Three Linux kernel privilege escalations have become public in the past two weeks: Copy Fail (CVE-2026-31431) on April 29, Dirty Frag (CVE-2026-43284 and CVE-2026-43500) on May 7, and Fragnesia (CVE-2026-46300) on May 13. All three turn an unprivileged shell user into root. On shared hosting, any one of them can promote a single compromised customer account into a full-server compromise.

A purpose-built virtual assistant — trained on our own knowledge base — is changing how customers get answers.
When customers reach out for support, every minute matters. A few months ago, we rolled out a new virtual assistant as a web widget across several of our websites and the early results have exceeded our expectations.
Unlike off-the-shelf chatbots, our assistant was built specifically for the customers we serve. We spent months training it on our complete knowledge base, technical documentation, and internal product notes. The goal was not to add another generic chat widget, but to create a digital teammate that understands our products as deeply as our human support team does.

AI agents are becoming a standard hosting workload. Tools like OpenClaw (369,000+ GitHub stars, recently acquired by OpenAI) have moved from developer experiments to production deployments. Hosting customers are installing them on VPS environments, asking for support, and expecting infrastructure that can handle them.

Previously we published a technical teardown of a single malware sample: the "WP Content Optimizer" fake plugin. That analysis revealed a sophisticated backdoor with capabilities ranging from hidden admin creation to blockchain-based payload delivery to systematic security plugin deletion.

Imunify360, ImunifyAV, and ImunifyAV+ now run on Ubuntu 26.04.

Stopping outbound spam keeps your server IPs off blocklists and your customers' mail moving. Inbound spam and phishing is the other half of the problem. It fills customer mailboxes, drives support tickets, and raises the chance that one of your customers hands over credentials to a phishing email.

An attacker gets in through a vulnerable plugin. They drop a backdoor file in wp-content/uploads. In the same session, they write a redirect script into wp_options and a spam link into wp_posts.post_content. A file scanner finds the backdoor. The database UPDATEs stay. The site gets cleaned and still serves pharma spam to search engines the next morning.

During a routine review of Proactive Defense events, our security team noticed widespread activity from what appeared to be a WordPress optimization plugin called "WP Content Optimizer." The plugin header claimed version 3.0.2, authored by "Developer Tools Team," providing "advanced content delivery optimization and site health monitoring."

None of that was true. The plugin is a sophisticated backdoor packed into roughly 1,100 lines of PHP. It creates a hidden administrator account, makes itself invisible, removes security plugins, fights off competing malware, persists through deletion attempts, and delivers encrypted JavaScript payloads fetched from a Binance Smart Chain smart contract.

This post walks through the malware step by step: what it does, how it works, and why it makes the choices it does. We're publishing the full Indicators of Compromise so defenders can check their own environments.

We analyzed an injected copy of Elementor Pro and found three hidden mechanisms that silently hand control of a site's content pipeline to a third-party server. The plugin looks and functions like the original. Only a small code block at the top changes what happens behind the scenes.