Field notes
The Ximbalo security blog
Plain-English guides on the threats hitting WordPress sites every day — malware, bots, cPanel, plugins, email, and how to recover when things break.
WordPress Malware: How to Tell If Your Site Is Infected
Strange redirects, spammy pages, browser warnings, a sluggish admin — the early signs of a hacked WordPress site, and what to do the moment you spot them.
Why Bots Are Hammering Your WordPress Site — and How to Stop Them
Automated traffic now dwarfs human visitors for many small sites. Here's what the bots are actually doing to your WordPress install, and how to push back.
The Real Cost of an Outdated Plugin
One abandoned plugin can mean a defaced homepage, a spam relay, or a surprise bandwidth bill. A look at how small neglect becomes a big invoice.
wp-login.php Brute Force Attacks: A Plain-English Guide
Thousands of login attempts a day is normal for a WordPress site. Here's what brute-force attacks are, why they work, and how to lock the door.
Hardening cPanel: The Server Checklist Most Owners Skip
Your site can be perfectly patched and still get owned through the server around it. A practical checklist for cPanel, PHP, SSL, and email.
robots.txt Won't Save You From Bad Bots — Here's What Does
robots.txt is a polite request, and bad bots aren't polite. Why blocking abusive crawlers takes more than a text file.
Is Your Domain Blacklisted? Fixing Email Deliverability
When invoices and replies start landing in spam — or vanishing — your domain may be blacklisted. How it happens and how to recover.
Backups That Actually Work: A Recovery Plan for WordPress
A backup you've never restored is just a hope. What a real WordPress recovery plan looks like — and the mistakes that make backups useless.
Outdated PHP Is a Security Hole — Why Updating Matters
Running an old PHP version is one of the most common and most overlooked risks on a WordPress site. Here's what it costs you.
My Site Was Hacked. Now What? A Step-by-Step Recovery
A calm, ordered plan for the moment you realize your WordPress site has been compromised — what to do first, and what to avoid.
