WPPlugins AtoZ

Powered by WPPro AtoZ Host

From Rogue Admins to Clicker Games: Real Talk on WP Plugins & Infrastructure – Plugin Pulse: WP Plugins A to Z Unplugged #17

0:00 / 0:00
From Rogue Admins to Clicker Games: Real Talk on WP Plugins & Infrastructure – Plugin Pulse: WP Plugins A to Z Unplugged #17

Donate to the Show


cards
Powered by paypal

Watch The Video

TLDR Summary of Show

In this episode of Plugin Pulse, we tackle pressing WordPress realities head-on. A sophisticated supply chain attack hit OptinMonster, TrustPulse, and PushEngage via tampered CDN JavaScript files, silently creating rogue admin accounts and backdoors on potentially 1.2 million sites. The payload exploited logged-in admins’ sessions, underscoring how upstream vendor compromises can bypass even up-to-date plugins. We break down the mechanics, IOCs, remediation steps, and broader lessons for supply chain vigilance.
We also explore how AI bot traffic has evolved from an SEO annoyance into a serious infrastructure burden. Kinsta’s analysis of billions of requests shows aggressive crawlers hammering dynamic endpoints, exhausting PHP threads, inflating bills, and distorting analytics. We review practical bot protection plugins like BotBlocker Security, Wordfence, Blackhole for Bad Bots, and Block AI Crawlers, plus core maintenance with WordPress 7.0.1 RC1—packed with bug fixes for compatibility, accessibility, media tools, and the block editor.
For some lighter relief, we spotlight the satirical “Install Clicker” game that humorously captures the grind of running a plugin business. Plus, we highlight upcoming interviews, community ways to get involved, and reminders about Tavern Talk at the Rogue’s Oasis. It’s unplugged, practical talk for devs, site owners, and everyone keeping the WP ecosystem strong.
See you in the dashboard… if you can still find it under all those menus. 🚀🐉

This Shows Featured Promotion

No Featured Promotion this show

Full Show Notes

Doing a weekly podcast can sometimes be a challenge to come up with content week after week, but lets get it started.
This week I am babbling about:
today we’re wading straight into the grit of supply chains under siege, AI bots taxing your servers, essential bot protection tools, a cheeky satirical game every plugin dev needs to try, and the latest maintenance release keeping WordPress stable. Grab your coffee, fire up the dashboard, and let’s get into it — unplugged, unfiltered, and straight from the source.
We are doing something new and make this more interactive you can join the Google Meet limit 2 ppl at a time this will continue for the next while and see how it goes.
Remember you can Join me Live on Show-days Mondays at 12pm PDT by going to https://wppluginsatoz.com/live and clicking the link to this shows Google Meet Link which goes live at showtime.
You can also join me now on Tavern Talk at the Rogues Oasis — where the fire crackles, the ale flows, and straight talk cuts through the night like a rogue’s blade at the Devil’s Crossroad.
We’re back, friends — raw, unfiltered conversations rooted in the wild trails of Vancouver Island and the timeless fight for self-reliance. From homesteading grit and pantry wisdom to the inner wilderness of faith, soul, and everyday storms, we pull up a stool with real talk that arms you for the days ahead.
Live to tape every Sunday ay 7pm PDT
Pull up a chair, grab your mug, and join the fellowship. The door’s open — let’s talk truth.

The Weeks Discussions:

WordPress Drama:

Supply Chain Attack on OptinMonster, TrustPulse, and PushEngage: Tampered CDN Scripts Auto-Creating Rogue Admins
Summary :
This incident is a textbook reminder from the pioneer days of web tech: your site’s security chain is only as strong as its weakest external link. Even fully updated plugins became vectors because the compromise lived upstream on the vendor’s CDN. Over 1.2 million sites were potentially exposed, with attackers planting hidden admins and web shells. Patchstack blocked hundreds of exploitation attempts, but the real fix starts with auditing your own sites. Check for suspicious admin accounts, unfamiliar plugins in wp-content, and rotate credentials if anything looks off. Vendor disclosures and cleanups help, but self-reliance in verification remains key in the WordPress ecosystem.
Supply Chain Attack Hits OptinMonster, TrustPulse, and PushEngage via Tampered CDN Scripts
Back in the early days of the web, we learned the hard way that trusting third-party scripts and delivery networks could open doors we never meant to leave ajar. Fast-forward to June 2026, and that lesson hit home again in a sophisticated supply chain attack targeting popular WordPress marketing tools from Awesome Motive: OptinMonster, TrustPulse, and PushEngage.
Attackers didn’t poke holes in the plugins themselves. Instead, they compromised a CDN API key after exploiting a vulnerability in UpdraftPlus on the vendor’s marketing site. This let them tamper with front-end JavaScript SDK files served to over 1.2 million sites. The malicious code appended to legitimate minified scripts like api.min.js and the PushEngage SDK. It lay dormant until a logged-in admin loaded an affected page in their browser. Then it sprang into action—using the admin’s own session and nonces to silently create rogue administrator accounts (both fixed “developer_api1” and randomized “dev_xxxxxx” variants) and install a stealthy backdoor plugin disguised as something innocuous like “Content Delivery Helper.”
The payload was clever: environment checks to dodge sandboxes and researchers, nonce harvesting from REST API or admin pages, multiple creation vectors (REST, forms, AJAX, iframes), filesystem hiding for the backdoor, and exfiltration to a C2 domain. It weaponized the admin’s browser rather than hitting the server directly, making the requests look perfectly legitimate at the network level. The exposure window was short—mainly June 12-14, 2026—but the impact lingered for any sites where an admin visited during that time.
Further Reading & Links:
We’ll discuss practical checks, what this means for relying on marketing/engagement plugins, and broader lessons for supply chain hygiene on the show. What angle should we expand next—remediation steps, similar past incidents, or listener Q&A?

WordPress News and Items:

WordPress 7.0.1 RC1 is now available
Summary for the Show:
WordPress 7.0.1 RC1 is classic maintenance done right: no flashy new features, just important fixes for compatibility, accessibility, editor smoothness, and media handling. Perfect timing to test in staging, especially if you run on PHP 8.5 or lean heavily on blocks/Gutenberg. For plugin developers, this is your cue to verify compatibility and update any edge-case handling. Small releases like this keep the ecosystem healthy and remind us of the steady, collaborative work that powers the web. Test early, report issues, and help ship a smoother 7.0.1.
WordPress 7.0.1 RC1 Drops – Maintenance Time for Stability
Back in the pioneering days of the web, every new release was a mix of excitement and careful testing—because even small changes could ripple across thousands of sites. That careful rhythm continues today with WordPress 7.0.1 Release Candidate 1 (RC1), now available for testing. This is a focused bug-fix and maintenance release following the 7.0 launch, targeting issues introduced in the 7.0 cycle or intentionally deferred. Final release is slated for July 9, 2026 (subject to testing feedback).
How to Test:
What’s Inside (Key Fixes):
This RC1 includes a solid batch of targeted improvements:
  • Twemoji handling tweaks
  • PHP 8.5 compatibility (array access fix)
  • Image editor and media library polish (scaling, cropping, spinner alignment, lightbox accessibility)
  • Admin reskin and mobile form standardization
  • Block editor and Gutenberg updates (revisions accessibility, blockGap parsing, navigation, custom HTML, visibility rules, and more)
  • CSS and emoji script fixes
  • Publishing button layout and search bar positioning in the media library
Led by release folks including @jorbin, @cbravobernal, @estelaris, and @masteradhoc, with plenty of community testing and patches. It’s all about tightening things up so your sites—and the plugins running on them—stay reliable.
Links:
This pairs well with our bot protection and infrastructure discussions—staying current on core keeps everything else running smoother. Thoughts from the community on these fixes, or plugin impacts to cover? Let’s hear it!

Some SEO Stuff:

Why bot traffic is now an infrastructure problem (not just an SEO problem)
Summary for the Show:
Bot traffic has crossed a threshold: it’s no longer just about crawl budgets or SEO signals but about server threads, database load, and hosting economics on WordPress. With AI crawlers driving massive dynamic requests, site owners face higher bills, unreliable metrics, and performance hits that don’t show up as traditional attacks. The fix demands smarter tools—rate limiting, classification, and policy decisions tailored to your site type—rather than blanket blocks. This is the new reality for anyone running WP in production: treat infrastructure as the frontline of bot management, or watch your resources (and customers) suffer quietly.
Why Bot Traffic Is Now an Infrastructure Problem (Not Just an SEO Issue)
In the early web days, we tinkered with crawlers and indexing like curious builders laying the first bricks of search. Googlebot and friends politely mapped our sites, and that was mostly it. But today, in 2026, the landscape has shifted dramatically. What started as an SEO concern—managing bots for better rankings—has evolved into a full-blown infrastructure headache for WordPress sites, especially those running dynamic setups like WooCommerce.
Kinsta’s deep dive, based on analyzing over 10 billion requests across their managed hosting, paints a clear picture. AI crawlers and automated bots have exploded in volume. GPTBot alone surged over 300% in a year, with AI bots jumping from roughly 1 in 200 visits to 1 in 31 by late 2025. These aren’t just polite indexers anymore. They hammer uncached, dynamic endpoints—think cart pages, filtered products, search queries, and AJAX calls—that force your server into real PHP work: reserving threads, querying databases, and handling sessions. One ClaudeBot example? 3.75 million add-to-cart requests in a single 24-hour period. Another loop generated 550 million requests over 30 days. That’s not abstract; it exhausts resources, inflates bills, queues legitimate users, and leads to slow loads or errors for real visitors.
The old “block bad bots, allow good ones” model breaks down here. AI training crawlers and inefficient loops get stuck in URL variations (parameters, sessions, filters), bypassing caches and treating every tweak as fresh content. This distorts analytics, drives up hosting costs on visit-based plans, and turns bots into a silent tax on performance. Kinsta responded with bandwidth-based plans and built-in bot protection that classifies traffic (verified bots, likely humans, automated, etc.) with tunable levels—striking a balance so you don’t nuke Googlebot visibility while curbing resource hogs.
Further Reading & Links:
This pairs well with our recent supply chain discussion—both highlight how external dependencies (CDNs, bots) now directly impact core site stability. Thoughts on covering specific mitigation plugins or hosting tweaks for the episode?
Exploring WordPress Bot Protection
Summary:
No single plugin rules them all, but the right mix lets you classify and control bots without breaking search visibility or e-commerce flows. Focus on early interception for performance (BotBlocker), deep visibility (Wordfence), or targeted traps (Blackhole/Block AI). Test in staging—monitor PHP threads, logs, and real-user impact. In this AI-heavy web, bot protection is now core infrastructure hygiene, not just a security checkbox. Combine plugins thoughtfully with hosting/CDN features for the best results.
Exploring WordPress Bot Protection Plugins for the AI Era
Back when the web was young, we dealt with simple crawlers that followed rules and helped build the searchable internet. Today, with AI bots flooding in—often ignoring polite signals and hammering dynamic resources—WordPress site owners need smarter defenses. These plugins go beyond basic security to tackle infrastructure strain from aggressive crawlers, scrapers, and loops.
Standout Options:
  • BotBlocker Security: A dedicated firewall that intercepts threats early (before full WordPress loads) with multi-layer protection. It excels at AI/LLM crawler management—allowing or blocking specifics like GPTBot, ClaudeBot, and PerplexityBot via verified IP ranges. Features include advanced CAPTCHAs, brute force protection, fake crawler detection via FCrDNS, live traffic monitoring, and WooCommerce payment bypasses. Lightweight with low overhead; free core is robust, with PRO for cloud intel. Great for performance-focused sites.
  • Wordfence Security: The veteran all-in-one with a strong endpoint firewall, real-time blocking, and live traffic views that shine for spotting bot patterns. It handles rate limiting, country blocks (Premium), malware scanning, and integrates well for ongoing threats. Excellent visibility into who’s hitting your site, including aggressive crawlers. Ideal if you want comprehensive security bundled with bot tools.
  • Blackhole for Bad Bots (by Jeff Starr): A clever, lightweight trap. It adds a hidden “blackhole” link that good bots (respecting robots.txt) ignore, but bad ones follow—triggering an instant block. Simple, effective for resource hogs and scrapers with minimal overhead. Pro version adds more features.
  • Block AI Crawlers: Ultra-focused and set-it-and-forget-it. Automatically updates robots.txt to disallow dozens of AI training bots (GPTBot, Claude, etc.). No settings needed—perfect lightweight companion for content owners prioritizing control over scraping without full firewall complexity.
Other notables include CleanTalk Anti-Crawler for anti-flood and behavior-based blocking, and Shield Security with its AntiBot Detection Engine for behavioral analysis. Many pair these with hosting-level tools (like Kinsta’s Bot Protection) or Cloudflare for layered defense.
Further Links:

V for V for the show

Make mention here about the “Revival of The Tavern at the Oasis” Podcast  fid the episodes here https://theroguesoasis.com/tavern-talk-podcast-show/ or find us in your favourite podcast app. 
If you get any value out of this show then donate that value back to the show. You can do so through time, talent, or treasure – or all 3!! – through our website wppluginsatoz.com.
Click on the ‘Treasure Donations’ link on the left-hand menu, or on the ‘Time, or Talent‘ pages to find out more!
Sign up for newsletter https://wppluginsatoz.com/news

Security Stuff:

WordPress Malware Removal
Invisible Hacks, Cloaking Attacks & Why Your Scanner Might Be Blind
In the early web days, we quickly learned that what you see isn’t always what search engines or attackers see — a lesson that still stings in 2026. Aditya Arsharma shared a sobering personal story: his own site was compromised for 11 days with cloaking malware. To regular visitors, the scanner, and even himself, everything looked perfectly clean. To Googlebot, it served gambling spam in a foreign language, quietly tanking rankings while the dashboard showed green.
The attack was sophisticated: user-agent-based cloaking (serving different content to bots vs humans), payload hidden outside wp-content, a tiny backdoor file for re-entry, and no obvious plugin vulnerability — likely a stolen password. Scanners living inside WordPress simply can’t see what’s served only to crawlers, database infections, or certain premium plugin code. Aditya backs this up with sobering stats: ~30k sites hacked daily, 91% of new vulns in plugins, SEO spam on 42% of infected sites, and Japanese keyword cloaking as a top infection.
He responded by building (and open-sourcing) a new malware removal tool that thinks like Googlebot and an attacker: full server scans, log analysis, Googlebot user-agent testing, safe quarantining, and core file verification from official sources. It’s designed to overcome the blind spots of traditional scanners. He also teased future multi-site capabilities via SproutOS.
Summary for the Show:
This is a powerful reminder that modern WordPress security demands looking beyond the dashboard. Cloaking attacks exploit the gap between what plugins see and what the wider web sees. Combine good scanners with manual checks (Googlebot user-agent testing, full-server scans, log review), strong password hygiene, and tools that inspect from the outside. Aditya’s open-source project is a welcome addition to the toolkit. Test your own site today — if Google and your scanner disagree, trust Google. Great discussion fodder for supply chain risks, bot behavior, and proactive defense.
Further Links:

Educational:

Best 30 Web Development Podcasts in the US
MillionPodcasts.com maintains a curated ranking of the Best 30 Web Development Podcasts in the US (as of early July 2026). The list highlights active shows with details on hosts, listener demographics (mostly US-based developers, entrepreneurs, and engineers), average episode length, Apple ratings, and contact info for potential collaborations or outreach. Top entries include North Meets South Web Podcast (Jake Bennett & Michael Dyrynda), Web Design Business with Josh Hall, WP Tavern Jukebox (Nathan Wrigley), Syntax (Wes Bos & Scott Tolinski), and The Bike Shed. Many focus on practical web dev topics, WordPress, frontend frameworks, business advice for designers/devs, and open-source discussions.
The directory serves as a useful discovery and networking resource for the broader web development community, emphasizing shows with strong engagement and recent activity. It includes a mix of general web dev, framework-specific (Ruby, Angular, Django), and WordPress-adjacent podcasts. For Plugin Pulse listeners, it’s a great way to explore complementary shows like WP Tavern Jukebox or others covering business, security, and tooling in the ecosystem. Overall, the page underscores the vibrant, ongoing conversation in web development podcasting.

Tip of The Day:

Satirical game on the realities of running a plugin business [FREE]
Warning it mildly addictive…
Satirical Take on Plugin Business Life + “Install Clicker” Game
In the early web days, we built, broke, and rebuilt things with a healthy dose of humor and grit—because running your own corner of the internet was equal parts pioneering adventure and chaotic reality. That spirit lives on in today’s WordPress plugin ecosystem, where developers juggle code, support, marketing, updates, and the endless “just one more feature” pull. A fresh satirical gem captures exactly that.
Satirical Game on the Realities of Running a Plugin Business [FREE]
Reddit discussion:
Warning: It’s mildly addictive.
Quick Rundown & Review:
“Install Clicker” delivers a clever, tongue-in-cheek simulation of plugin business life. Click your way through installs, chase updates, wrangle support tickets, dodge scope creep, and navigate the highs and lows of trying to keep a product alive in the WP ecosystem. It satirizes the grind—revenue dips, feature requests, maintenance marathons—with just enough idle mechanics to keep you coming back “for one more cycle.”
Lightweight, browser-based, and free, it lands as both entertaining distraction and oddly therapeutic mirror. For plugin devs and agency folks, the humor hits close to home without being mean-spirited. It’s the kind of creative outlet that reminds us why we tinker: the satisfaction of a well-running site (or game) and the camaraderie in shared struggles. Perfect share for the community—could spark great interview stories or Tavern Talk reflections on sustainability, burnout, and the fun side of building in public.
This fits right alongside our recent infrastructure and security chats: the plugin world demands resilience, smart tools, and a sense of humor. Have you played Install Clicker? What part of the satire rang true (or hilariously exaggerated) for your plugin journey? Drop thoughts in the comments or bring them to an upcoming interview—we’re booking more developer and community conversations now. Keep shipping, keep laughing, and stay curious out there.

Upcoming Interviews and Available times:

     Reminder that we have more interviews coming up in the coming weeks with more developers and community members https://wppluginsatoz.com/book-an-interview-on-wp-plugins-a-to-z-podcast/
Upcoming Interviews: Marcin Dudek July 13 and Marcus Burnette on July 27
Available interview dates:   Aug 24th  and Sept 21, 2026.

Other Shows and places to get WP Info & Training

The WP Builds Podcast
WP Roads
WP-Tonic
Worlds Worst Web Developer
WP Mayor
wp Minute
The WP Week newsletter
Kitchensink WP

Table of Contents

Affiliate Links
  • Termageddon Use Termageddon to help comply with privacy laws such as the CPRA, GDPR, UK DPA, CalOPPA, PIPEDA, and more. They will also help you comply with consumer protection laws, provide eCommerce disclosures, and limit your liability. Click on our link here!
    Termageddon
  • Rank Math Rank Math is a fantastic company to work with on your sites SEO. The Free version will give you everything you need to get started and get your SEO up to a place where you will get noticed! The Premium version is like getting VIP Treatment when it comes to the tools available. The documentation they have available is in easy to read, every day language so that it does not require a degree to understand how to use the tools!
    Rank Math
  • Bunny.net Quick easy CDN that is affordable. Great prices, easy to use! Click on our link here!
    Bunny.net
  • Glow WP Maintenance Manager Use coupon code WPPAZ10 10% discount on their subscription, for life.
    Glow WP Maintenance Manager

Your Hosts

John Overall

Over 16 years a counting for WP Plugins A to Z more about John click this.

Amber Linn

Since 2020 Amber has been making WP Plugins A to Z the place to be more about Amber click this.

Highlighted Links
Categories
Archives

WP PLUGINS A to Z

SUBSCRIBE to the WP Plugins A to Z newsletter and get exclusive insights delivered straight to your inbox. – DON’T MISS OUT!

We don’t spam! Read our privacy policy for more info.

Book an Interview on WPPluginsAtoZ

If You're a Plugin/Theme Developer or WP Community Member

Book your interview now.