Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Ask Wordfence: Why Is an Insignificant Site Like Mine Being Attacked?

This entry was posted in Ask Wordfence, WordPress Security on March 14, 2018 by Dan Moen   8 Replies

This question came in from Keith, a Premium Wordfence customer. We’ve dealt with this question a few times in different ways on the blog, but pulling it all together sounds like a great post. Let’s dive in!

Why is my site being attacked?

At a high level, an attacker views a vulnerable website as a juicy collection of resources that they can steal or exploit:

  • It’s backed by a server that they can use to run their own programs
  • It’s connected to the internet and likely has a squeaky-clean reputation
  • It might include interesting user data
  • It probably has traffic coming to it
  • It is likely important to you

Most of the time, they use those resources to make money. And they continue to find new creative ways to make a buck.

Using Your Server to Run Their Own Programs

If you’re running a WordPress site, your web server is most likely a fully functioning Linux server with MySQL and PHP installed. Depending on your hosting situation, it may also have a meaningful amount of processing power.

Cryptocurrency Mining

In December, we wrote about a massive cryptomining campaign targeting WordPress sites. In the most intense period of attacks we had ever recorded, an attacker was compromising sites and using them to both attack other WordPress sites and to mine for Monero, a cryptocurrency that can be mined efficiently using web server hardware.

I encourage you to read the article if you haven’t already. We were able to identify how the the attackers were controlling the compromised servers and discovered evidence that they had earned almost $100k via their mining efforts.

Leveraging Your Reputation

In November, we wrote about the fact that your site reputation makes you a target. I encourage you to read it along with the post that inspired it, by Troy Hunt.

Hosting Phishing Pages

A phishing page is one that attempts to fool you into sharing sensitive information, like your password, credit card number or social security number. An example of a phishing page is a fake login page that gives you the impression you are on, for example, the GMail login screen. You enter your credentials and the attacker logs them and can now sign into your real GMail account and steal data.

In January 2017, we wrote about a new and highly effective GMail phishing technique that was having a wide impact.

Your site has a squeaky clean reputation. When attackers host phishing pages on your site, services like Google Safe Browsing that would normally warn users about suspicious websites won’t know to alert visitors to the danger of the phishing page hosted on your site.

Hosting Spam Pages and Injecting Spammy Links

Your site is legitimate, so search engines like Google assume that your content, including outbound links, is also legitimate. Attackers love to plant SEO spam in the form of pages and links on your site, boosting SEO rankings for their malicious businesses.

A great example of this is the supply chain attack we discovered back in September that spanned 4.5 years and impacted 9 WordPress plugins. In our blog post about this SEO spam campaign, we exposed how someone purchased the plugins and then used them to embed spammy links in the sites that were running them. The attacker used these links to improve search engine rankings for websites offering payday loans, escort services and other shady things.

It’s important to remember that while your site alone isn’t capable of boosting an attacker’s SEO results, thousands of compromised sites can really move the needle.

Sending Spam Email

Getting spam email past spam filters is a difficult endeavor. Email clients use myriad techniques to identify and block spam. Almost all spam filters rely on IP blacklists to block everything from IPs known to send spam.

That’s where your web server comes in. Not only does your server have all of the hardware and software spammers need, but the reputation of your IP is likely perfect. By sending spam from your web server, cybercriminals have a much better chance of getting their spam delivered.

Eventually, spam filters pick up on what is happening and blacklist your IP as well, so the attacker simply moves on to the next victim, leaving the reputation of your IP address in ruins.

Attacking Other Sites

Sometimes attackers will compromised WordPress sites to attack additional sites. We saw hackers use this approach in the cryptocurrency mining attack we discussed earlier in this article, where an attacker was controlling a botnet made up of thousands of other people’s WordPress sites that were simultaneously mining for cryptocurrency and attacking other websites. Your website is an attractive attack platform because your IP address is likely not on any blacklists.

Hosting Malicious Content

Hackers will sometimes use your web server to host malicious files that they can call from other servers. They are essentially using your hosting account as a file server.

Leveraging Your Site Traffic

Malicious Redirects

One very common thing attackers do with hacked websites is add redirects to their content. Visitors to your site don’t even have to click on a hyperlink to visit the spam site: the redirect will just take them there directly. In some cases, attackers will go so far as to redirect all of your traffic to malicious sites. But in most cases, they employ measures to avoid detection, only redirecting traffic to specific URLs or for specific browsers or device types.

In August 2017 we wrote about the TrafficTrade infection which injects malicious JavaScript into websites and redirects visitors to pages that host spam and malicious browser plugins.


In some cases, the attacker just wants to get their message out. By taking over your website, they are able reach your website visitors, at least until you figure out what they’ve done. Attacks of this nature often represent a political movement or are just looking for “street cred” in the hacker community.

In February last year, we saw a huge WordPress defacement campaign that exploited a WordPress REST API vulnerability. It grew at incredible speed over a period of days, and after just 24 hours we had tracked 19 separate attack campaigns significantly impacting WordPress sites.

Distributing Malware

One especially nefarious way attackers monetize hacked websites is to use them to spread malware. They install website malware that installs malware on your visitors’ computers or devices when they visit your site.

As a site owner, this is especially scary, as not only do you risk having your site flagged as malicious by search engines and other blacklists, but your visitors are not going to be happy with you. Your reputation, both online and with your site visitors, could be damaged for a long time. In addition, a hacked website can have a long-term negative impact on your search engine rankings.

Stealing Data

Even if you don’t accept credit cards on your site, an attacker may still find valuable data to steal. For example, if you capture other data via forms on your site, there might be something there worth taking. Additionally, attackers can use stolen username and password pairs to try to log in to other sites.


We’ve learned over the years that websites almost always represent something that matters to people, even if it’s not a business site. Unfortunately, cybercriminals have, too. Last year we wrote about a ransomware attack campaign targeting WordPress sites. While we haven’t seen much of this lately, we believe the threat of WordPress ransomware will continue and will increase in future.


Regardless of the size of your website audience or the cost of your hosting plan, criminals will happily find a way to monetize it if they can break in. Luckily, you don’t need to be a security expert to keep your site safe. With a little knowledge and Wordfence Premium, you should be able to stay a step ahead of attackers.

Did you enjoy this post? Share it!

4.71 (31 votes) Your rating:

8 Comments on "Ask Wordfence: Why Is an Insignificant Site Like Mine Being Attacked?"

Kenneth Grant March 14, 2018 at 1:21 pm • Reply

Thanks for good info, as well as good protection.

Ron March 14, 2018 at 1:26 pm • Reply

If you've ever clicked on a link in a spam email, you'll see that this is true. Spammers will add an advertisement page to a site that either the owner doesn't maintain (or perhaps doesn't know how to maintain), doesn't adequately defend their site from hacking, or has no clue that their site was hacked. That's what makes smaller sites so attractive. And there are a lot of them out there.

Sara March 14, 2018 at 2:53 pm • Reply

Major problem, in 2012, we had a site hosted on a US hosting company, a cheap one. Their servers got hacked and many other big hosting companies. The attackers used sites on the servers to direct spam, porn links TO EACH OTHER. Our site was infected. I got rid of the hosting company, moved the domain, started from scratch to rebuild it.

Today, there are sites from those hosting companies still sent us over 6,000 bad links to our site all identified by IP's and other methods. Google says bad links do not affect rank, they most certainly do. It is a mess to clean up, but I'm glad I have WF for security now.

Mark, maybe you should consider a new product that repels bad links, finds them, turns them into no-follow somehow. I would gladly beta test for you.

Moral of the story: don't use cheap hosting, ask them about their own security protocols, break-ins they've had and how they will protect you. Using smaller hosting companies, maybe local to where you live, are less likely to get hacked like the major companies.

Linton Robinson March 14, 2018 at 9:03 pm • Reply

I also got hacked on a big host like that. Pretty much ruined my life for awhile. Now I get a LOT of attempts, daily. I think it's like if you've been had your name's written on a mens' room wall somewhere.
I'm getting really sick of Turkey, btw

Xavier March 14, 2018 at 9:45 pm • Reply

WordFence you are amazing continue to inform us of the latest hack news!

Dario March 15, 2018 at 2:50 am • Reply

Great blog post even though it didn't overturn my creeds on hacking matters. My background question still remain. Are all those efforts worth of being done? You also wrote "that they had earned almost $100k via their mining efforts." Almost unbelievable! It raises new questions and doubts in me about cyipto mining and its reason for being.

Soulstudio March 15, 2018 at 5:04 am • Reply

I wrote an article not so long ago called "Why Websites Get Hacked?". It is a common misconception among clients to believe that they are not interesting to the attackers. We need to talk more about this to spread awareness about the subject - great read guys! :)

Courtney March 15, 2018 at 7:11 am • Reply

Excellent Article. I sent this to our Board of Directors hoping they get why I am insisting on the best security products for our websites. I have been asked more than once this very question that Mark has posted.

Leave a Reply

All comments are moderated before being published. Inappropriate or off-topic comments may not be approved.

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.