We’re excited to launch the first-ever Monthly Security Update on WebHosting.Today, and we couldn’t be more pleased to do it alongside three of the most respected names in hosting and WordPress security: Blackwall, returning as a Diamond sponsor, and Monarx and Patchstack, who now join WebHosting.Today as Gold Sponsors.

This is more than a new content series. It’s a commitment.

As threats continue to evolve across hosting platforms, WordPress environments, and cloud infrastructure, security can’t be treated as an afterthought or a reactive checkbox. It has to be ongoing, practical, and informed by the people who are actively fighting these threats every day. By bringing Blackwall, Monarx, and Patchstack together, we’re creating a monthly security briefing that blends real-world threat intelligence, actionable insights for hosts and agencies, and clear guidance for protecting modern hosting stacks.

Each month, this update will break down what matters most: emerging attack patterns, vulnerabilities to watch, mitigation strategies, and what hosting providers should be doing right now to stay ahead. No fluff, no fear marketing, just informed perspectives from teams on the front lines of security.

We’re proud to kick off 2026 with sponsors who share our mission: raising the bar on education, transparency, and security leadership across the hosting ecosystem.

Welcome to WebHosting.Today’s Monthly Security Update.

Traffic Management in 2026

Over the past decade, hosting service providers have faced a persistent set of challenges:

  • Security is not a one-time activity.
  • Threats are continuous and keep evolving, and have to be managed that way.
  • Small and mid-sized providers traditionally lack dedicated R&D resources.
  • The gap between what security requires and what is practical has never been wider.

This resource gap led to the rise of the outsourced security model. Providers were compelled to route their traffic, their most valuable asset, through a handful of global “black box” platforms that typically bundled a content delivery network (CDN) with a Web Application Firewall (WAF).

This model worked well for a while, yet it inevitably created a dependency trap. Providers, in many cases, became resellers for a few dominant big-tech platforms, sacrificing margins, customer relationships, and service independence.

Today, that model is collapsing. The threat landscape is accelerating, now driven by AI. In 2024 alone, nearly 8,000 new vulnerabilities were discovered, and 43% of them could be exploited without any authentication.

These aren’t just code flaws; they are new, open doors for automated, AI-driven threats (like bots and API abuse) that overwhelm the often static, rules-based WAFs of the legacy cloud model. This situation presents a turning point. Providers can either continue to operate within the limitations of the old model or seize this moment to reclaim their traffic.

A new, provider-centric paradigm is now essential. It’s a framework that shifts control from the monopoly back to the provider’s infrastructure. It is a blueprint for turning security from a cost center into a high-margin revenue stream.

That’s why Blackwall is running the Web Traffic Management Survey. Not to produce another generic report, but to capture real, practical input from people who deal with web traffic every day. Responses are anonymized, and participants get access to the final findings.

👉 Take the Blackwall: Traffic Management Survey

WP Security Helper – The Stealth Backdoor Infecting 70,000 WordPress Sites 

A fake WordPress plugin called “WP Security Helper”, discovered by the Monarx security research team, has silently compromised over 70,000 sites. The malware hides its string literals behind PHP octal and hex escape sequences, for example \165\163\x65\x72\x73\x2e\160\150\160, which PHP resolves to users.php only at runtime, and scatters its control flow with goto statements so that signature-based scanners see nothing recognisable. It also conceals the attacker-created accounts: the Users screen lists only the currently logged-in administrator, and the dashboard user count is falsified to “1” even when ten hidden admin accounts exist.

To maintain stealth, the plugin also removes itself from the Plugins list unless a secret request parameter is supplied. Monarx warns that any site potentially affected by this 70,000+-site botnet needs immediate action.
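As an added illustration (this is neither Monarx’s tooling nor the plugin’s own code), the following Python resolves the PHP escape obfuscation described above and counts goto statements in a plugin source file. The PHP inside it is a constructed minimal sample built around the exact escaped literal quoted above, not the malware.

```python
import re

# Constructed minimal sample, not the plugin's source: a double-quoted PHP
# string built from the escaped literal quoted in the write-up, plus a small
# goto ladder of the kind used to scatter control flow.
SAMPLE_PHP = r'''<?php
$f = "\165\163\x65\x72\x73\x2e\160\150\160";
goto a1;
a2: echo $f;
a1: goto a2;
'''

# PHP double-quoted strings resolve \xHH (1-2 hex digits) and \NNN (1-3 octal digits).
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# A double-quoted PHP string literal, allowing backslash-escaped characters inside it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
GOTO_RE = re.compile(r'\bgoto\s+[A-Za-z_]\w*\s*;')


def decode_php_escapes(literal):
    """Resolve the hex and octal escapes in a PHP string literal to plain text."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, literal)


def find_obfuscated_strings(php_source, min_escapes=3):
    """Return (raw_literal, decoded) for each string carrying min_escapes or more escapes."""
    hits = []
    for m in STRING_RE.finditer(php_source):
        raw = m.group(1)
        if len(ESCAPE_RE.findall(raw)) >= min_escapes:
            hits.append((raw, decode_php_escapes(raw)))
    return hits


def count_goto(php_source):
    """Count goto statements; legitimate WordPress plugin code essentially never uses them."""
    return len(GOTO_RE.findall(php_source))


def scan_php(php_source):
    """Summarise the two evasion traits named in the write-up for one file."""
    return {
        "decoded_strings": [decoded for _, decoded in find_obfuscated_strings(php_source)],
        "goto_count": count_goto(php_source),
    }


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
```

Run `scan_php` over every `.php` file under wp-content/plugins and wp-content/mu-plugins; a file whose decoded strings name other PHP files or WordPress hooks, combined with any goto count above zero, is worth a manual read regardless of what the plugin header claims to be.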

What to Do 

  • Force a logout of all sessions to terminate any unauthorized access. 
  • Reset all administrator passwords across the site and implement CAPTCHA to protect sensitive endpoints such as your login and registration pages. 
  • Consider implementing 2FA for all Administrators. 
  • Rotate the authentication keys and salts in wp-config.php; this invalidates every existing login cookie.  
  • Manually delete the malicious plugin folder over FTP/SFTP/SSH:
    /wp-content/plugins/wp-security-helper/  
  • Audit the wp_users table directly (not the dashboard, whose user list and count the plugin falsifies) for any accounts you did not create.  

The Fake “HTTP2 Basic Cache Engine” Plugin and its Variations 

A new campaign discovered by the Monarx security research team involves a fake WordPress plugin named HTTP2 Basic Cache Engine, deployed across more than 100,000 websites using compromised admin credentials. Once installed, the plugin drops a heavily obfuscated JavaScript backdoor that first performs several stealth checks and does nothing if the visitor is a logged-in admin, a crawler such as Baidu or Semrush, or is requesting a technical path such as wp-admin, wp-login.php, XML, robots.txt, or .js files.  

If those checks pass, the script works through a rotating list of Base64-encoded C2 URLs, fetches the malicious code via AJAX, and injects it into the page through the wp_footer hook. The payload then performs malicious redirects, ad injection, or credential theft, backed by self-healing logic that automatically moves on to the next C2 domain if the first one becomes unavailable.  
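The following Python, added here as an example rather than Monarx’s tooling, pulls every Base64 run out of a JavaScript file, decodes the ones that are printable text, and keeps those that parse as http(s) URLs, which yields the C2 list in the script’s own rotation order. The script it analyses is constructed, and the decoded hosts c2-one.example and c2-two.example are placeholders, not the campaign’s domains.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample, not a capture from the campaign: an array of Base64
# strings such as the injected script keeps for its C2 rotation, one unrelated
# Base64 value, and a path check of the kind described above. The decoded
# hosts c2-one.example and c2-two.example are placeholders.
SAMPLE_JS = r'''
var k = ["aHR0cHM6Ly9jMi1vbmUuZXhhbXBsZS9hcGkvZ2V0", "aHR0cHM6Ly9jMi10d28uZXhhbXBsZS9hcGkvZ2V0", "Y29uZmlnLmpzb24="];
if (/wp-admin|wp-login\.php|xml|robots\.txt|\.js$/.test(location.pathname)) { k = []; }
'''

# A run of Base64 alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r'[A-Za-z0-9+/]{12,}={0,2}')


def decode_b64_candidates(text):
    """Yield (blob, decoded_text) for each Base64-looking run that decodes to printable ASCII."""
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (a long identifier, a hash, ...)
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary data, not a string the script would use as a URL
        if decoded.isprintable():
            yield blob, decoded


def extract_c2_urls(js_source):
    """Decoded http(s) URLs in the order the script lists them, i.e. its failover order."""
    urls = []
    for _blob, decoded in decode_b64_candidates(js_source):
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            urls.append(decoded)
    return urls


def c2_hosts(js_source):
    """Sorted unique hostnames, ready to grep outbound connection or DNS logs for."""
    return sorted({urlparse(u).hostname for u in extract_c2_urls(js_source)})


if __name__ == "__main__":
    for i, url in enumerate(extract_c2_urls(SAMPLE_JS), 1):
        print(f"C2 #{i}: {url}")
    print("hosts:", c2_hosts(SAMPLE_JS))
```

Because the backdoor rotates through the whole list, block or watch every decoded host, not just the first one that resolves; the failover logic means the second and third entries are exactly what the script will use once the first is taken down.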

What we suggest doing to stay secure:  

  • Remove the fake HTTP2 Basic Cache Engine plugin immediately if present.  
  • Check for injected JavaScript inside core and theme files and in database entries (for example wp_options and wp_posts).  
  • Review admin login logs for evidence of compromised credentials. 
  • Reset all administrator passwords across the site and implement CAPTCHA to protect sensitive endpoints such as your login and registration pages. 
  • Consider implementing 2FA for all Administrators. 
  • Inspect outbound traffic from the server for connections to the Base64-decoded C2 domains.  

Analyzing the ‘Fake Browser Updates plugin’ Campaign: A Deeper Dive 

A new malware campaign analyzed by the Monarx security research team involves a fake WordPress plugin designed to show fake browser update pages specifically to WordPress administrators. The attack relies on compromised credentials harvested from large credential databases to install a maliciously altered plugin file, which then downloads and executes JavaScript from persistancejs.store. The payload is shown only to administrators and uses the User-Agent header to decide which fake update to present. Once triggered, it renders a fake Java update page, and clicking the update button downloads an installer.exe from secure-java-update.com, infecting the administrator’s workstation with a Windows Remote Access Trojan (RAT). The domain secure-java-update.com has since been taken down.  

Monarx also traced the attacker infrastructure through observed IP traffic involving several related fake plugin variants, including multiple versions of modern-recent-posts.php and plugin.php as well as ZIP archives served from IPs such as 195.133.44.149 and 185.177.59.104. These payloads comprised several variants, each with its own SHA256 hash, which shows that the same infrastructure was distributing several malicious plugins at once: the operators behind the fake browser updates plugin were pushing additional malicious payloads in parallel.  

What to Do:  

  • Remove any unexpected plugins resembling modern-recent-posts and any other unfamiliar plugin files.  
  • Check for outbound requests to persistancejs.store and secure-java-update.com.  
  • Audit administrator accounts for signs of compromised credentials.  
  • Reset all administrator passwords across the site and implement CAPTCHA to protect sensitive endpoints such as your login and registration pages. 
  • Consider implementing 2FA for all Administrators. 
  • Inspect core and plugin directories for unexpected PHP files or ZIP archives, and review your access.log entries from IPs such as 195.133.44.149 and 185.177.59.104.  
  • Scan the workstations of any administrator who may have clicked the fake update prompt for a RAT infection.  

Fake Wordfence MU-Plugin – A Deep Dive into a Nasty Backdoor 

The Monarx Security Research team found a sophisticated malicious “Must-Use” (MU) plugin cleverly disguised as Wordfence Security, which has been deployed to more than 52,000 websites. This isn’t a simple piece of malware; it’s a multi-stage attack designed to grant attackers persistent access, steal administrator credentials, and exfiltrate sensitive server data. Because must-use plugins load automatically and never appear in the normal Plugins list, the backdoor cannot be deactivated from the dashboard. The plugin lets the attackers authenticate to the site as an Administrator, effectively impersonating a legitimate user, then intercepts logins and exfiltrates the username and password (along with other server information) to the following URL:

hxxps://phnwcloud[.]qpon/myweb3/web/saveDomains.php?p=[timestamp] 

Monarx observed this fake must-use plugin being dropped by a fake plugin stored in /wp-content/plugins/up/, which was actively accessed from IPs such as 23.247.137.197, 203.27.106.243 and 203.27.106.245. 

What to Do:  

  • Review the folder /wp-content/mu-plugins/ and remove any unfamiliar plugin files.  
  • Review your logs for HTTP POST requests to any file within the folder /wp-content/plugins/dd/ and for any request from the IPs shared above. 
  • Audit administrator accounts for signs of compromised credentials.  
  • Reset all administrator passwords across the site and implement CAPTCHA to protect sensitive endpoints such as your login and registration pages. 
  • Consider implementing 2FA for all Administrators. 
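The two write-ups above give IP addresses and plugin paths to look for in web server logs. As an added example (not part of the original posts), the Python below parses access log lines in the common “combined” format and flags requests from those IPs and POSTs to the dropper paths; the log lines in it are constructed, not real traffic, and the dropper paths are the two spellings that appear above.

```python
import re
from collections import Counter

# Indicators named in the two write-ups above.
KNOWN_BAD_IPS = {
    "195.133.44.149", "185.177.59.104",                     # fake browser-update plugin payloads
    "23.247.137.197", "203.27.106.243", "203.27.106.245",   # fake Wordfence MU-plugin dropper
}
DROPPER_PATHS = ("/wp-content/plugins/up/", "/wp-content/plugins/dd/")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Feb/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.27.106.243 - - [02/Feb/2026:10:01:09 +0000] "POST /wp-content/plugins/up/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Feb/2026:10:02:31 +0000] "POST /wp-content/plugins/dd/x.php HTTP/1.1" 200 44 "-" "python-requests/2.31"
195.133.44.149 - - [02/Feb/2026:10:05:00 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Feb/2026:10:06:12 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(entry):
    """Why a request deserves a look; an empty list means nothing matched."""
    reasons = []
    if entry["ip"] in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if entry["method"] == "POST" and entry["path"].startswith(DROPPER_PATHS):
        reasons.append("post-to-dropper-path")
    return reasons


def triage(log_text):
    """Return [(entry, reasons)] for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append((entry, reasons))
    return findings


def new_source_ips(findings):
    """IPs that hit a dropper path but are not on the published list: candidate new IOCs."""
    return sorted({e["ip"] for e, r in findings
                   if "post-to-dropper-path" in r and e["ip"] not in KNOWN_BAD_IPS})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for entry, reasons in hits:
        print(f'{entry["ip"]:16} {entry["method"]:5} {entry["path"]:45} {", ".join(reasons)}')
    print("unlisted IPs posting to dropper paths:", new_source_ips(hits))
    print("flagged requests per IP:", Counter(e["ip"] for e, _ in hits))
```

Treat the path match as the stronger signal: the listed IPs are only the ones observed at the time of writing, whereas any POST into a plugin directory that was never legitimately installed is evidence of a dropper regardless of source address, and the unlisted IPs it surfaces are the ones worth adding to your own blocklist.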

Major Security Gap Revealed: Only 26% of WordPress Vulnerabilities Blocked by Web Hosts

New research from Patchstack exposes a critical weakness in web hosting security, finding that leading hosting providers blocked just 26% of WordPress vulnerability exploits tested – even when using popular security solutions like Imunify360, Monarx, and Wordfence.

The study tested 30 real-world WordPress vulnerabilities across multiple hosting providers, revealing that server and network-layer security tools struggle to protect against application-layer threats.

“The results of this research are not that surprising – server and network layer solutions are simply not effective at catching application layer threats,” said Mart Virkus, Head of Marketing at Patchstack. “One thing that stood out though was the huge performance differences of hosting companies who used the same security suites.”

The research revealed that custom internal WAFs performed better against generic vulnerabilities than commercial solutions, but “pretty much nothing worked against WordPress-specific vulnerabilities,” according to Virkus.

Perhaps most concerning, many hosting providers may be unaware of these gaps. “I think most of them genuinely thought their existing solutions were protecting their customers,” Virkus noted. “Though based on two studies we’ve done now, this just isn’t the case.”

The findings suggest hosting companies need WordPress-specific, application-layer security solutions to adequately protect their customers.

ModularDS 0-day exploitation

A critical zero-day vulnerability in the Modular DS WordPress plugin was disclosed last month after being actively exploited in the wild, putting more than 40,000 WordPress sites at risk. The issue allowed attackers to gain administrator-level access without authentication, giving them the ability to fully compromise affected websites.

Modular DS is a widely used plugin for managing WordPress sites, which made the impact of the vulnerability particularly severe. Successful exploitation could allow attackers to create unauthorized admin accounts, alter site content, or install malicious software, leading to data loss or long-term site compromise.

The flaw was discovered and reported by Patchstack, which confirmed that exploitation was already underway before disclosure. Given the seriousness of the issue, Patchstack coordinated closely with the Modular DS development team to ensure a fast and responsible response. This collaboration enabled the vendor to move quickly from confirmation to remediation.

A fixed version of the plugin was released within hours, closing the vulnerability and reducing further risk to site owners. Users are strongly encouraged to update immediately and review their sites for suspicious activity. The incident underscores how coordinated disclosure and rapid patching remain essential to securing the WordPress plugin ecosystem.