Year: 2026

WordPress is a free, open-source content management system used to create and manage websites without needing much coding (WordPress.com: Everything You Need to Build Your Website).

The tool let you build (The Build websites, write blog posts, Design pages, Manage content easily) from a dashboard.

WordPress itself is secure, but poor setup such as (Weak passwords, Outdated plugins and others) can make a site vulnerable which leads to the threat actors targeting your website.

To prevent it, we need to follow some recommendations. Let's have a look at them.

Recommendations:

Update WordPress core, themes regularly
Auto update for the plugin or regularly scan to detect any vulnerability
Delete unused plugins, themes
Use long, unique passwords not reused anywhere
Change the default “admin” username
Enable 2FA (two-factor authentication)
Block malicious traffic
Limit login attempts
Install an SSL certificate such as Let’s Encrypt
Daily or weekly backups
DDOS protection plugin
Maintenance windows plugin
Plugin to accept or refuse the usage of Cookies
Banner for GDPR or Privacy plugin
Reduce brute-force attacks on your WordPress site by hiding wp-login.php changing the login URL so bots can’t easily find it.
Store backups off-site
Change default database prefix for example mywebsite.com/wp-admin to mywebsite.com/change
Restrict file permissions:
wp-config.php contains your database credentials, security keys, and sensitive settings, so it should be protected by following the recommendations:
Move wp-config.php outside web root
Add .htaccess protection
Set permissions to 400/440
Disable file editing plugin if not needed
Disable XML-RPC if not needed
Hide WordPress version
Use a Web Application Firewall
Hide all the webpage or make them not accessible for example
Add to robots.txt. For example:

User-agent: *
Disallow: /

Block access via .htaccess:

Order Deny,Allow

Deny from all

Allow from YOUR_IP

Protecting phpMyAdmin is critical because if someone gets access, they can control your entire WordPress database (users, passwords, content, everything).
Change or hide phpMyAdmin URL:

Default URLs:

/phpmyadmin
/pma
/mysql

Like you see, they are many configurations and settings to implement to make your WordPress website more secure. Be aware that security should be the first step to start your WordPress journey.

Main News

OSINT tools to monitor the Strait of Hormuz

Bangaly Koita 4 weeks ago

The Strait of Hormuz is one of the most important chokepoints in the world economically, militarily, and politically.
Around 20 to 25% of the world’s oil supply passes through this narrow strait.

Major oil exporters like Saudi Arabia, Iran, Iraq, Kuwait, and United Arab Emirates rely on it.

It’s also critical for liquefied natural gas (LNG), especially exports from Qatar.

If the strait is disrupted, global oil prices can spike immediately.

Due to the conflict between Iranian, Israel and USA. The situation remains unclear.

The vessels are not travelling through the Strait Hormuz.

Monitoring the Strait of Hormuz using OSINT relies on combining maritime tracking, satellite imagery, news, and geopolitical analysis tools. Here are the main categories and widely used tools:

1. Vessel Tracking (AIS Data)

These tools track ships in real time using AIS (Automatic Identification System), which is crucial for monitoring oil tankers and naval activity.

MarineTraffic: Global Ship Tracking Intelligence | AIS Marine Traffic

The MarineTraffic is a commercial online ship-tracking and maritime analytics platform that visualizes global vessel movements in near real time. It aggregates data from a vast community AIS (Automatic Identification System) receiver network plus satellites, serving everyone from hobby ship-spotters to logistics, insurance, and energy companies.

Ship & Container Tracking - VesselFinder

The VesselFinder is an online and mobile software platform providing real-time Automatic Identification System (AIS) vessel tracking and maritime analytics. It enables users to view ship positions, voyage details, and port activity globally, serving both casual users and maritime professionals. Its open-access approach and map-based interface have made it one of the most visited AIS tracking tools worldwide.

2. Satellite Imagery Platforms

The Satellite Imagery Platforms can be used to verify activity even when AIS is turned off (dark ships) such as:

Detecting ship (clusters)

Monitoring military buildup or port congestion

Oil spills or maritime incidents

Google Earth

Google Earth is a geospatial visualization tool developed by Google that displays a 3D representation of Earth based on satellite imagery, aerial photography, and GIS data. It allows users to explore geographic information, view terrain and buildings in three dimensions, and access historical imagery across the globe.

https://www.satellites.live/

satellites.live is a free web-based satellite tracking tool that lets you visualize and follow objects orbiting Earth in near real time.

it’s like a radar screen for space, showing what’s flying above Earth right now.

3. Radio & Signal Monitoring

websdr.org

WebSDR is an online software platform that allows multiple users to listen simultaneously to a wide range of radio frequencies through a shared software-defined radio (SDR) receiver. It provides real time access to radio spectrum data via a web browser, enabling remote tuning, demodulation, and listening without specialized hardware.

AIS Dispatcher - free AIS data sharing tool | AISHub

AIS Dispatcher is a Windows-based software tool used to decode, filter, and forward Automatic Identification System (AIS) data from ship transponders and receivers. It acts as an intermediary between AIS receivers and data servers or clients, enabling flexible routing of real-time vessel traffic information across multiple network destinations.

Monitoring the Strait of Hormuz with OSINT is about layering multiple data sources no single tool is enough. The most reliable insights come from combining ship tracking, satellite imagery, and real time reporting.

Main News

Online Document Signing Platforms used for Phishing Attacks

Bangaly Koita 2 months ago

Electronic signature platforms such as Docusign, Dropbox Sign, Google Docs, OneDrive signature and Adobe Sign have revolutionized business processes by enabling fast, paperless transactions. However, cybercriminals have also recognized their potential as a vector for phishing attacks. By mimicking legitimate signing requests, attackers trick users into revealing sensitive information or downloading malware.

Techniques used by threat actors to trick users:

Fake Signing Requests

Attackers send emails that look like legitimate requests from trusted platforms such as Docusign, Adobe Sign. These emails often contain urgent language like “Your signature is required immediately.”

Malicious Links

The email includes a link to a fake login page mimicking the real service. Victims enter credentials, which attackers steal.

Malware Delivery

Some phishing emails include attachments disguised as documents to sign, which actually contain malware.

Business Email Compromise (BEC)

Attackers impersonate executives or vendors, requesting signatures on fraudulent documents (e.g., payment authorizations).

Red Flags to Detect Phishing

Unexpected signing requests from unknown senders.

Generic greetings like “Dear Customer” instead of your name.

Suspicious URLs (hover over links before clicking).

Urgency or threats in the message.

Requests for credentials beyond normal signing process.

Tools Commonly Used by Threat Actors

Email Spoofing Tools (e.g., Sendmail, Postfix misconfigurations)

Used to forge sender addresses and bypass basic email filters.

Phishing Kits (e.g., Evilginx, Modlishka)

Enable creation of realistic login pages and capture credentials.

URL Shorteners

Hide malicious links behind shortened URLs to evade detection.

Malware Loaders

Embedded in attachments disguised as PDFs or signing documents.

Conclusion

While online document signing platforms offer convenience, they also present a significant attack surface for phishing campaigns. Organizations must implement robust email security, user awareness training, and multi-factor authentication to mitigate these threats. Vigilance and verification are key always confirm the legitimacy of signing requests before clicking any link.