Imagine you run a WordPress site for your church, your local nonprofit, or your small consulting business. Everything looks fine. Your homepage loads, your blog posts are there, your contact form works.
But hidden in a subdirectory you've never visited, there's a fully functional e-commerce store selling counterfeit luxury handbags or knockoff electronics. It has product photos stolen from legitimate brands, a shopping cart, and a checkout page harvesting credit card numbers.
You didn't build it. You don't know it's there. But your domain is hosting it, and your site's reputation is helping it look legitimate.
This isn't hypothetical. At StoreLock, we discover hundreds of these compromised WordPress sites every month while monitoring for unauthorized use of our clients' brand assets. The pattern is remarkably consistent, and the site owners almost never know it's happening.
Why WordPress Sites Get Targeted
WordPress powers over 40% of the web, which makes it the largest target in existence. Attackers don't need to find your site specifically, they just need to find any vulnerable site, and the odds are in their favor.
Most WordPress sites are "set and forget." A business launches their site, maybe updates it once or twice, and then leaves it alone for months or years. Meanwhile, vulnerabilities are discovered in plugins and themes, exploits are published, and automated scanners sweep the internet looking for sites that haven't patched.
Small businesses and nonprofits are particularly vulnerable. They often lack dedicated IT resources, run on tight budgets, and reasonably assume that their modest website isn't worth a hacker's attention. Unfortunately, that assumption is wrong... attackers aren't after your data. They're after your server space and your domain's reputation.
How Attackers Get In
The entry points are well-documented and frequently exploited.
Outdated plugins and themes are the most common vector. When a vulnerability is discovered and published, attackers don't wait. Automated tools scan for sites running the vulnerable version and exploit them at scale. If you're running a plugin that hasn't been updated in six months, you're a target.
Weak credentials remain surprisingly effective. Many WordPress sites still use "admin" as a username, and brute-force attacks against /wp-admin are constant. If your password is anything close to guessable (use a password manager with unique passwords) or if you've reused it from another site that's been breached, you're exposed.
Abandoned plugins are a quieter risk. When a plugin developer stops maintaining their code, any vulnerabilities discovered afterward will never be patched. The plugin still works, so site owners leave it installed, unaware they're running software with known security holes.
File upload vulnerabilities in poorly coded plugins allow attackers to upload arbitrary files—including PHP scripts that give them full control over your site.
Compromised hosting environments can also play a role. On shared hosting, a weakness in one site can sometimes provide access to others on the same server.
What They Do Once Inside
Here's where it gets interesting and where the attack pattern we see at StoreLock becomes clear.
Once an attacker has access to your WordPress installation, they don't deface your homepage or do anything obvious. Instead, they create a hidden subdirectory: /shop, /store, /wp-content/uploads/2024/products, or something equally innocuous. Unless you're actively browsing your own file structure, you'd never notice it.
Into that directory, they upload a complete phishing storefront. These aren't crude fakes. They're often pixel-perfect clones of real Shopify stores, complete with stolen product images, legitimate-looking branding, professional layouts, and functional shopping carts. The checkout page collects credit card information that goes straight to the attacker.
The critical part: they leave your main site completely untouched. Your homepage works. Your blog posts are there. Your navigation is intact. There's nothing to alert you that anything is wrong.
With the phishing store in place, attackers drive traffic to it. Sometimes they use SEO poisoning, manipulating search results to surface the fraudulent store for product searches. Sometimes they run ads. The scam leverages your domain's age and reputation to appear trustworthy in search rankings and ad platforms.
The site owner becomes an unwitting accomplice. Victims who land on the phishing store see a URL that looks legitimate. It's an established domain, not a sketchy new registration, and they're more likely to trust it with their payment information.
Why Site Owners Don't Notice
This type of attack is specifically designed to evade detection.
You don't browse to subdirectories you didn't create. Why would you? Your site looks and functions exactly as expected. Unless you're regularly auditing your file structure or scanning for file and directory changes, and almost no small business owner is, you won't stumble across the hidden content.
Your analytics might not flag it either. Traffic to the hidden subdirectory won't show up in your normal page views unless you're specifically looking for it. And even if you glanced at server logs, traffic to /wp-content/uploads/products/ might not register as suspicious.
Sometimes, these stores live in virtual directories and are generated dynamically by the attacker.
Hosting costs may not spike noticeably. These phishing stores are lightweight. They're not running complex applications, just static pages with a checkout form. The resource usage might be invisible in your monthly bill.
Google Search Console warnings are easy to miss. If Google detects malware or phishing content, they'll flag it, but Google could miss it or those notifications go to an email address many site owners don't monitor closely, and the warnings can be cryptic if you don't know what you're looking at.
In our monitoring, we regularly find phishing stores that have been active for months before anyone notices.
The Collateral Damage
This isn't a victimless situation hiding on your server.
For the brand being spoofed, it's a direct attack on their customers and reputation. People searching for their products find a convincing fake (often offered at a cheaper price), hand over their credit card information, and either receive nothing or receive counterfeit goods. When they complain, they complain to the real brand.
For the WordPress site owner, the consequences can be severe. Your domain can get blacklisted by browsers and email providers. Your search rankings can tank when Google detects phishing content. In some cases, you could face legal exposure for hosting fraudulent commerce, even unknowingly. And if your site serves a church, nonprofit, or professional practice, the damage to your reputation with your own community can be significant.
For consumers, the harm is financial and personal. Stolen credit card numbers, fraudulent charges, and the frustration of realizing that "great deal" was a scam.
What to Do If This Happened to You
If you've discovered or been notified that your WordPress site is hosting content you didn't create, here's the immediate path forward.
First, contain the damage. Remove the malicious directory immediately, or take the site offline temporarily if you're not sure what else might be compromised.
Change all credentials. Every admin password, every FTP password, every database password. Assume the attacker has them all.
Audit your user accounts. Look for admin accounts you don't recognize. Attackers often create backdoor accounts so they can regain access after you've cleaned up the obvious intrusion.
Update everything. WordPress core, all plugins, all themes. If you're running anything that hasn't been updated in over a year, consider removing it entirely.
Scan for backdoors. This is where it gets tricky. Sophisticated attackers don't rely on a single entry point—they install multiple backdoors so they can return even after you've patched the original vulnerability. A basic cleanup might not catch everything.
Consider professional help. If you're not confident in your ability to fully audit your site and remove all malicious code, this is worth outsourcing. Wordfence Care and SolidFix both specialize in hacked WordPress site cleanup and can ensure nothing is left behind. The cost of professional remediation is minimal compared to the cost of getting re-compromised because you missed a hidden backdoor.
The Bottom Line
This attack pattern is common, quiet, and damaging to everyone involved. Legitimate businesses get their brands hijacked. WordPress site owners become unwitting hosts for fraud. Consumers lose money to convincing scams.
If StoreLock has contacted you about unauthorized content on your site, this is likely what's happened. You're not in trouble, but your site has been used as a tool in someone else's scam, and it needs to be addressed.
The good news: this is fixable. Clean up the compromise, harden your security, and your site goes back to doing what it was supposed to do. The key is acting quickly and thoroughly.
