Objective

Take over the WordPress spam injection handoff, contain public exposure, identify the likely backdoor, preserve evidence, and leave a pickup-ready record.

Accomplished

• Built a local evidence folder at /Users/samaguiar/Documents/Projects/admin/security-incidents/wordpress-spam-injection-2026-06-12/.
• Confirmed 60 spam posts, IDs 72343 through 72402, with casino/gambling slugs and outbound spam content.
• Identified malicious WPCode snippet 72065, created 2026-06-09, author user ID 8, exposing arbitrary PHP execution through ?seonc=.
• Backed up the malicious snippet to wpcode-72065-malicious-snippet-backup.txt.
• Disabled and neutralized WPCode snippet 72065 through wp-admin UI: inactive, auto-insert off, on-demand location, inert code body.
• Verified final public state: homepage 200 and clean, all 60 spam URLs 404, sitemap endpoints 200, and ?seonc= marker not executed.
• Wrote INCIDENT-REPORT-wordpress-spam-rce-2026-06-12.md and spam-url-removal-list.txt locally.

Key Decisions

• Did not restore or preserve active execution of the malicious WPCode snippet on production.
• Did not directly write published WordPress post_content.
• Did not rotate app passwords or force logout sessions during this pass because that could break active workflows and needs a short coordinated cutover.
• Treated draft/trash movement of the 60 spam posts as concurrent external/admin activity, not an action performed by this session.

Evidence

• all-spam-url-statuses-after-ui-disable.csv: all 60 spam slugs returned 404.
• homepage-googlebot-final.html: final Googlebot homepage fetch, spam markers absent.
• sitemap-status-final.csv: sitemap index, post, page, category, and video sitemap endpoints returned 200.
• seonc-final.html: exploit marker absent.