June 19, 2026

Spam blocker or drama dropper?

From a 7 KB file to a 13-year backdoor operation

A tiny hidden file exposed a 13-year website break-in trail — and the comments got messy

TLDR: A hidden file inside a WordPress spam-check plugin allegedly led to a 13-year backdoor operation affecting websites through dozens of plugins. But in the comments, readers were just as fired up about the article sounding AI-written as they were about the security scare itself.

This story has everything: a tiny mystery file, a fake-looking website helper, a years-long trail of shady plugins, and a comment section instantly swerving into its own side quest. The article’s core reveal is genuinely wild: a harmless-seeming WordPress captcha plugin for blocking spam comments allegedly hid a secret installer that could quietly plant a backdoor on websites, report home, and erase the evidence. What started as one odd 7 KB file snowballed into a claim of one operator using 19 accounts over 13 years. For site owners, that’s the digital equivalent of finding out your front-door lock came with a secret copy of the key.

But the community? Oh, they were less focused on the cloak-and-dagger crime plot than on how the story was written. The hottest reaction was basically: sure, the investigation is juicy, but did an AI write the whole thing? One commenter called it “Definitely AI written” and still admitted it was a fun read, which is almost the internet’s version of a backhanded standing ovation. Another groaned that they got tired of hearing “Claude the whole way through,” and even mocked the idea of asking artificial intelligence to run a simple internet lookup command. In other words: the article uncovered a possible long-running web attack, and the comments immediately turned it into a debate about robot writing, style, and whether the investigator outsourced the detective work to a chatbot. Classic internet: massive security bombshell on stage, and the crowd is heckling the narrator’s vibe.

Key Points

  • The article says a 7 KB `.dat` file removed from the WordPress plugin `wp-advanced-math-captcha` decompressed into a PHP dropper.
  • The decoded payload identified itself as a SiteGuarding tools installer and allegedly wrote `siteguarding_tools.php` into the WordPress root, contacted `apitest.siteguarding.com`, and deleted itself.
  • The article says the same plugin also contained code referencing `image-optimizer-x`, which the author interpreted as a forced-install mechanism for a second plugin.
  • According to the article, `image-optimizer-x` later added `CMSPlughubAPI_LicenseValidator.php`, a 981-line file that contained two hardcoded RSA private keys and a downloader pointed at `api.cmsplughub.com`.
  • The article states the investigation eventually connected 27 older plugins, then 6 more and 9 more, to a single operator using infrastructure across 19 accounts since 2013.
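
A defender's sweep of a WordPress tree for the artifacts named in the Key Points above, as an added example that is not code from the article or its author. The indicator strings are the ones quoted on this page; the function names, the match rules and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicator names come from the Key Points above; treating them as match rules is this example's assumption.
SUSPECT_FILES = {"siteguarding_tools.php", "CMSPlughubAPI_LicenseValidator.php"}
SUSPECT_PLUGINS = {"wp-advanced-math-captcha", "image-optimizer-x"}
SUSPECT_HOSTS = (b"apitest.siteguarding.com", b"api.cmsplughub.com")
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA )?PRIVATE KEY-----")

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    findings = set()
    for plug in SUSPECT_PLUGINS:
        rel = os.path.join("wp-content", "plugins", plug)
        if os.path.isdir(os.path.join(root, rel)):
            findings.add((rel, "named plugin installed"))
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in SUSPECT_FILES:
                findings.add((rel, "named file present"))
            if not name.lower().endswith(".php"):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for host in SUSPECT_HOSTS:
                if host in data:
                    findings.add((rel, "references " + host.decode()))
            if PEM_KEY.search(data):
                findings.add((rel, "embedded private key"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a minimal fake WordPress tree, not real plugin code."""
    plug = os.path.join(root, "wp-content", "plugins", "image-optimizer-x")
    os.makedirs(plug)
    with open(os.path.join(root, "siteguarding_tools.php"), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    with open(os.path.join(plug, "CMSPlughubAPI_LicenseValidator.php"), "w") as fh:
        fh.write("<?php $u='https://api.cmsplughub.com/'; $k='-----BEGIN RSA PRIVATE KEY-----';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_wordpress(tmp), sep="\n")
```

Plain string matching will not see inside the compressed `.dat` payload the article describes, so the file-name and plugin-directory checks are what cover that case. Because the dropper reportedly deleted itself, a clean sweep does not rule out an earlier install.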

Hottest takes

Definitely AI written — Krutonium
still a fun writeup — Krutonium
I got tired after hearing Claude the whole way through — abofh