When the backdoor lives in the database: hunting a persistent WordPress compromise
incident-response, wordpress, mysql, persistence, malware-analysis
I inherited a neglected WordPress site that had quietly turned into an SEO spam farm. Cleaning files, deleting rogue admins, enforcing 2FA and rotating secrets all failed — the persistence lived one layer below the application, in a malicious MySQL trigger.