Objective

Run a read-only security monitor for aguiarinjurylawyers.com after the June 12 WordPress spam/RCE incident, restricted to the live Cloudways Flexible/Vultr WordPress root at /home/1615235.cloudwaysapps.com/fctbkwwahp/public_html.

Evidence gathered

• Loaded the local vault and connected only to the live Flexible/Vultr host.
• Verified the live root and WordPress context: hostname 1615235.cloudwaysapps.com, path /home/1615235.cloudwaysapps.com/fctbkwwahp/public_html, WordPress 7.0, DB prefix wp_.
• Probed https://aguiarinjurylawyers.com/?seonc=codex_probe_20260613 at the origin using --resolve. Response was HTTP/2 200; the probe string appeared only as the reflected _wp_http_referer hidden input and did not trigger executable output, errors, or code markers.
• Queried wp_posts for WPCode content and spam indicators.
• Queried wp_options for suspicious keys or values.
• Scanned wp-content PHP files for seonc, base64_decode, eval(, shell_exec, passthru, proc_open, assert(, and request-superglobal patterns.
• Enumerated PHP files under wp-content/uploads.

Findings

• wpcode post type exists with 46 rows total; 27 are published.
• No published WPCode snippet contained seonc, shell_exec, passthru, proc_open, base64_decode plus request-controlled execution, or eval of request input.
• Two published WPCode snippets matched broad request-variable markers but were benign on inspection:
  • 60660, Fix: 4xx Batch 301 Redirects - April 2026, line with $_GET['page_id'].
  • 43605, Sitewide Custom SEO Schema, lines handling $_POST['sa_review_stats_nonce'], lou_count, lou_rating, lex_count, and lex_rating.
• wp_options suspicious scan returned expected WPCode storage rows, notably wpcode_snippets and the WPCode library cache, but no seonc marker or active unknown payload.
• Title-level casino spam remains in non-public states only: 53 trash rows and 53 inherit revisions. No published titles matched the focused casino/spam terms.
• wp-content/uploads contains only wp-content/uploads/smush/index.php as PHP.
• Filesystem hits for dangerous primitives were limited to plugin/vendor code:
  • shell_exec in redis-cache-pro console code and Monolog vendor processors inside Kadence and Google Site Kit.
  • proc_open in redis-cache-pro, Monolog vendor code, and a disabled worker plugin under wp-content/plugins-disabled/worker.disabled-20260509-1519/.
  • eval( in gp-premium hook execution, wpcode-premium snippet executor, Redis eval method names, and phpseclib internals bundled with Google Site Kit.
  • base64_decode in WP Rocket, Kadence Pro, WPMUDEV, Rank Math, Smush, Google Site Kit, and related vendor libraries.
• No exact filesystem hits for seonc.
• Uploads PHP beyond the expected index file were not present.