Table of Contents 7 sections
What Is Cryptojacking?
Cryptojacking is the unauthorized use of your computing resources to mine cryptocurrency for someone else. Mining is expensive because it burns processing power and electricity, so attackers steal those resources instead of paying for them. When your WordPress site is cryptojacked, either your server or your visitors' devices are put to work generating coins for the attacker, and you pay the cost in performance, hosting bills, and reputation.
The Two Forms of Cryptojacking
1. Server-Side Mining
The attacker installs a mining program directly on your hosting after compromising the site. It runs quietly in the background, consuming CPU and memory. The result is a slow site, high resource usage, and often a warning or suspension from your host for abuse.
2. Browser-Based Mining
The attacker injects a JavaScript miner into your pages. The mining then runs in the browser of every visitor while they are on your site. Their device does the work, so your server load may look normal, but your visitors experience sluggish devices, spinning fans, and draining batteries, and your reputation suffers.
Warning Signs of Cryptojacking
- A sudden, sustained spike in server CPU usage with no traffic increase to explain it.
- Noticeably slower page loads and a sluggish admin dashboard.
- Higher hosting bills or a resource-abuse warning from your provider.
- Visitors reporting that their device heats up or slows down on your site.
- Unfamiliar scripts loading from domains you do not recognize.
How the Miner Got In
Like most WordPress infections, cryptojacking starts with a break-in through a familiar door:
- An outdated plugin, theme, or WordPress core with a known vulnerability.
- A weak or reused admin password compromised through brute force or credential stuffing.
- A previously planted backdoor from an earlier compromise.
The mining code is the payload. The vulnerability is the cause, and it must be fixed or the miner will return.
How to Remove Cryptojacking
- Confirm the infection by checking server processes for unknown high-CPU tasks and reviewing your pages for injected scripts.
- Back up the site before making changes.
- Stop and remove the mining process or script from the server.
- Clean injected code from theme files, wp-config.php, and the database.
- Replace core and plugin files with fresh official copies.
- Delete backdoors and unknown admin users, then reset all passwords.
- Update everything and patch the vulnerability that allowed entry.
How to Prevent Cryptojacking
- Keep WordPress, plugins, and themes updated.
- Use strong, unique passwords and two-factor authentication.
- Monitor server resource usage so an unexplained CPU spike is caught quickly.
- Use a Content-Security-Policy to limit which scripts can run in the browser.
- Run regular external scans to catch a compromise before it drains your resources.
How to Detect a Compromise Early
Our WordPress Security Scanner flags outdated components, missing security headers, and blocklist status, the conditions that let cryptojacking take hold. Run a free scan to make sure your server and your visitors are not mining for someone else.
FAQ
Frequently Asked Questions
Cryptojacking is the unauthorized use of someone's computing resources to mine cryptocurrency. On WordPress it takes two forms: server-side mining that runs on your hosting, and browser-based mining that runs a script in your visitors' browsers while they are on your site.
Common signs include a sudden spike in server CPU usage, slow page loads, higher hosting bills, your host warning about resource abuse, visitors reporting their device fans spinning up or batteries draining, and unfamiliar scripts loading from unknown domains.
Through the usual entry points: a vulnerable outdated plugin, theme, or WordPress core, or compromised admin credentials. Once inside, the attacker installs a mining script on the server or injects browser-based mining code into your pages.
It does not steal their data, but it hijacks their device to mine for the attacker. This slows their computer or phone, drains battery, increases their power use, and damages your reputation. Browsers and security tools increasingly block known mining scripts.
Identify and stop the mining process, remove injected scripts from files and the database, replace core and plugin files with clean copies, delete backdoors and unknown admin users, update everything, and patch the vulnerability that allowed entry so the miner does not return.
Tags
Related Posts
Zero-Day Plugin Exploits on WordPress: Attacks Before a Patch Exists
A zero-day plugin exploit attacks a flaw before the developer has a fix. Learn what makes them dangerous and how to reduce your exposure to the unknown.
Card Skimming and Magecart on WordPress: How Attackers Steal Payment Data at Checkout
Card skimming injects invisible code into your checkout to steal customer payment details. Learn how Magecart-style attacks hit WooCommerce and how to stop them.
SEO Spam and Pharma Hacks: The Hidden Injection Draining Your WordPress Rankings
SEO spam injections hide thousands of spam pages and links inside your WordPress site to boost someone else's rankings. Learn how to find and remove them.