Skip to content
client story

How a WordPress site was compromised in 4 minutes and what we learned from it

One morning, Gerald, the marketing consultant for one of our clients, called to let us know he'd spotted 46 articles in Russian on the client's website. We don't read Russian, but we were fairly confident this wasn't legitimate content.

One morning, Gerald, the marketing consultant for one of our clients, called to let us know he’d spotted 46 articles in Russian on the client’s website. We don’t read Russian, but we were fairly confident this wasn’t legitimate content.

My first instinct was to log into the back-office and head straight to the users menu. Because if content was published, someone had the access to publish it. And there it was: three new profiles, created by neither the client nor the marketing agency.

The articles gave me scattered publication timestamps, but the account creation times pointed clearly to when the intrusion must have happened.

9:06 PM. The time of the crime.

By cross-referencing the server logs with the database, I was able to piece together a precise timeline. One evening in June, at 9:06 PM, an unknown IP address logged into the WordPress admin panel using a client account’s credentials. The login succeeded on the first attempt. No brute force, no repeated failed attempts. The attacker had the right access and the most powerful role available: administrator.

In under five minutes, they used a native WordPress tool to inject around forty Russian-language articles and create three subscriber accounts. Before logging out, they subtly modified the main administrator’s email address by removing a single letter, and submitted a pending admin email change request.

Then they were gone. Silently.

Before reporting back to the client, I removed the unwanted content, cleaned the injected data from the database, deleted the accounts tied to the intrusion, and changed every password. Every single one. I sent the same request to all users on the site.

But… why do any of this?

What this person or group carried out is called SEO spam, or black hat SEO: publishing dubious content loaded with links pointing to third-party sites — online casinos, rogue pharmacies, counterfeit goods. The goal is to exploit the victim site’s domain authority to boost the rankings of those destinations. As a bonus for the attacker, the victim site itself gets flagged by Google for bad practices, and its own rankings take a hit.

In this case, the strategy was straightforward: stay invisible for as long as possible while the Russian articles quietly got indexed by Google.

The email address altered by a single letter was their backup plan. If the client’s account had been secured in the meantime, the attacker could trigger WordPress’s official email change procedure and regain full admin access through the mailbox they controlled. Clever, and unsettlingly effective.

Why you should make changing passwords a reflex

The entry point here wasn’t brute force. Nothing was broken or forced. The attacker simply used… a copy of the key.

How did they get it? Good question. The password tied to that account was perhaps too weak, reused across other services, or had surfaced in a data breach. It’s a modern problem that tends to be underestimated: millions of email and password combinations circulate on underground forums, leaked from other services that users have long since forgotten about. All it takes is for one password to appear in a breach somewhere else for every account using that same password to become vulnerable.

For reference, you can check whether your email appears in any known breaches at haveibeenpwned.com. If it does, update every password associated with that address.

Several possible causes, one underlying problem

The fundamental rule is simple: one password per account. Modern life pushes us to sign up for everything : loyalty cards, banking portals, news sites. It all blurs together, and reusing the same password has become increasingly dangerous. You’re no longer just risking someone seeing your browsing history. You’re risking exposing genuinely sensitive data.

What this story teaches us more broadly is that a website isn’t a tool you leave to run on its own. It needs looking after. That means thinking carefully about access: there’s no reason to give someone an administrator role when their day-to-day use is just reviewing content. An editor role is perfectly sufficient, and it blocks access to sensitive features like the content importer or admin email settings.

A site that isn’t kept up to date is also a vulnerable site. Anything that falls behind on updates accumulates known vulnerabilities, and those will be exploited without hesitation by people with bad intentions.

Finally, active monitoring is an essential habit. Having a tool or a Gerald keeping an eye on the site is a valuable ally for catching suspicious logins and acting before it’s too late. Along the same lines, two-factor authentication remains the single most effective measure against this type of attack: even with the correct password, the attacker hits a wall at the second step.

Make sure your maintenance contract covers these aspects, because a well-maintained site isn’t an invulnerable one, but it is one that closes most doors before anyone tries to open them.

Let's talk