CVE-2026-31431 (Copy Fail) is a Linux kernel local privilege escalation that turns any unprivileged shell into root on essentially every distribution shipped since 2017. Here is how I check it, patch it, mitigate it pre-patch, and understand how the exploit actually works.
Visitors to your WordPress site see a fake 'Cloudflare verification' page telling them to paste a command into Windows Run or Terminal. That's ClickFix, the social-engineering campaign that first appeared in early 2024 and exploded across compromised WordPress sites by autumn. What it does, where the injection lives in your site, and how to clean it without missing the persistence.
The backup plugin running inside WordPress is the same WordPress the attacker just compromised. A 3-2-1 backup strategy with restic or borg, stored outside the trust boundary, and verified by monthly test restores. Configuration, retention, and the exact restore sequence after a compromise.
Wordfence, Sucuri, and every in-WordPress security plugin can be disabled by malware running with the same privileges. The fix is monitoring at a layer the attacker can't touch: AIDE, maldet, or a custom cron-driven script running as root. With working configurations for each.
WordPress security plugins running inside WordPress can be disabled by anything that runs inside WordPress, including the malware they're supposed to catch. The four mechanisms attackers use to silently turn off Wordfence, Sucuri, Jetpack, WP Activity Log, and similar tools, plus the server-side monitoring layer that doesn't depend on WordPress being trustworthy.
wp-config.php is the first PHP file WordPress loads. The defaults from the stock installation are minimal; the hardened defaults take five minutes to apply and close most of the attack surface that lives below the plugin layer. A complete annotated template covering disabled file editing, forced HTTPS, secure salt rotation, debug behavior, and the file permissions that matter.
A cleanup that doesn't identify the entry point is temporary. The methodical access-log analysis that finds exactly which plugin CVE, credential vector, or upload path got the attacker in, with the grep one-liners, the timestamp correlation against file modification times, and the cases where the entry is in a log other than the access log.
Fake administrator accounts that appear in wp_users without anyone creating them are one of the most common signs of a WordPress compromise. The detection SQL, the SQL that finds the mechanism that's creating them, and the cleanup that has to happen at both the user level and the persistence level for the account creation to stop.
Hashcat benchmark numbers for the NVIDIA GeForce GTX 1080 Ti across 152 hash modes, with a modern context: how the 1080 Ti compares to the RTX 3090, 4090, and 5090, and when it's still worth using in 2026.
WordPress malware that survives cleanups isn't stronger malware; it's malware with persistence. A complete catalog of where attackers hide the re-infection logic, wp_options autoload, WP-Cron, server crontab, .htaccess auto_prepend, mu-plugins, drop-ins, custom REST endpoints, and modified wp-config, with detection scripts for each.
If one site in a shared hosting account gets compromised, every other site under the same Linux user is at risk. Cleaning a single site without addressing the shared file system leaves the door open for reinfection from any sibling site. The structural problem and the realistic fixes, open_basedir, suEXEC, isolated users, and when to move hosts.
A step-by-step methodology for finding and removing malware from a compromised WordPress site, written by a Security+ certified engineer who's been cleaning sites since the early WordPress 2.x era. Covers every attack vector: file backdoors, database injections, .htaccess hijacks, wp-config tampering, and recurring reinfection. Originally written in 2016, updated regularly as new patterns emerge.
WPScan v3.8+ usage reference for WordPress security audits: install on Linux/macOS, API token setup, the command patterns that matter (enumerate users, vulnerable plugins, brute force), JSON output, and how WPScan compares to Wordfence, Sucuri, and WPSec.