DEV Community

Rajan Gupta

13,000 WordPress Sites Get Hacked Today. Most Owners Won't Know Until It's Too Late.

I spent a week going through Reddit threads, Stack Overflow questions, Quora posts, GitHub issues, and WordPress.org forums — every place developers and site owners go when something feels wrong with their WordPress site.

The same questions came up over and over. And the answers people were getting were mostly... wrong. Or at least dangerously incomplete.

This post is a synthesis of everything I found, the real numbers behind it, and what actually works. I'll also tell you about a free tool we built that does in 60 seconds what most people are doing manually for hours.

Let's start with the data that genuinely surprised me.


The Numbers That Reframe Everything

Before we get into the questions, you need to sit with these for a moment:

| Stat | Number |
|---|---|
| WordPress market share of ALL websites | 43.5% |
| New vulnerabilities in 2025 alone | 11,334 (a 42% YoY jump) |
| WordPress sites compromised per day | ~13,000 |
| Attacks per minute across WP sites | 90,000 |
| Time from disclosure → mass exploitation | 5 hours |
| Vulnerabilities with NO patch at disclosure | 46% |
| Vulnerabilities requiring zero auth to exploit | 43% |
| Average cost of a single breach | $14,500 |

Sources: Colorlib 2026, Hide My WP Ghost Research

That last one is the number that stops people. $14,500 to recover from a hack. Against a free scan that takes 60 seconds.

The math is irrational — and yet 73% of site owners have no documented incident response plan.


The Questions People Are Actually Asking

I categorised every WordPress security question I found across platforms. Here are the real questions, ranked by how often they appear and how badly they're answered:


❓ #1 — "How do I even know if my site is hacked?"

Where it's asked: Reddit r/Wordpress, r/webdev, Quora, WordPress.org forums

This is the #1 question. By a wide margin.

The painful part? Most hacked sites look completely normal to the owner. The infection is designed to be invisible to you while being fully active to visitors, search engines, and Google's crawlers.

Here's what an infected site might look like from different angles:

```text
Owner visits site:         → Everything looks normal. No warnings.
Google crawler visits:     → Sees spam links for casino/pharma injected into content
Visitor on mobile:         → Gets redirected to a phishing page
Google Search Console:     → Shows "This site may be hacked" warning
Hosting provider:          → Detects outbound spam and suspends account
```

The attack surface is your public-facing URL, not your admin panel. That's why so many detection attempts fail — you can't see what Google sees from inside your own dashboard.

Signs your WordPress site is hacked (the real list):

  • 🔴 Google Search Console showing "Security Issues" tab with warnings
  • 🔴 Hosting provider sends abuse/suspension email out of nowhere
  • 🔴 Visitors report being redirected to spam/pharma/gambling sites
  • 🔴 Search results for your domain show unrelated titles ("Buy Cheap Viagra…")
  • 🔴 New admin users appearing in your WordPress dashboard you didn't create
  • 🔴 Your site loads fine but has mysteriously slow response times
  • 🔴 wp-cron.php firing constantly, generating unusual server load
  • 🔴 Files like c99.php, alfa.php, r57.php exist in your uploads folder

The fastest way to check? Run an external scan. wp-scan.org/malware-check — paste your URL, get results in under 60 seconds. It scans from the outside, the same way Google and attackers see your site. No plugin. No login. Free.


❓ #2 — "I have a security plugin. Am I protected?"

Where it's asked: Stack Overflow, Reddit r/Wordpress, Quora

This one gets a confident "yes" from a lot of well-meaning people. The reality is more nuanced.

Security plugins (Wordfence, Sucuri, iThemes Security) are valuable. But they have a structural blind spot that very few people talk about:

They scan from inside your server.

Which means:

```text
✅ Security plugin CAN do:
   - File integrity monitoring
   - Brute force login protection
   - Known malware signature scanning (on files it can access)

❌ Security plugin CANNOT do:
   - See HTTP response headers an attacker or Google would see
   - Detect redirects that only trigger for specific user agents
   - Scan the plugin itself if the plugin is the infection vector
   - Work at all if the server is fully compromised
   - Detect spam injection that only appears in Google's crawler response
```

The mu-plugins backdoor attack that made headlines in 2025 is a perfect example. A backdoor was embedded inside WordPress's mu-plugins directory — a location that most security plugins scan last, or not thoroughly enough. The Hacker News reported on it here.

An external scanner would catch this immediately — because it checks what's actually delivered to visitors, regardless of where the infection lives.

The answer isn't either/or. It's both. Use a security plugin for file monitoring and login protection. Use an external scanner (wp-scan.org) to check what the world actually sees. They cover completely different attack surfaces.
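The blind spot described in #1 and #2 (content served only to Googlebot, redirects that fire only for phones) can be checked from the outside by requesting the same page under several visitor profiles and diffing the answers. This is an added example, not code from the post or from wp-scan.org; the profiles, spam word list and sample responses are constructed for illustration.

```python
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Visitor profiles from the post: owner on a desktop browser, Google's crawler,
# a phone. The owner's view is the baseline; anything only the others get is cloaked.
PROFILES = {
    "owner-desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
}
# Constructed spam vocabulary; a real scanner would use a much larger list.
SPAM_WORDS = re.compile(r"\b(casino|viagra|cialis|payday loan)\b", re.I)
SCRIPT_HOSTS = re.compile(r"<script[^>]+src=[\"']https?://([^/\"']+)", re.I)

def fetch(url, user_agent):  # -> (final URL after redirects, body)
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        with urlopen(req, timeout=15) as resp:
            return resp.geturl(), resp.read(200_000).decode("utf-8", "replace")
    except HTTPError as err:  # 4xx/5xx responses still carry a body worth comparing
        return err.geturl(), err.read().decode("utf-8", "replace")

def compare(responses):  # responses: {profile: (final_url, body)} -> list of findings
    base_url, base_body = responses["owner-desktop"]
    base_spam = {w.lower() for w in SPAM_WORDS.findall(base_body)}
    base_hosts = set(SCRIPT_HOSTS.findall(base_body))
    findings = []
    for profile, (url, body) in responses.items():
        if profile == "owner-desktop":
            continue
        if url != base_url:  # cloaked redirect: only this profile is sent elsewhere
            findings.append(f"{profile}: redirected to {url} (owner lands on {base_url})")
        extra_spam = {w.lower() for w in SPAM_WORDS.findall(body)} - base_spam
        if extra_spam:  # injected content served only to this profile
            findings.append(f"{profile}: spam terms hidden from owner: {sorted(extra_spam)}")
        extra_hosts = set(SCRIPT_HOSTS.findall(body)) - base_hosts
        if extra_hosts:  # third-party script hosts the owner never sees
            findings.append(f"{profile}: extra script hosts: {sorted(extra_hosts)}")
    return findings

def scan(url):  # live check: fetch under every profile, then diff against the owner's view
    return compare({p: fetch(url, ua) for p, ua in PROFILES.items()})

# Constructed responses standing in for a live fetch so the check runs offline.
SAMPLE = {
    "owner-desktop": ("https://example.com/", "<html><body><h1>My blog</h1></body></html>"),
    "googlebot": ("https://example.com/", "<html><body><h1>My blog</h1><div style='display:none'>cheap casino viagra</div></body></html>"),
    "mobile": ("https://promo.example.net/claim/", "<html><body>Claim your prize</body></html>"),
}
```

`compare(SAMPLE)` reports the hidden spam block shown only to Googlebot and the redirect that only mobile visitors receive; `scan("https://yoursite.example/")` does the same against a live site you own.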


❓ #3 — "My site was hacked. I restored a backup. Is it fixed?"

Where it's asked: WordPress.org support forums, Reddit, Quora

This is the most dangerous misconception I found. It was everywhere.

No. Restoring a backup is not the same as cleaning a hack.

Here's why:

```text
// What a backup restore does:
// 1. Overwrites your current files with the backup version
// 2. Restores your database to the backup state

// What it does NOT do:
// 1. Remove the vulnerability that allowed the hack in the first place
// 2. Remove the backdoor the attacker LEFT BEHIND (which may predate the backup)
// 3. Reveal HOW the attacker got in
// 4. Prevent the attacker from re-entering in minutes
```

The backdoor is almost always planted before the visible symptoms appear. So your clean backup? It probably contains the backdoor too.

The real sequence for recovery:

  1. Scan externally first — understand what's exposed (wp-scan.org/malware-check)
  2. Identify the entry vector — outdated plugin? Nulled theme? Weak password?
  3. Restore to a clean backup AND update/patch everything
  4. Scan again — confirm the infection is gone
  5. Harden — change all passwords, regenerate salts, review users

Skipping step 1 and jumping straight to restore is why 40%+ of hacked sites get re-hacked within a month.


❓ #4 — "Which plugins are safe to use?"

Where it's asked: Reddit, Stack Overflow, WP Tavern, Hacker News threads

The data from 2025 is sobering:

  • 91% of WordPress vulnerabilities live in plugins
  • 46% of those had no available patch at the time of public disclosure
  • 52% of plugin developers never issue a patch before public disclosure

Even popular, well-maintained plugins can become vectors overnight. A supply chain attack in 2026 compromised the Essential Plugin portfolio — trusted by hundreds of thousands of sites — by injecting malicious code after an ownership change. More details here.

The answer the community gives is "only use reputable plugins" — but this misses the point. The question isn't which plugins, it's how quickly you know when one becomes dangerous.

What actually reduces risk:

```text
# 1. Keep absolutely everything updated
# The exploitation window after a patch is published:
#   - 20% of sites exploited within 6 hours
#   - 58% exploited within 72 hours

# 2. Audit what's installed (less = less attack surface)
# Run a scan to see what's fingerprinted on your site
# wp-scan.org checks for CVEs tied to detected plugin versions

# 3. Delete, don't just deactivate
# Deactivated plugins still exist as files on the server
# Those files can still be requested directly by URL and exploited

# 4. Never use nulled/pirated plugins
# See question #5
```

❓ #5 — "Are nulled WordPress plugins actually dangerous?"

Where it's asked: Reddit r/Wordpress, r/piracy, freelancer forums

Every week on Reddit there's a thread where someone admits to using a nulled plugin, asking if it's really that bad. The responses range from "definitely yes" to "probably fine if you scan it."

Here's the actual answer:

Nulled plugins are pre-infected by design.

The economics of nulled plugin distribution are not charity. Someone is stripping the license check and re-distributing because the malware they embed pays them. Most commonly: a remote-include shell, a call back to a C2 server, or a hidden admin account creation on install.

One of the social media posts I created about this visualises it well:

```text
You install "nulled-avada-theme-v8.zip"
          ↓
On install: creates hidden admin user "wp_support_temp"
On page load: calls out to cdn-track[.]net/pixel.js (obfuscated payload)
On wp-cron: sends your site's contact form emails to attacker's list
```

The scan that catches this costs $0. The cleanup after you've been running it for six months costs $14,500 on average.


❓ #6 — "Why is Google saying my site is dangerous?"

Where it's asked: Reddit, Quora (extremely common), WP.org forums

Google's Safe Browsing database flags sites for:

  • Phishing — login form lookalikes, credential harvesting
  • Malware distribution — your site is serving exploit kits to visitors
  • Deceptive content — spam pages, affiliate injection
  • Unwanted software — drive-by downloads triggered on visit

The flag comes after Google's crawler detects it. Which means you've been infected for a while, your SEO is already damaged, and visitors have already been exposed.

The fastest path to unflagging:

  1. Use Google Search Console → Security Issues to see what Google found
  2. Run an external malware scan → wp-scan.org/malware-check
  3. Clean the infection (use the scan report to guide exactly what to remove)
  4. Submit a review request via Search Console

Most people start with step 3 (hiring a cleanup service) without understanding step 2. The scan takes 60 seconds and usually identifies the exact type of infection — saving hours of guesswork.


❓ #7 — "Is my WordPress version exposed? Does it matter?"

Where it's asked: Reddit, Stack Overflow, developer forums

Yes and yes.

WordPress emits its version in multiple places:

  • <meta name="generator" content="WordPress 6.x.x" /> in page source
  • readme.html at the site root
  • RSS feed headers
  • REST API responses (/wp-json/)
  • load-scripts.php and load-styles.php query parameters

Why this matters: attackers don't manually browse your site. They run scanners that fingerprint your version and cross-reference it against CVE databases. If you're running 6.4 and a critical RCE was published yesterday, your site is in the queue.

wp-scan.org/check-wordpress-for-malware checks for version exposure as one of its 22 scan checks — along with REST API exposure, XML-RPC status, user enumeration, and more.


❓ #8 — "What is user enumeration and why does everyone say to disable it?"

Where it's asked: Stack Overflow, WordPress.org forums, security blogs

WordPress's default author archive URLs (/?author=1, /?author=2) redirect to /author/username/ — which reveals your admin usernames to anyone who asks.

Once an attacker knows your username, brute-forcing the password is a straightforward automation task. The REST API (/wp-json/wp/v2/users) leaks even more.

```bash
# Attacker's perspective — two requests to get your admin username:
curl "https://yoursite.com/?author=1"
# → 301 redirect to https://yoursite.com/author/admin/

curl "https://yoursite.com/wp-json/wp/v2/users"
# → Returns JSON with all usernames, IDs, display names, avatars
```

wp-scan.org/wordpress-vulnerability-scanner checks both vectors as part of every scan.
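To verify the two exposures from #7 and #8 on a site you run, it is enough to parse what an anonymous request gets back: the generator meta tag, readme.html and the feed for the version, and the author-archive redirect plus the REST users route for enumeration. This is an added example, not code from the post or from wp-scan.org; the sample responses are constructed, and the functions take captured status/headers/body so the check works offline.

```python
import json
import re

# Where WordPress discloses its version to any visitor (question #7); each path
# gets its own pattern so "Version 1.2" on an unrelated page is not a false hit.
VERSION_CHECKS = {
    "/": re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', re.I),
    "/readme.html": re.compile(r"\bVersion\s+([\d.]+)", re.I),
    "/feed/": re.compile(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", re.I),
}

def version_leaks(pages):
    """pages: {path: body} as fetched anonymously. Returns {path: version} per leak."""
    leaks = {}
    for path, pattern in VERSION_CHECKS.items():
        match = pattern.search(pages.get(path, ""))
        if match:
            leaks[path] = match.group(1)
    return leaks

def enumeration_leaks(author_status, author_location, users_status, users_body):
    """Question #8: what the ?author=1 redirect and /wp-json/wp/v2/users gave an anonymous caller."""
    findings = []
    # A 301/302 to /author/<slug>/ confirms the archive maps numeric IDs to usernames.
    if author_status in (301, 302) and "/author/" in (author_location or ""):
        slug = author_location.rstrip("/").rsplit("/", 1)[-1]
        findings.append(f"author archive redirect exposes username: {slug}")
    # The REST users route should not answer 200 with a user list for anonymous callers.
    if users_status == 200:
        try:
            users = json.loads(users_body)
        except ValueError:
            users = []
        slugs = [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]
        if slugs:
            findings.append(f"REST API lists {len(slugs)} user(s): {slugs}")
    return findings

# Constructed responses in place of live requests, so the check runs offline.
SAMPLE_PAGES = {
    "/": '<html><head><meta name="generator" content="WordPress 6.4.3" /></head></html>',
    "/readme.html": "<h1>WordPress</h1><p>Version 6.4.3</p>",
    "/feed/": "<rss><channel><generator>https://wordpress.org/?v=6.4.3</generator></channel></rss>",
}
SAMPLE_AUTHOR = (301, "https://example.com/author/admin/")
SAMPLE_USERS = (200, json.dumps([{"id": 1, "slug": "admin", "name": "Site Owner"}]))
if __name__ == "__main__":
    print(version_leaks(SAMPLE_PAGES))
    print(enumeration_leaks(*SAMPLE_AUTHOR, *SAMPLE_USERS))
```

A hardened site returns an empty dict and an empty list here; on the WordPress side, the `rest_endpoints` filter is the standard place to remove the `/wp/v2/users` routes for unauthenticated requests (this remediation is not described in the post).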


The Gap Between "Concerned" and "Protected"

The Melapress 2025 Security Survey has one finding that ties everything together:

WordPress professionals rate security concern at 7.8 out of 10.
Yet 73% have no documented recovery plan if a breach occurs.

That's not laziness. It's the psychological distance between "this could happen" and "I know exactly how to check right now."

The tools to cross that gap exist, most of them are free, and one of them takes 60 seconds.


The 60-Second Check You Should Do Right Now

wp-scan.org/malware-check

It's an external WordPress security scanner. You enter a URL. It checks:

| Check | What it detects |
|---|---|
| 🦠 Malware signatures | PHP eval/base64 obfuscation, known webshell paths |
| 🚪 Backdoor indicators | Dangerous file exposure (c99, r57, alfa.php) |
| 🔓 Security headers | HSTS, CSP, X-Frame-Options, X-Content-Type |
| 📁 Exposed files | .env, wp-config.php, debug logs |
| 👤 User enumeration | Author archive + REST API leakage |
| 🌐 XML-RPC status | Brute force amplification vector |
| 📦 Plugin CVEs | Version fingerprinting + known vulnerabilities |
| 🔄 Redirect behaviour | Spam/malware redirects invisible to owner |
| 🔒 SSL/HTTPS | Mixed content, certificate issues |
| 📋 Robots.txt | Hidden directories, disallow patterns |

No plugin. No account. No credit card. Just a URL.

It scans from outside your server — the way an attacker, Google, or a visitor would see your site. That's the blind spot every internal security plugin has.


What to Do After the Scan

If your grade is A or B:
Great — but schedule a re-scan monthly. The 5-hour exploitation window means a clean site today can be a compromised site tomorrow after a plugin update.

If your grade is C or D:
You have issues but they're likely not active infections — missing security headers, version exposure, configuration gaps. These are the easy wins. Fix them before an attacker uses them as a stepping stone.

If your grade is F:
Stop. Don't dismiss it. An F grade means active indicators — malicious patterns, dangerous file exposure, suspicious redirects. Take the report seriously and address every finding.

The full report (available after entering your email) includes step-by-step fix instructions for every issue found.


The Real Summary

The WordPress security conversation online is dominated by:

  • Vague advice ("keep everything updated")
  • Tool wars (Wordfence vs Sucuri vs paid services)
  • Panic posts after the hack has already happened

What's missing is the thing that actually changes outcomes: a regular, external check that takes less time than making coffee.

13,000 sites are compromised today. Most of them would have shown warning signs on an external scan days or weeks earlier.

The scan is free. The information is real. The 60 seconds it takes is worth it.

Run a free scan on your WordPress site now


Built by Rajan Gupta — if this saved your site, the scanner is free at wp-scan.org. Drop a question in the comments.
