Session Export — Rank Math vuln patched (A1 resolved) — 2026-06-01

Importance: High (live-site security) · Status: DONE · Date: 2026-06-01 · Project: Operations + Website

What was done

Confirmed the 2026-05-30 pulse finding against Patchstack: Rank Math SEO free <= 1.0.271 has a Missing Authorization / unauthenticated Homepage Settings Modification vuln (CVSS 5.3), fixed in 1.0.271.1 (disclosed 2026-05-28).
Resolved host drift before touching anything. Vault SSH note still called app21392 the live host (verified 2026-05-22), but production has fully migrated to Vultr. Verified empirically: production = app fctbkwwahp (6360875) on 155.138.233.18, home = <https://aguiarinjurylawyers.com>, was on 1.0.270 (vulnerable). app21392 has no live WP install (migration leftovers only). Staging (emubdqbbhw / 6361384) is stale: WP 6.9.4 vs prod 7.0, Rank Math 1.0.268, content ~5 weeks old.
Skipped the pulse's staging-first step on purpose: staging is too out of sync (different core version) to be a meaningful test gate. Used a backup-based failsafe on prod instead.
Backed up the plugin folder to ~/rankmath-backups/seo-by-rank-math-1.0.270-20260601-193440.tgz (master home, off the docroot).
Updated via WP-CLI over SSH (the reliable lane — REST writes get WAF-spoofed): wp plugin update seo-by-rank-math --version=1.0.271.1.
Flushed object cache + purged Cloudflare (homepage + sitemap).

Verification

Installed version now 1.0.271.1, status active. Rank Math Pro untouched (3.0.111).
Full plugin load via WP-CLI returns clean (no fatal); RANK_MATH_VERSION = 1.0.271.1.
Live homepage re-fetched: HTTP 200, full content, Rank Math meta (title/canonical/description/OG/robots) intact.
Rank Math mu-plugins (sal-rankmath-schema-repair-20260521, sal-rankmath-video-sitemap-compat-20260523, seo-paginated-titles) unaffected.

Rollback (if ever needed)

SSH master@155.138.233.18 → cd ~/applications/fctbkwwahp/public_html/wp-content/plugins && rm -rf seo-by-rank-math && tar xzf ~/rankmath-backups/seo-by-rank-math-1.0.270-20260601-193440.tgz (restores exact prior 1.0.270). Cloudways automated backups also available.

Why the session ended

A1 complete and verified. Stopping for Sam's decision on the remaining deferred items.

Recommended next actions (pending Sam)

A2: Decide fate of legacy DigitalOcean server 1469735 (NYC3) — no longer serves live cname since the 2026-04-19 Vultr migration. Options: verify + final backup + decommission (saves cost), keep as warm rollback 30d, or repurpose as staging.
A3 (optional): Enable Cloudways AI Insights opt-in.