website Defacement: Attackers could alter the appearance of your site, inject further malicious code, or display unauthorized content.
- Persistent Backdoors: Malicious actors might install backdoors to ensure continued access even after the initial vulnerability is patched.
Taking Action to Secure Your Website
1. Update Immediately: The most critical step is to update the WP SEOPress plugin to the latest version as soon as possible. This update addresses the vulnerability and safeguards your website.
2. Review User Roles: Carefully review user roles and permissions. Contributors should have the minimum access necessary for their tasks.
Through continuous vulnerability discovery and disclosure, we empower website owners and developers to take preventative measures. We believe that by working together, we can create a robust and secure WordPress ecosystem for everyone.

Stay vigilant. Stay secure.
July 4, 2024
Critical Vulnerability Discovered in Gutenberg Blocks by Kadence Blocks Plugin
Our team at CleanTalk prioritizes the safety and security of the WordPress ecosystem. Through routine security testing, we’ve identified a critical vulnerability in the Gutenberg Blocks by Kadence Blocks plugin. This flaw poses a serious threat to WordPress websites, as it allows attackers to inject malicious code and potentially gain complete control.

Understanding the Threat (CVE-2024-4057)

This vulnerability, classified as Stored XSS (Cross-Site Scripting), enables attackers to embed malicious scripts directly into your website’s content. Unlike some vulnerabilities, Stored XSS doesn’t require user interaction to be triggered. This means anyone visiting your site, not just administrators, could be exposed.

Potential Consequences of an Exploit
- Complete Site Takeover: Attackers could create new admin accounts and seize full control of your website.
- Data Theft: Sensitive information like user credentials, financial records, and even your website’s content could be stolen.
- Website Defacement: Attackers could alter the appearance of your site, inject further malicious code, or display unauthorized content.
- Persistent Backdoors: Malicious actors might install backdoors to ensure continued access even after the initial vulnerability is patched.
Taking Action to Secure Your Website

The most critical step is to update the Gutenberg Blocks by Kadence Blocks plugin to the latest version immediately. This update addresses the vulnerability and safeguards your website.

CleanTalk’s Commitment to WordPress Security

At CleanTalk, we are relentless in our pursuit of discovering and disclosing vulnerabilities to protect the WordPress community. We strongly encourage all website owners to prioritize regular security updates and implement additional security measures like:
- Regular Vulnerability Scans: Proactive scanning helps identify and address potential threats before they are exploited.
- Least Privilege Principle: Grant users only the permissions necessary for their roles to minimize damage in case of a compromise.
- Security Plugins: Consider using security plugins that offer features like malware scanning, firewalls, and real-time threat monitoring.
By working together, we can create a safer and more secure WordPress ecosystem for everyone.

Stay vigilant. Stay secure.
June 24, 2024
Mitigating WordPress.com API Vulnerability
Attention WordPress website owners! We’re excited to announce that the CleanTalk Security Plugin now effectively addresses a well-known vulnerability involving the WordPress.com API.

This vulnerability, previously discussed here, allowed unauthorized actors to potentially trace administrator usernames through a public API endpoint. While disabling the REST API entirely would be ideal, it wasn’t always a viable option for many websites.

The CleanTalk Team Steps Up

We understand the critical nature of this vulnerability and the potential security risks it poses. Our development team has been working diligently to implement a comprehensive solution within the CleanTalk Security Plugin.

This update delivers:
- Enhanced User Data Protection: CleanTalk can now effectively block attempts to exploit the exposed API endpoint, safeguarding your administrator username and other sensitive user data.
- Improved Overall Security: This fix is just one piece of the puzzle. CleanTalk Security offers a robust suite of security measures to keep your website safe from a wide range of threats.
What You Can Do
1. Update Your Plugin: Ensure you’re running the latest version of the CleanTalk Security Plugin to benefit from this critical fix and ongoing protection.
2. Review Your Security Practices: Consider implementing additional security measures like strong password policies and user access restrictions for an extra layer of defense.
CleanTalk: Committed to Your Security

We at CleanTalk are dedicated to providing the best possible security for your WordPress website. We continuously refine our plugin to address both emerging and long-standing vulnerabilities.

For further information on CleanTalk Security and its capabilities, please refer to the plugin’s documentation.

This revised announcement emphasizes the team’s effort in resolving a known issue and highlights the broader security benefits of the CleanTalk Security Plugin.
June 13, 2024