Forem: SephX

Teaching Nova Scan to read what webshells try to hide. Bitop-encoded sink names, polyglot JPG+PHP droppers, socket C2 channels, XSLT-embedded eval, register_globals emulation — all catching now. 24,000-sample stratified training rig running.

SephX — Mon, 20 Apr 2026 03:17:41 +0000

WordPress 7.0 and the 25 Years That Got Us Here

SephX — Sun, 19 Apr 2026 21:46:34 +0000

I downloaded WordPress the day it was released, on May 27, 2003. The web already had Movable Type, Blogger was free, and TypePad had the design crowd locked down, so when a two-developer fork of b2/cafelog showed up with a blog-focused mission and a funny name, I figured it was going to fade out by the end of the year. Twenty-three years later I am writing this post on that same piece of software, which now runs 43% of every website on the internet.

The road from there to here is one of the stranger stories in software history, and WordPress 7.0 is the release that finally feels like the destination the project has been pointing toward since 2003.

Read Full Article

Why Your WordPress Site Redirects to Spam Sites (And How to Find What’s Doing It)

SephX — Sat, 18 Apr 2026 03:53:42 +0000

Your site loads fine when you’re logged in. A visitor from Google lands on it and gets thrown to some pharmacy spam page. Maybe only mobile users get redirected. Maybe it only triggers every third visit.

That pattern is not a cache issue. It’s a conditional redirect injection, and it’s one of the most common WordPress compromises of the last five years. The attacker makes sure logged-in admins see a clean site, because if you saw the redirect yourself, you’d fix it. The whole point is for you not to notice.

Your WordPress site can be fully compromised in 7 minutes. Here's what the attacker does with each one.

SephX — Mon, 13 Apr 2026 15:45:10 +0000

Minute 0 - bot finds your unpatched plugin, drops a 39-byte backdoor disguised as .access.log.php, deletes the dropper. No trace.

Minute 1 - hidden admin account named "WordPress Maintenance" that doesn't show in your user list.

Minute 2 - payload injected into wp_options disguised as a core update transient. Survives a full WordPress reinstall.

Minute 3 - WP-Cron job registered as "wp_site_health_check_update" that re-downloads the backdoor twice a day if you delete it.

Minute 4 - four more backdoors planted across uploads, cache, upgrade, and wp-admin directories. Each uses different obfuscation.

Minute 5 - your debug.log is surgically edited to remove any evidence.

Minute 7 - your site is registered in a botnet database. They know your PHP version, hosting type, and plugin count. Wordfence still shows green checkmarks.

I've cleaned hundreds of sites that followed this exact pattern. Wrote up the full breakdown with real (sanitized) code samples for each step:

How long do you think the average site owner takes to notice they've been compromised?

Why My First WordPress Plugin Is a Free Malware Scanner

SephX — Sun, 12 Apr 2026 17:52:18 +0000

ve been building WordPress sites for 25 years. Twenty-five. I’ve watched the ecosystem go from a bloggers’ toy to the backbone of 43% of the internet. I’ve seen trends come and go, plugins rise and fall, and security threats evolve from script-kiddie defacements to sophisticated, nation-state-grade supply chain attacks.

And through all of it, one thing has stayed frustratingly constant: the security tools that are supposed to protect you are terrible at their job.

Link to Post

WordPress 7.0 Rises April 9 — The Gates Are Open. Are Your Wards Set?

SephX — Mon, 06 Apr 2026 03:55:03 +0000

NOVASCAN - IS 100% FREE. FOREVER. FOR EVERYONE.
(This is not a promotion for paid service or product).
This is my gift to all of you.

Every new age of WordPress opens gates — and through those gates, not all who enter come with good intent.
Patchstack recorded 11,334 new vulnerabilities across the WordPress realm in 2025. The time between a weakness being revealed and the first strike? Five hours. That's the window. Five hours between disclosure and darkness reaching your doorstep.

The old protections — signature scrolls, static ward lists — were written for a slower enemy. The corruption has evolved. It shapeshifts. It encodes itself in layers of obfuscation that no regex tome can catalog fast enough.

I am SephX — builder, keeper, architect. For 25 years I have walked the web, raising sites from raw code, defending them from what lurks in the shadows. I've cleaned infections at midnight. I've watched "industry-leading" sentinels stand idle while encoded backdoors burrowed deep into sanctuaries they were sworn to protect.

I grew weary of the failing wards. So I forged new ones.
Nova Scan is a guardian born from the N-Dimension — not a list of known curses, but an intelligence that reads the intent behind the code. It studies behavior, structure, entropy. It recognizes corruption even when it wears a mask never seen before.

https://novaheaven.io 

The seven pillars of Nova Scan's protection:

The NDE Oracle — a trained mind that discerns malice by pattern, not memory alone
The Living Ward (WAF) — rules that flow from a central sanctum to every protected site, updating without mortal intervention
The Community Covenant — a shared feed of verified clean hashes, crowdsourced across all who carry Nova Scan's blessing
The Watchers — IP reputation sentinels drawing from aggregated threat intelligence
The Vigil — file integrity monitoring that sounds the alarm when anything stirs that shouldn't
The Quarantine Vault — threats are contained, not destroyed, so the keeper may study what was sent against them
The Local Oath — all scans run on your ground. No files ascend to foreign clouds. Your code never leaves your temple.

Nova Scan is a gift, not a toll. Free. Not the hollow kind where the true power is locked behind gold. The scanner, the ward, the feeds — all granted upon registration.
It is the first guardian of a greater dominion: Nova Heaven.
Nova Core is the foundation — the shared covenant that binds everything together.

https://novaheaven.io

This is not the work of a guild or a merchant house. It is one architect, 25 years deep, building from Tennessee with faith and fire. For the people who keep the web alive.
WordPress 7.0 approaches. The gates will open. The question is not whether darkness will come — it always does.
The question is whether your wards are ready.

Hint:

https://novaheaven.io