Introduction: When a WordPress Website Is Attacked Without Warning
Website security issues often appear without any early signs. One day your website is working fine, and the next day it is down, showing server errors, consuming excessive resources, or behaving unpredictably. In many cases, these issues are not caused by hosting limitations or traffic growth but by hidden bot attacks and deeply embedded malicious files.
In this blog, we share a real-world experience where a WordPress website was hit by an aggressive bot attack that exhausted server bandwidth, followed by the discovery of advanced malware that was deliberately hidden from the WordPress admin panel. We explain how the issue was identified, how the website was cleaned and secured, and the critical lessons every website owner should learn to avoid similar attacks.
How We Resolved a 509 Bandwidth Exceeded Error and Uncovered Advanced WordPress Malware
At the beginning of the month, our website suddenly started showing a 509 Bandwidth Exceeded error, causing downtime and serious performance issues. This error usually indicates that the website has consumed more bandwidth than allowed by the hosting provider, but what we discovered went far beyond a simple bandwidth spike.
After investigating the issue with our hosting provider, we discovered that a bot originating from China was aggressively crawling image files from the WordPress media library. This resulted in bandwidth usage exceeding 1TB, which is extremely high and unsustainable.
As an immediate action, we asked our hosting provider to block traffic from China. This temporarily resolved the bandwidth issue, but it was not a permanent or reliable solution. Bot attacks can originate from any country, and relying solely on IP-based blocking is not enough.
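To see which clients are driving this kind of media-library traffic, the access log can be aggregated by bytes sent per client. The script below is an added example, not part of our original investigation: it assumes the server writes Combined Log Format, and the log lines, IP addresses and user agents in it are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
IMAGE_RE = re.compile(r'^/wp-content/uploads/.*\.(?:jpe?g|png|gif|webp)(?:\?.*)?$', re.I)

def media_bandwidth(lines):
    """Return {(ip, user_agent): [requests, bytes]} for media-library image hits."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not IMAGE_RE.match(m["path"]):
            continue  # skip malformed lines and non-image requests
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        entry = totals[(m["ip"], m["ua"])]
        entry[0] += 1
        entry[1] += sent
    return dict(totals)

def heavy_clients(lines, share=0.5):
    """Clients responsible for at least `share` of all image bytes, largest first."""
    totals = media_bandwidth(lines)
    grand = sum(b for _, b in totals.values()) or 1
    hits = [(k, n, b) for k, (n, b) in totals.items() if b / grand >= share]
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:00:00:01 +0000] "GET /wp-content/uploads/2024/05/a.jpg HTTP/1.1" 200 2400000 "-" "ExampleBot/1.0"',
    '203.0.113.7 - - [01/Jan/2025:00:00:02 +0000] "GET /wp-content/uploads/2024/05/b.png HTTP/1.1" 200 3100000 "-" "ExampleBot/1.0"',
    '198.51.100.20 - - [01/Jan/2025:00:00:03 +0000] "GET /wp-content/uploads/2024/05/a.jpg HTTP/1.1" 200 2400000 "https://example.com/" "Mozilla/5.0"',
    '198.51.100.20 - - [01/Jan/2025:00:00:04 +0000] "GET /shop/ HTTP/1.1" 200 51000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:00:00:05 +0000] "GET /wp-content/uploads/2024/05/c.webp HTTP/1.1" 304 - "-" "ExampleBot/1.0"',
]

if __name__ == "__main__":
    for (ip, ua), n, b in heavy_clients(SAMPLE_LOG):
        print(f"{ip}  {ua!r}  requests={n}  bytes={b}")
```

Grouping by IP and user agent together matters here because a crawler that rotates addresses still tends to show up under one user agent string.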
To address these challenges, we took the following security and performance measures:

Step 1: Implementing Cloudflare to Prevent Bot Attacks
To create a stronger defence layer, we decided to move the website to Cloudflare. Cloudflare acts as a reverse proxy, serving cached resources from its global network and blocking malicious traffic before it reaches the server.
This change successfully resolved the 509 error by reducing server load and preventing bots from directly accessing website resources such as images and scripts.
We also installed Wordfence Premium and enabled country blocking rules to add another layer of protection.
Step 2: Discovering Hidden and Advanced WordPress Malware
Although the bandwidth issue was resolved, we decided to run a full security scan to ensure the website was safe. What we discovered was one of the most advanced and dangerous malware infections we had ever encountered.
The scanner identified a suspicious folder inside wp-content/plugins/wp-core containing a file called core.php.
At first glance, it appeared to be a normal plugin. However, it was not visible in the WordPress admin plugins list, which immediately raised concerns.
Step 3: How the Malware Was Hiding Itself
After analysing the file thoroughly, we discovered that the malware was using WordPress hooks to:
- Hide itself from the plugins list
- Hide other malicious plugins
- Inject additional plugins without admin knowledge
We also found an Elementor folder inside the plugins directory, even though Elementor was not installed or used on the website. Deep inside nested folders, malicious files were hidden.
Additionally, the malware was injecting compromised versions of plugins such as WP File Manager, turning legitimate plugins into malicious ones.
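Because the admin plugins list cannot be trusted once a plugin filters it, the reliable check is to compare what is on disk with what the admin shows. The script below is an added example, not the scanner we used: the hook names it searches for are assumptions (the exact hooks are not named above), the `admin_listed` input is assumed to be collected separately, and the sample tree contains constructed placeholder files.

```python
import re
import tempfile
from pathlib import Path

# Hooks that can change what the wp-admin Plugins screen lists. Which hook this
# malware used is not stated on the page; these two are assumptions.
HIDING_HOOKS = re.compile(
    r"""add_(?:filter|action)\(\s*['"](all_plugins|pre_current_active_plugins)['"]""")

def audit_plugins(plugins_dir, admin_listed):
    """Return {folder: [findings]} for plugin folders that are missing from the
    admin list or whose PHP files register a list-altering hook."""
    report = {}
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        findings = []
        if folder.name not in admin_listed:
            findings.append("on disk but not in admin list")
        # rglob descends into nested folders, where the page found hidden files.
        for php in sorted(folder.rglob("*.php")):
            text = php.read_text(errors="replace")
            for hook in HIDING_HOOKS.findall(text):
                findings.append(f"{php.relative_to(folder)} hooks {hook}")
        if findings:
            report[folder.name] = findings
    return report

def build_sample_tree(root):
    """Constructed sample tree: file contents are placeholders, not the malware."""
    root = Path(root)
    files = {
        "contact-form/contact-form.php":
            "<?php\n/* Plugin Name: Contact Form */\nadd_action('init', 'cf_init');\n",
        "wp-core/core.php":
            "<?php\n/* Plugin Name: WP Core */\n"
            "add_filter( 'all_plugins', 'wpc_filter_list' );\n",
        "elementor/assets/lib/x.php": "<?php // placeholder\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # admin_listed: folder names the Plugins screen reports (assumed input).
        report = audit_plugins(build_sample_tree(tmp), {"contact-form"})
        for folder, findings in report.items():
            print(folder, findings)
```

A hook match is a lead for manual review rather than proof of infection, since some legitimate plugins also filter the plugin list.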
Step 4: Why Simply Deleting Malware Is Dangerous
Many people make the mistake of deleting the detected malicious file and assuming the site is clean. In reality, advanced malware often:
- Creates additional hidden files
- Modifies existing WordPress core files
- Injects code into installed plugins
- Reinfects the site automatically
By carefully inspecting the malicious files instead of deleting them blindly, we were able to trace and remove every injected component. After a complete cleanup, we ran another security scan to confirm the site was fully clean.
Step 5: Strengthening WordPress Security
After removing all malicious files, we implemented additional security hardening.
1. Disabled file editing and file modification by adding these lines to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
2. Updated WordPress core, all plugins, themes, and PHP to stable supported versions.
Step 6: Improving Website Performance with LiteSpeed Cache
Once security was restored, we focused on website performance. Since our hosting supported LiteSpeed Cache, we installed the LiteSpeed Cache plugin and configured it properly.
This significantly improved page speed, reduced server load, and helped the website run smoothly again.
Step 7: Preventing Directory Exposure
Another important security improvement was disabling directory browsing. Exposed directories can reveal sensitive information, making it easier for attackers to explore website files.
Step 8: Solving 503 Error and CPU Overload Issue
Even after these fixes, some WooCommerce product pages displayed a 503 service unavailable error after long load times, while CPU usage spiked to critical levels.
By switching to a default WordPress theme, we confirmed the issue was theme-related. Outdated WooCommerce support code inside the theme was causing excessive server load. Removing this unnecessary code resolved the issue completely.
Final Security and Performance Lessons
This incident highlights why WordPress security should never be taken lightly.
- Bot protection and firewalls are essential
- Malware can hide deeply inside plugins
- Deleting files without investigation is risky
- Themes, plugins, WordPress, and PHP must be kept updated
- Performance issues can also be security-related
By following these best practices, websites can remain secure, fast, and resilient against future attacks.





