15 Common signs that your WordPress website is under attack

Security Team


Many WordPress websites are under attack without their owners being aware of it. The site may still function normally, continue to receive traffic, and even generate orders every day. However, behind this apparent “stability,” malware, spam links, and malicious requests are quietly present, gradually exploiting and eroding the website. 

The problem is that by the time the signs become obvious, the damage has often gone beyond what many website owners can easily handle.

So how can you tell whether a WordPress website is being attacked? In this article, we will highlight 15 common signs that indicate a WordPress site may be under attack, helping readers identify risks early and take timely action before the situation becomes more serious.

Why are so many websites attacked without the owner knowing?

Modern attacks no longer cause immediate damage

In the past, many people assumed that a hacked website meant a defaced interface, a crashed site, or strange messages appearing on the homepage. Today, modern attacks no longer work that way. Hackers now prioritise stealthy infiltration rather than immediate disruption.

Their goals may include installing tracking code, injecting SEO spam links, creating backdoors for future access, or using the website as part of a botnet. The site can continue to operate “normally” for a long time, giving the owner no reason to suspect anything until the real consequences surface.

Hackers deliberately avoid attracting the site owner’s attention

Hackers do not want to be detected early. As a result, they often design their payloads so they do not affect the experience of regular users. Malware may only activate for specific user agents, certain IP addresses, or appear only to search engine bots.

This leads to a situation where the website owner sees nothing unusual, while Google detects malware, redirects, or spam content. By the time search engines issue a warning, the website has often been exploited long enough to cause significant damage.

>>> See more: Malware in WordPress: Signs, cleanup methods, and prevention

Website owners lack behaviour monitoring tools

Most WordPress websites focus mainly on uptime, page speed, or traffic numbers. Very few have systems in place to monitor visitor behaviour and detect abnormal requests, scanning activity, or exploit attempts.

Without monitoring tools, attacks in the reconnaissance phase leave almost no visible signs. Hackers can send hundreds of test requests every day without triggering any alerts, until they eventually find a suitable weakness to exploit.

Logs exist, but no one reads them

Most servers generate access logs and error logs. In practice, however, logs are usually only checked after an incident has already occurred. Regular log analysis is rarely done, especially for small websites or businesses without dedicated technical staff. 

As a result, early warning signs such as repeated access to sensitive files, suspicious request patterns, or recurring system errors are ignored. The logs are there, but they are not used as a preventive security tool.

Attacks take place outside the WordPress layer

Many attacks do not start within the WordPress core or plugins, but at layers in front of WordPress, such as the server, web server, firewall, or request-handling layer. These are areas where WordPress itself cannot fully detect or log malicious activity.

When a malicious request is processed or exploited before it even reaches WordPress, the website owner has almost no way of knowing unless there is a dedicated protective layer outside WordPress. This creates a significant “blind spot” in the security of many websites.

The belief that small websites are not targets

One of the most common reasons websites are attacked without the owner realising it is a false sense of security. Many believe that small websites, with low traffic or limited business activity, are not worth attacking. In reality, the opposite is true. Smaller websites are often less protected, less frequently updated, and poorly monitored, making them ideal targets for automated attacks.

Hackers do not target brands; they target weaknesses. And the smaller the website, the more weaknesses it often has.

Why is early detection of WordPress attacks so important?

Reducing the risk of data loss and sensitive information leaks

Once hackers have remained inside a system for a sufficient period, the risk of unauthorised data access becomes very high. This may include not only administrative credentials, but also customer data, emails, orders, and critical configuration files.

Early detection limits the amount of time attackers can stay within the system, significantly reducing the risk of data breaches. In many cases, delayed detection can expose businesses to legal risks and a serious loss of customer trust.

Protect SEO rankings and website credibility

A WordPress website that has been injected with malware, malicious redirects, or SEO spam is often detected by search engines before the site owner becomes aware of the issue. As a result, the website may receive security warnings, suffer ranking drops, or even be temporarily removed from search results. Early detection allows you to address the issue before search engine bots record malicious behavior. 

This helps protect your website’s credibility and prevents losses in traffic and revenue - damages that are often difficult to recover from in the short term.

Avoid prolonged downtime and business disruption

Many attacks only become obvious when a website starts to slow down abnormally, experiences repeated errors, or loses administrative control. At this stage, remediation is usually more complex and can lead to extended downtime. Early detection enables controlled handling of the incident, avoiding emergency shutdowns or reactive restores. For business websites, every hour of downtime translates directly into lost customers and revenue.

Reduce remediation and recovery costs

Addressing an attack at an early stage often requires only limited actions, such as blocking malicious requests, patching vulnerabilities, or resetting access credentials. In contrast, once a system has been deeply compromised, remediation costs can multiply. In many cases, site owners must hire security specialists, clean the codebase, restore data, or even rebuild the entire system. Early detection is the most effective way to minimize long-term costs.

Maintain control instead of reacting under pressure

When an attack is discovered only after damage has occurred, decisions must be made in an emergency context. This increases the risk of mistakes, poorly controlled responses, and prolonged recovery times. Early detection, on the other hand, allows you to remain in control - assessing risk levels, isolating incidents, planning remediation, and improving the system in a structured and deliberate manner.

15 Signs that a WordPress website is under attack

The website suddenly becomes unusually slow

When a WordPress website that has been running smoothly suddenly becomes noticeably slower without major changes in content, traffic, or configuration, this is a critical warning sign. The slowdown may occur intermittently rather than continuously, making it difficult to pinpoint the cause.

In many cases, the issue stems from background processes planted by attackers. These processes may send outbound requests, run malicious scripts, or scan internal data. Although they consume significant resources, they often do not trigger obvious errors, allowing the website to remain “functional” while severely degrading user experience.

Sudden spikes in CPU, RAM, or bandwidth usage

Abnormal increases in server resources - especially CPU, RAM, or bandwidth - are another strong indicator. Notably, these spikes often occur even when there is no marketing campaign, no surge in traffic, and no structural system changes. This may indicate that the website is being exploited for malicious activities such as sending spam, participating in DDoS attacks, cryptocurrency mining, or continuously processing malicious requests.

If site owners only review aggregate metrics without analyzing traffic sources or behavior, these signs are often mistaken for routine technical issues.

Frequent downtime with no clear cause

Repeated downtime without scheduled maintenance, traffic overload, or configuration errors is a serious warning sign. This is especially true when the site goes offline briefly and then recovers automatically, making the issue easy to overlook.

Such downtime may be linked to resource exhaustion attacks, vulnerability exploitation, or payload testing at the server level. Attackers often avoid sustained attacks to remain unnoticed, causing just enough disruption to observe system behavior. If left undetected, these minor incidents can escalate into major attacks.

Automatic redirects to unknown websites

One of the clearest signs of compromise is when users are redirected to unfamiliar websites. These redirects may not affect all visitors and may only occur on certain devices, browsers, or geographic locations.

Attackers often implement conditional redirects to evade detection. For example, administrators may see no issues, while new visitors or search engine bots are redirected to gambling, betting, or phishing sites. This tactic causes many site owners to underestimate the severity of the issue for extended periods.

Uncontrolled popups or advertisements appear

If a website begins displaying unfamiliar popups, intrusive ads, or content unrelated to the business, this is a serious security alert. These elements may appear only on specific pages or be triggered by user actions such as scrolling or clicking.

In many cases, attackers inject malicious code directly into themes, plugins, or core files to display ads for profit. Such code is often heavily obfuscated, making detection and removal difficult without specialized security tools.

A subtle yet widespread sign of compromise is the injection of hidden links into website content without the administrator’s knowledge. These links may be concealed using CSS, matching text and background colors, or displayed only to search engine bots rather than real users.

The primary goal is to exploit the site’s SEO authority to boost rankings for spam, counterfeit pharmaceuticals, gambling, or prohibited content. As a result, the website risks losing credibility with users and facing severe penalties from Google, including ranking drops or deindexing.

Google flags the website as malicious

When Google displays warnings such as “This site may be harmful” or “This website contains malware”, it indicates that the security issue has exceeded normal control thresholds. These warnings usually appear after Google detects malware distribution, phishing, or suspicious behavior affecting users.

Once a site is flagged as dangerous, traffic typically drops sharply as users abandon the site immediately. Restoring trust and removing Google warnings is a complex process that requires thorough system cleanup and proof that the website is properly secured.

Unknown admin user appears

The appearance of an administrator account that you did not create is an extremely serious sign that your WordPress website has been compromised. Hackers often add extra admin users to maintain long-term control, even after you change passwords or run malware scans.

These accounts are usually given “harmless-looking” names such as support, backup, or admin2, or use seemingly legitimate email addresses to avoid drawing attention. Without regular user audits, many website owners fail to realise that their system has already been controlled from the inside.

Admin password changes automatically

If you suddenly cannot log in and the system reports an incorrect password, even though you are certain you have not changed it, there is a high likelihood that your login credentials have been tampered with. This typically occurs when a hacker has already gained admin access or hijacked a valid login session.

In many cases, attackers repeatedly change passwords or trigger password recovery mechanisms to prevent the legitimate site owner from regaining control. This tactic helps them extend their access and carry out more dangerous actions, such as installing backdoors or injecting malware deep into the system.

Unable to log in despite correct credentials

Entering the correct username and password but still being unable to log in may not simply be a technical issue. Hackers sometimes modify core files, the database, or authentication mechanisms to lock out the legitimate administrator.

Additionally, malicious plugins or modified firewall rules can silently block admin access without providing clear warnings. The real danger is that website owners often spend time suspecting hosting or WordPress errors, while the attacker continues operating unnoticed in the background.


Plugins or themes installed without a known source

Another common warning sign is the presence of plugins or themes that you do not remember installing. These components often lack a clear interface in the dashboard or are named similarly to popular plugins to mislead administrators.

In reality, these are often backdoors disguised as plugins or themes, allowing hackers to execute remote code, exfiltrate data, or regain access at any time. If they are not thoroughly detected and removed, the website may be reinfected even after an apparent cleanup.

Suspicious files in WordPress directories

The appearance of unfamiliar files within WordPress directories - especially wp-content, uploads, includes, or even the root directory - is a common indicator that a backdoor has been planted. These files often have very “ordinary” names such as class.php, update.php, or cache.php, and are placed among legitimate files to avoid detection.

Attackers frequently hide malicious files in the uploads directory, as it typically allows write access and is rarely inspected closely. Without regular file change monitoring, such files can remain unnoticed for months.

wp-config.php has been modified

The wp-config.php file is critical, as it contains database credentials and core security configurations. When this file is modified without authorisation, it usually indicates that the attacker has gained deep access to the system.

Hackers may inject code to log sensitive information, open hidden access points, or alter configurations to disable other security layers. Because the website often continues to function normally, this dangerous sign is easily overlooked until serious damage occurs.

Logs record abnormal requests

Server access logs often capture the earliest traces of an attack. If you notice numerous unusual requests, attempts to access non-existent files, strange character strings, or unusually long encoded requests, these are clear indicators of scanning or exploitation attempts.

However, most website owners do not routinely review logs or fully understand what these entries mean. As a result, attackers can test, refine their techniques, and identify vulnerabilities without encountering any resistance.

Multiple probing requests targeting sensitive files

Another highly dangerous sign is a sudden increase in requests targeting sensitive files such as wp-config.php, .env, xmlrpc.php, .git, backup.zip, or legacy configuration files. This behaviour is typical reconnaissance conducted before a real attack begins.

These requests often originate from multiple IP addresses and occur at a low frequency to avoid detection. Without a firewall that blocks threats at the outer layer, such probing will continue until a viable entry point is found.
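
A log review of the kind the last two sections describe, as an added example (not code from the original article): it parses combined-format access log lines, flags requests for the sensitive files named above and unusually long or heavily percent-encoded requests, and groups hits by distinct client IP so that slow probing spread over many addresses still shows up. The sample log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SENSITIVE = ("wp-config.php", ".env", "xmlrpc.php", ".git", "backup.zip")
MAX_TARGET_LEN = 512      # assumed threshold for an "unusually long" request
MAX_ENCODED_RATIO = 0.3   # assumed share of the target made up of %XX escapes


def classify(target):
    """Return the reasons a request target looks like scanning or probing."""
    reasons = []
    segments = [s for s in urlsplit(target).path.lower().split("/") if s]
    for name in SENSITIVE:
        # exact path segment, or a copy such as wp-config.php.bak
        if any(seg == name or seg.startswith(name + ".") for seg in segments):
            reasons.append("sensitive:" + name)
    if len(target) > MAX_TARGET_LEN:
        reasons.append("long-request")
    escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", target))
    if target and escapes * 3 / len(target) > MAX_ENCODED_RATIO:
        reasons.append("heavily-encoded")
    return reasons


def review(lines):
    """Return (reason -> distinct client IPs, sensitive targets answered with 2xx)."""
    ips_by_reason = defaultdict(set)
    served = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = classify(m["target"])
        for reason in reasons:
            ips_by_reason[reason].add(m["ip"])
        # A 2xx answer to a sensitive path deserves a closer look
        # (xmlrpc.php can be legitimate; a served backup or .env is not).
        if m["status"].startswith("2") and any(r.startswith("sensitive:") for r in reasons):
            served.append(m["target"])
    return dict(ips_by_reason), served


# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:03:12:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Jan/2025:07:45:19 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Jan/2025:11:02:44 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Jan/2025:11:02:50 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.99 - - [10/Jan/2025:12:00:00 +0000] "GET /?s=%41%42%43%44%45%46%47%48 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2025:12:30:10 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
]
```

Counting distinct IPs per reason over a day or a week, rather than requests per minute, is what surfaces the low-frequency, multi-address pattern described above.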

What should you do when you detect signs of an attack?

Isolate the website to prevent further spread

As soon as suspicious behaviour is detected, the first priority is to minimise the attacker’s ability to interact with the website. This may include temporarily enabling maintenance mode, restricting admin access, or blocking suspicious IP addresses. If the site is actively being exploited, keeping it fully online can allow continued data theft, malware propagation across files, or even abuse of the server to attack other websites.

Back up all data before taking action

Before editing or deleting any files, you must back up the entire website, including source code and the database. This backup provides a reference for forensic analysis and a recovery option if remediation efforts go wrong. Many site owners rush to delete infected files without a backup, only to cause more severe errors or lose critical data that cannot be restored.

Secure and lock down all administrative access points

After isolating the website, immediately change all related passwords, including WordPress admin accounts, FTP, database credentials, hosting control panels, and administrative email accounts. At the same time, review the user list and remove any suspicious admin accounts.

If an attacker has already created hidden users or obtained admin privileges, removing malware alone without securing access points will almost certainly result in a rapid reinfection.

Scan for and remove malware in a controlled manner

Malware scanning should be performed at both the WordPress level and the server level. However, you should not rely solely on a single malware scanning plugin, as many modern malware variants are heavily obfuscated or cleverly disguised. It is essential to review newly created files and recently modified files, especially within the wp-content and uploads directories and among critical core files.

The cleanup process must be carried out carefully to avoid accidentally removing legitimate system files.

Review logs to identify the attack vector

Access logs and error logs reveal how attackers gained entry, whether through outdated plugins, brute-force attacks, XML-RPC abuse, or unauthorized file uploads. If the initial point of entry is not identified, the website is highly likely to be compromised again, even after malware has been removed. This step is often overlooked by website owners, yet it plays a decisive role in the long-term effectiveness of security measures.

Patch vulnerabilities and update the entire system

After the cleanup process, WordPress core, plugins, and themes must be updated to their latest versions, and any unused components should be removed. Plugins of unknown origin or those that are no longer maintained should be completely uninstalled. Patching vulnerabilities ensures that attackers cannot reuse the same exploitation methods to regain access.

Establish a proactive defensive layer outside WordPress

Resolving an incident is merely a firefighting measure, not a long-term solution. A website needs a proactive defensive layer to block malicious requests at the earliest stage, before they reach WordPress itself. A firewall operating on a “block by default” principle - allowing only verified, legitimate traffic - can significantly reduce the risk of reinfection, particularly for business websites and those handling sensitive data.

W7SFW is a WordPress Firewall built on the “block by default” security model, designed to stop malicious requests at the outer layer before they have any chance to interact with WordPress. Instead of trusting all incoming traffic, W7SFW permits only verified and legitimate behaviors, effectively reducing risks from zero-day vulnerabilities, undisclosed exploits, and automated scanning attacks.

If you are looking for a proactive and sustainable way to secure your WordPress website, W7SFW is a solution that should be deployed as early as possible.

Continuous monitoring after an incident

Once the issue has been resolved, the website should be continuously monitored for at least several weeks to detect any remaining abnormal activity. Attackers often install backup backdoors to regain access at a later time. Monitoring performance metrics, access logs, and login behavior helps ensure that the website is genuinely secure and free from hidden entry points.

Conclusion

Based on the analysis presented in this article, it is clear that most WordPress attacks do not occur loudly or cause immediate damage. Instead, they persist silently, exploiting and expanding over time. Therefore, rather than waiting for incidents to occur, early detection of abnormal signs and the adoption of a proactive security mindset are essential for every website owner.

Always remember that WordPress security is not a one-time task, but an integral part of a sustainable and long-term website operation strategy.
