Pixel Fish Digital Marketing Blog

10 Signs That Your WordPress Site is Hosting Hidden Malware

Posted by Kevin Fouche on Mar 25, 2020

Due to increased hacker interest, WordPress security is more important than ever. A current hacker-favourite is to take over a site and subtly hang out in the background, soaking up server resources and web traffic more like a parasite than the kind of data-stealing or ransomware attack we've come to watch for and fear.

For many hackers, a hacked WordPress site is a potential bot in a botnet, a potential domain for sending spam emails, or just a source of computing power for their crypto-jacking. Crypto-jacking, by the way, is when they run a small crypto-currency miner on someone else's website, taxing the victim's internet and server power instead of mining locally on their own machines.

Most of these malicious uses of a hacked website go on hidden in the background. So hidden that the WordPress site owners don't even realise that they are hacked. How do you know if your WordPress site is currently harbouring harmful malware that is feeding off the server? Well here are ten signs that something malware-shaped is amiss.

1. Your Google Search Metadata is Wrong

Search for your website on Google and what do you see? The metadata underneath the name of your website should be something familiar and accurate, but it may not be. Hackers love to alter the metadata on hacked sites to reflect their own scam practices, like selling Viagra. This is a very subtle way to hack your site and steal marketing velocity because most website owners don't google themselves or notice this difference in the data.

Some haven't configured their own metadata, much less noticed that the default info has been hacked. If your metadata seems spammy, inaccurate, or crude then your WordPress site was definitely hacked at some point and may still be host to the malware responsible. Even editing the metadata file back might not solve your problem for long.

2. Your Site is Slower Than it Should Be

There are oceans of DIY web developers out there trying to speed up their WordPress sites, so you're not alone in looking for better performance. But you should be able to make steady progress as steps are taken. If you know how quickly your website is supposed to load and it is loading much slower than that, this could be malware soaking up your web server resources and making your website sluggish.

Hackers like to slip their own processes onto someone's unsecured web servers. Crypto-jacking is popular lately. In crypto-jacking, hackers use your server resources to mine crypto-currency. They will also use an invaded web server for things like spam email senders, botnets, DDoS attacks, and more.

The more impossibly sluggish it is, especially when you SSH into the server itself, the more likely there's a hidden program glutting itself on your CPU and RAM.

3. Your Server Resource Use Spikes In the Middle of the Night

Another pretty clear sign of lurking malware is unusual resource use spikes on your web server. This is when suddenly your server is using too much CPU or RAM when your website isn't using the resources. Hackers often program their malware to wait until times of day when most people won't be in the office or accessing your site to activate more high-powered and dangerous functions.

Malware that is harvesting data, mining cryptocurrency, and other high-resource-use tasks may do so in the middle of the night as an attempt to hide the activity from inattentive admins who don't network-monitor or check the logs.

If you notice your CPU and RAM usage going through the roof late at night and it's not one of your own automated updates, then it's malware using up your resources. AI-backed network monitoring can help you spot when your resources are being used by something other than your website and web server processes.
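The check described above can be run over a simple CPU log. The following is an added example, not code from the original article; the quiet hours, maintenance window, threshold and sample readings are all assumptions constructed for illustration.

```python
"""Flag sustained CPU spikes during quiet hours, ignoring planned maintenance."""
from datetime import datetime, time

# All values below are assumptions for this example; tune them to your site.
NIGHT = (time(0, 0), time(5, 0))           # hours when traffic is normally low
MAINTENANCE = [(time(2, 0), time(2, 30))]  # your own scheduled updates/backups
CPU_LIMIT = 80.0                           # percent CPU counted as "high"
MIN_RUN = 3                                # consecutive high samples required

# Constructed sample excerpt: "<timestamp> <cpu percent>" per line.
SAMPLE_LOG = """\
2020-03-24T14:00 95
2020-03-25T02:00 91
2020-03-25T02:30 12
2020-03-25T03:10 97
2020-03-25T03:20 99
2020-03-25T03:30 98
2020-03-25T03:50 11
2020-03-25T04:30 92
"""

def is_suspicious(ts, cpu):
    """High CPU at night that no scheduled job of your own explains."""
    t = ts.time()
    quiet = NIGHT[0] <= t < NIGHT[1]
    planned = any(start <= t < end for start, end in MAINTENANCE)
    return cpu >= CPU_LIMIT and quiet and not planned

def night_spikes(log):
    """Return (start, end, peak_cpu) for each sustained unexplained spike."""
    spikes, run = [], []
    # The trailing None closes a run that lasts to the end of the log.
    for line in log.strip().splitlines() + [None]:
        if line is not None:
            stamp, cpu = line.split()
            ts, cpu = datetime.fromisoformat(stamp), float(cpu)
            if is_suspicious(ts, cpu):
                run.append((ts, cpu))
                continue
        if len(run) >= MIN_RUN:
            spikes.append((run[0][0].isoformat(timespec="minutes"),
                           run[-1][0].isoformat(timespec="minutes"),
                           max(c for _, c in run)))
        run = []
    return spikes

if __name__ == "__main__":
    for start, end, peak in night_spikes(SAMPLE_LOG):
        print(f"unexplained night spike {start} to {end}, peak {peak:.0f}% CPU")
```

The daytime peak, the reading inside the maintenance window and the single 04:30 blip are all ignored; only the sustained 03:10 to 03:30 run is reported.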

4. Banner Ads You Never Approved Appear

Sometimes, hackers find a way to hack that the web developer never sees. Try entering your WordPress site not logged in as an admin and see what you can see. Your WordPress site may already have banner ads, but hackers love to inject their own banner ads into the mix when they take over a website. Many can program malware to do this for them. So take a close look at your banner ads along the sides and header/footer of each page. Are any of them for products you would never-ever approve of? Are any of them clearly spammy hacks that Google would never approve of? Don't have banner ads in the first place? Then it's a hack lurking on your site and stealing ad space.

Hackers love to change ad-banners because it potentially directs web traffic from your site to their scams. The more eyes see their scammy advertisements, the more 'bites' they might potentially get. And a hacker doesn't mind ruining the reputation and atmosphere of your WordPress site to do it. In fact, some specialise in just that.

5. New Unexplained Plugins

We all know that the easiest way to effect change on WordPress is by installing plugins, but you usually won't get an update on which plugins you have currently installed and activated. So keep a close eye. Hackers have found ways to introduce new plugins to your stack, invisibly unless you check on a regular basis. If new, unknown and apparently no-purpose plugins appear around your website, this is a bad sign.

These plugins are most likely built to open back doors for the hacker or enact other kinds of automated misuse of your web server. Sometimes both.

New plugins aren't just one or two lines of code; they tend to be whole functionality sets. A new plugin might even look like a good thing to anyone who isn't familiar with your plugin list. It might look like a security plugin, a file handling plugin, or a website feature plugin. Keep a list of all the plugins intentionally installed and prevent admins from adding any without adding to the list. Then you'll know if a mystery plugin has appeared.
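One way to automate the plugin-list check, as an added example that is not part of the original article: it compares what is on disk under wp-content with an approved list, and also looks in wp-content/mu-plugins, which WordPress loads automatically. The approved list, the sample directory tree and the slugs "backup-tool" and "wp-security-helper" are constructed for illustration.

```python
"""Compare plugins on disk under wp-content with an approved list."""
from __future__ import annotations
import tempfile
from pathlib import Path

IGNORED = {"index.php"}  # placeholder file WordPress ships in plugin folders

# Constructed approved list; "backup-tool" is a made-up slug.
APPROVED = {"plugins/akismet", "plugins/contact-form-7", "plugins/backup-tool"}

def installed_plugins(wp_content: Path) -> set[str]:
    """List plugin folders and single-file plugins, must-use ones included."""
    found = set()
    for folder in ("plugins", "mu-plugins"):
        base = wp_content / folder
        if not base.is_dir():
            continue
        for entry in base.iterdir():
            is_plugin = entry.is_dir() or entry.suffix == ".php"
            if is_plugin and entry.name not in IGNORED:
                found.add(f"{folder}/{entry.name}")
    return found

def audit(wp_content: Path, approved: set[str]) -> dict[str, list[str]]:
    """Report entries on disk but not approved, and approved but not on disk."""
    on_disk = installed_plugins(wp_content)
    return {"unexpected": sorted(on_disk - approved),
            "missing": sorted(approved - on_disk)}

def build_sample_tree(root: Path) -> Path:
    """Create a constructed wp-content layout; 'wp-security-helper' is made up."""
    wp_content = root / "wp-content"
    for rel in ("plugins/akismet", "plugins/contact-form-7",
                "plugins/wp-security-helper", "mu-plugins"):
        (wp_content / rel).mkdir(parents=True)
    (wp_content / "plugins" / "index.php").write_text("<?php // Silence is golden.\n")
    (wp_content / "mu-plugins" / "loader.php").write_text("<?php\n")
    return wp_content

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit(build_sample_tree(Path(tmp)), APPROVED)
    for kind, names in report.items():
        for name in names:
            print(f"{kind}: {name}")
```

On a real server, point `audit()` at the site's own wp-content directory and keep the approved list somewhere the web server cannot write to.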

6. Your WordPress Email Stops Working

If your WordPress server host offered to set up email and you've been using your WordPress email ever since, that email server stays where it is. Something is seriously wrong when you can no longer connect to your email by app or online portal.

This most likely means that the malware is using your WordPress internet to send spam mail and has gone through the trouble of locking everyone else out.

Hackers who specialise in spam mail love to take over a web server's email capabilities. Starting an email server on your IP address puts you at risk of being blacklisted, as well as losing access to your on-server email system.

7. You Suddenly Lack Website Traffic

If you've been tracking your website stats and traffic suddenly fell off, this can also be the result of a hacker already inside your server. Many malware programs designed to lurk in the background will help build a brand inside your site that will slowly take over and subvert traffic away from your site and onto theirs.

8. Broken Pages and Broken Code

Do some navigating around your WordPress site. Use search terms, and follow every link you can find. Running into an increased number of broken pages? Getting the same reports from your users? This means that a hacker or, more likely, their malware is changing things about your website code that are causing some to many of your configurations to break.

9. An Army of Bot-Users

Now take a look at your users and forum activity. If you have experienced a swell of new users without a swell of new activity or traffic, these users are bots, most likely being automatically created by the script that has set up shop in the background of your WordPress websites. They may be posting junk on your forums or doing other strange things based on whatever the malware programmed this bot-army of new users to do.

10. Your Site Has Been Blacklisted

Finally, there's the horror of the blacklist. Being blacklisted by Google means that your site has been made into a source of spam mail and irritating junk that has been reported by a few too many people. Hackers do this by stealing your WordPress email domain and otherwise using your website as a home-base for bothering and hacking others. 

If you can't get to your WordPress site because Google gives a warning or if you get a blacklisted alert in your email, then something has gone truly wrong and the malware lurking on your web server has gone far out of hand.

WordPress sites displaying these symptoms are most likely harbouring at least one form of malware right now, whether it is simply spamming up your banner ads or using your website as a staging point to hack other sites. But you don't have to live in constant fear of hackers, secret malware, and blacklisting.

Contact us today to learn how to defend your WordPress site from the constant environment of hacking and infiltration.


Topics: Website Security