Cloudflare Thinks We're A Compromised WordPress Site. Our Honeypots Are Working Too Well. The Indicators Are In Our STIX Feed. $99/mo Pro, $59.40 First Month With Promo RESCUEME.
- Patrick Duggan
May 8, 2026 · DugganUSA LLC
Earlier today we shipped an RFC 9116-compliant security.txt at analytics.dugganusa.com/.well-known/security.txt. We added security-reporting visibility to AIPM scoring as the eighth technical signal. We sent four pre-breach warning emails to the Product Security teams of Fortune 500 healthcare companies on our ShinyHunters watch list. By any reasonable measure we are operating with full vulnerability-disclosure infrastructure, an end-to-end signed STIX feed across 275 consumers in 46 countries, and the most rigorous security posture among the names on tonight's watch list.
According to Cloudflare's reputation engine, we are a compromised WordPress installation actively serving credential-harvest responses to brute-force scanners.
Both statements are simultaneously true. Welcome to Schrödinger's compromise. The cat in the box is alive (rigorous defensive posture, full disclosure infrastructure, indicator generation feeding 275 customers) and dead (reputation flag confirming the site is compromised). The observation collapses the wave function only when the observer goes deeper than the surface behavior, and the surface behavior is exactly what the deception is designed to produce.
This post is the beautiful failure mode, documented honestly. It is also a sales pitch. Because the indicators that absurdity is generating are in our STIX feed right now, and they are extremely good.
Why Cloudflare Is Confused
Our Cloudflare Edge Shield Worker exposes thirty canary paths that a scanner would expect to find on a vulnerable target: /wp-admin, /wp-login.php, /wp-config.php.bak, /.env, /.git/config, /phpmyadmin/, /actuator/env, /server-status, /admin/index.php, MySQL dump paths, exposed AWS credentials files, fake Spring Boot actuator responses, fake Drupal admin endpoints, and twenty-one other shapes of valuable-looking-but-actually-bait infrastructure. Each canary path returns a convincing fake response, designed to make scanners stay long enough to fingerprint themselves while believing they have found a real target.
The point of the deception is to make scanners stay. A scanner that finds nothing on a target moves on in milliseconds. A scanner that finds an exposed .env file with believable AWS keys spends time on it: running curl against the keys, attempting to use them, leaving fingerprints. Each one of those fingerprints is intelligence. Each one becomes an indicator we publish to our STIX feed. The honeypot's value is proportional to how long the scanner stays.
A scanner stays as long as the responses look real. The more real, the longer the stay, the better the intelligence yield. The optimal honeypot is indistinguishable from a real compromise except to the operator who knows it is a honeypot.
This is also, evidently, the worst possible architecture for cohabiting with a third-party reputation engine that also cannot tell the difference.
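As an added example of the canary-path pattern described above (this is not DugganUSA's Edge Shield Worker; the paths, fake bodies and the `CATCH_REPORT_URL` binding are assumptions), a Cloudflare Worker-style handler that serves bait on a hit, records the scanner's fingerprint out of band, and passes everything else through:

```javascript
// Added example, not DugganUSA's Edge Shield Worker: a Cloudflare Worker-style
// handler for the canary-path pattern the post describes. Paths, fake bodies
// and the CATCH_REPORT_URL binding are assumptions.

// Canary table: bait path -> response that looks like a real find.
const CANARIES = {
  "/.env": {
    contentType: "text/plain",
    // AWS's documented example key pair; these are not live credentials.
    body: "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n" +
          "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
  },
  "/wp-login.php": {
    contentType: "text/html",
    body: '<form id="loginform" action="/wp-login.php" method="post">' +
          '<input name="log"><input name="pwd" type="password"></form>',
  },
};

// Pure, synchronous decision, testable without a Worker runtime; `headers` has lower-case keys.
function classify(url, headers) {
  const path = new URL(url).pathname;
  const canary = CANARIES[path];
  if (!canary) return { hit: false, path };
  // The fingerprint is the intelligence yield: who stayed, from where, claiming to be what.
  const fingerprint = {
    path,
    ip: headers["cf-connecting-ip"] || "unknown",
    ua: headers["user-agent"] || "",
    country: headers["cf-ipcountry"] || "XX",
    ts: new Date().toISOString(),
  };
  return { hit: true, path, canary, fingerprint };
}

// Worker entry point (in a real module: `export default worker`).
const worker = {
  async fetch(request, env, ctx) {
    const verdict = classify(request.url, Object.fromEntries(request.headers));
    if (!verdict.hit) return fetch(request); // not bait: pass through to the real origin
    // Report the catch out of band so the scanner sees no timing tell.
    ctx.waitUntil(fetch(env.CATCH_REPORT_URL, {
      method: "POST", headers: { "content-type": "application/json" },
      body: JSON.stringify(verdict.fingerprint),
    }));
    return new Response(verdict.canary.body, {
      status: 200, headers: { "content-type": verdict.canary.contentType },
    });
  },
};
```

The report call is exactly the closed loop the next section describes: the Worker's own catch reports are traffic that a reputation engine watching the backend cannot distinguish from a scanner.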
What Today Looked Like From Cloudflare's Perspective
Today's traffic report from earlier this morning surfaced an apparent Korea spike of 876 requests on May 7. We drilled in. The breakdown:
Eight hundred fifty-one of the 876 came from a single IPv6 address ingesting honeypot catch reports — that is, our own Worker calling our analytics back-end with intelligence harvested from elsewhere on the edge. To Cloudflare's reputation engine that looks like one IPv6 address hammering the same backend endpoint at high volume in a closed loop. Functionally suspicious. Operationally normal for the architecture.
The remaining 25 came from a single IPv4 address — 152.69.238.208, an Oracle Cloud Korea VM — running brute-force credential probes against /wp-admin/index.php and /wp-login.php with rotating user-agent strings. Our Edge Shield Worker absorbed every probe and handed back convincing fake WordPress admin responses. The scanner stayed. The intelligence yield landed in our index. The IPv4 plus its UA fingerprint plus its timing pattern are all in the feed now.
From the perspective of Cloudflare's reputation engine, what it observed today is: a site serving thousands of WordPress credential-harvest responses to brute-force authentication probes from a foreign cloud provider, with high-volume IPv6 traffic into the same backend in a closed loop. That is, on the face of it, an extremely accurate description of either a working honeypot operation or a compromised WordPress installation operating as a credential-harvest mule for an active campaign.
Cloudflare's reputation engine cannot read intent. It reads behavior. It picks the explanation that matches the largest population of sites with the same observed behavior. The largest population of sites with that behavior is, statistically, compromised WordPress. The honeypot operator population is too small to be the prior.
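As an added example (not DugganUSA's code) of the drill-down above: the constructed log below reproduces the 851/25 split, the triage separates the Worker's own ingestion loop from the Oracle Cloud Korea brute-forcer by allow-listing the known self source and scoring login-canary hits with rotating user agents, and the scanner's summary becomes a STIX 2.1 indicator of the kind the post says lands in the feed. The IPv6 self-loop address (2001:db8::1), the report path and the record shape are assumptions.

```javascript
// Added example (not DugganUSA code): triage a day's edge log the way the post drills
// into the 876-request Korea spike, then emit a STIX 2.1 indicator for the external
// scanner. Records are constructed; the IPv6 self-loop address is an assumption.

const SELF_SOURCES = new Set(["2001:db8::1"]);  // our own Worker's egress (assumed)
const AUTH_CANARIES = new Set(["/wp-login.php", "/wp-admin/index.php"]);
const UAS = ["Mozilla/5.0 (Windows NT 10.0)", "curl/8.5.0", "python-requests/2.31"];
// Constructed records in the shape of an edge-log export: 851 self-loop, 25 brute-force, 1 visitor.
const LOG = [
  ...Array.from({ length: 851 }, () =>
    ({ ip: "2001:db8::1", path: "/api/honeypot/catch", ua: "edge-shield-worker", country: "KR" })),
  ...Array.from({ length: 25 }, (_, i) =>
    ({ ip: "152.69.238.208", path: i % 2 ? "/wp-login.php" : "/wp-admin/index.php", ua: UAS[i % 3], country: "KR" })),
  { ip: "198.51.100.7", path: "/", ua: "Mozilla/5.0", country: "US" },
];

// Group by source IP and label each source: self-loop, bruteforce, or normal.
function triage(records, selfSources = SELF_SOURCES) {
  const byIp = new Map();
  for (const r of records) {
    const s = byIp.get(r.ip) || { ip: r.ip, country: r.country, count: 0, uas: new Set(), paths: new Set() };
    s.count++; s.uas.add(r.ua); s.paths.add(r.path);
    byIp.set(r.ip, s);
  }
  return [...byIp.values()].map(s => {
    const authHits = [...s.paths].filter(p => AUTH_CANARIES.has(p)).length;
    let verdict = "normal";
    if (selfSources.has(s.ip)) verdict = "self-loop";                 // our telemetry, not a foreign spike
    else if (authHits > 0 && s.uas.size >= 2) verdict = "bruteforce"; // login canaries + rotating UAs
    return { ip: s.ip, country: s.country, count: s.count, distinctUas: s.uas.size, verdict };
  });
}
// v4-shaped UUID from Math.random, enough for an example; use crypto.randomUUID() in production.
const uuid4 = () => "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, c => {
  const r = (Math.random() * 16) | 0;
  return (c === "x" ? r : (r & 3) | 8).toString(16);
});
// Minimal STIX 2.1 Indicator SDO with a stix-pattern on the source address.
function toStixIndicator(summary) {
  const now = new Date().toISOString();
  const objType = summary.ip.includes(":") ? "ipv6-addr" : "ipv4-addr";
  return {
    type: "indicator", spec_version: "2.1", id: `indicator--${uuid4()}`,
    created: now, modified: now, valid_from: now,
    name: `Brute-force scanner ${summary.ip} (${summary.country}), ${summary.distinctUas} rotating UAs`,
    indicator_types: ["malicious-activity"], pattern_type: "stix",
    pattern: `[${objType}:value = '${summary.ip}']`,
  };
}
const INDICATORS = triage(LOG).filter(s => s.verdict === "bruteforce").map(toStixIndicator);
```

Allow-listing your own ingestion source in triage is the check that turns an apparent foreign spike into a known closed loop before anyone reads it as a compromise.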
The Beautiful Failure Mode
We are simultaneously the operator of:
- A 1,143,000-indicator STIX feed pulled by 275 organizations across 46 countries — Microsoft, AT&T, Starlink, and Hetzner among them
- An MCP server on the official Registry receiving 881 calls per week from 27 unique clients
- The only watch-list candidate or near-candidate tonight with full RFC 9116 security.txt plus a /security policy page plus an Acknowledgments hall of fame plus a same-business-day disclosure SLA
- An AIPM (AI Presence Management) product that scored 776 audits across 228 domains with the new security-reporting visibility dimension shipping to production today
- A Cloudflare-flagged compromised WordPress installation, per Cloudflare's own reputation engine
Both states coexist in the same observation window. The cat is both alive and dead until somebody reads past the reputation flag. The deception working is what makes us look indistinguishable from the deceived. Recursion of indistinguishability.
We are not going to fix this. We are not going to disable the honeypots. We are not going to make the responses less convincing. The deception's value is its plausibility, the plausibility is what triggers the reputation flag, and the reputation flag is the price of doing the work. We are going to keep harvesting indicators, keep publishing them, keep feeding 275 customers, and keep occupying both states in the cat box.
Here Is The Sales Pitch
The Cloudflare-flagged absurdity above is generating actual intelligence. That intelligence — the IPv4 of the Oracle Cloud Korea scanner, its rotating UA fingerprints, its timing pattern, the credential combinations it tries, the path-traversal payloads, the next IP it pivots to — lands in our STIX feed within hours of capture, every day, on the same dosing schedule as every other indicator class we publish.
If you operate a SOC, a SIEM, a firewall ruleset, an OPNsense or pfSense edge, a Splunk Enterprise Security install, a Microsoft Sentinel deployment, a Suricata fleet, or any defender surface that ingests indicators of compromise, the Pro tier of our STIX feed is where the harvest from this exact absurdity lands.
Pro tier: $99 per month. Two thousand queries per day. Twenty-four hour email SLA. Butterbot onboarding included. Tor relay and attribution API access. OPNsense and Suricata feeds wired. Integration support documentation.
Promo code RESCUEME gets you 40% off the first month — $59.40 to start. That is the price of the daily pill that includes the indicators harvested by the honeypots that Cloudflare's reputation engine just flagged us for operating. Your defenders get the active ingredient. Cloudflare gets to keep being confused. We are at peace with the arrangement.
Pricing page: https://analytics.dugganusa.com/stix/pricing
If you need volume above the Pro tier, the Enterprise tier is $995 per month — fifty thousand queries per day, four-hour response SLA, dedicated agent context, priority IOC ingestion within one hour, custom integration support, quarterly threat briefing, behavioral intelligence API, and attack-surface-scanner access. For on-prem, white-label, or above-Enterprise volume, we are at [email protected].
The Free tier remains free, twenty-five queries per day, permanent. If your environment fits inside that envelope and you need to verify the active ingredient before subscribing, that is the standard pharmacy-aisle posture from this morning's Cold Sores post — daily generic suppressive therapy at zero cost, no insurance pre-auth, no doctor's visit, no sales call.
What This Post Is And Is Not
This is a Friday afternoon chuckle. It is also a conversion lever. It is also a documentation of a real failure mode in the seam between deception infrastructure and third-party reputation infrastructure. We can have a good time and ship the lever in the same paragraph. The infomercial earlier this week sold Perjury-as-a-Service Series D shares. This one sells the daily pill at $59.40 first month with a chuckle about Cloudflare's reputation engine baked in.
You read this far. You understand the architecture. You can either run your own honeypots and absorb the same reputation cost, or you can subscribe to ours and let the indicators land in your STIX consumer for the price of one fast-food lunch per week at the discounted rate. The choice is the choice. Either way the cat stays in the box and the scanners keep getting trapped.
Receipts
- Cloudflare Edge Shield Worker: deployed across analytics.dugganusa.com and adjacent properties; serves 30 canary paths
- Today's KR-routed traffic: 851 of 876 requests = honeypot ingestion endpoint receiving Worker catches; 25 of 876 = Oracle Cloud Korea (152.69.238.208) brute-forcing /wp-admin and /wp-login.php with rotating UAs
- 1,143,000 indicators in our iocs index (44 indexes total, 17.9M+ documents)
- 275 STIX consumers across 46 countries (Microsoft, AT&T, Starlink, Hetzner pulling daily)
- MCP server on the official Registry: 881 calls/week, 27 unique clients
- RFC 9116 security.txt: live at analytics.dugganusa.com/.well-known/security.txt, deployed today
- AIPM security-reporting visibility scoring: 8th technical signal, deployed today
95% epistemic cap applies: Cloudflare may not have actually fired a formal security notice. Adjust your read accordingly. The structural friction at the seam between deception and reputation infrastructure is real either way.
Pricing — Canonical
| Tier | Price | Daily queries | First-month promo |
| --- | --- | --- | --- |
| Free | $0/mo | 25 | n/a |
| Pro | $99/mo | 2,000 | RESCUEME → $59.40 first month |
| Enterprise | $995/mo | 50,000 | n/a |
| Custom | on-prem, white-label, above-Enterprise volume | — | — |
Source of truth: https://analytics.dugganusa.com/stix/pricing
Stripe checkout: live on the same page. Regional purchasing-power adjustment is automatic.
— Patrick Duggan
DugganUSA LLC, Minneapolis
Aye.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
