Across the internet, approximately 30,000 websites are hacked every single day [astra security]. When a website is hacked, it can be a shocking and bewildering experience. Many business owners wonder what on earth could motivate someone to hijack and vandalise a small website. How could hackers possibly make a profitable business in doing this?
The Business Model of Hacking
A business model outlines “how a company creates, delivers, and captures value”. Not all businesses create value, but any profitable business must at least capture value. This post explains how hackers capture and extract value from compromised websites.
Black hat SEO
Google boosts websites based on “backlinks”. Like any other website, grey market sites compete to get to the top of Google’s search results. Imagine a Russian pharmacy that sells prescription pills and ships internationally, if they want to come up when someone searches for “Buy viagra online”, they will need other websites to link to their site.
But Google not all backlinks are equal in Google’s eyes, the most potent backlinks come from websites with good reputation ( the kind that would never normally link to a Russian pharmacy). That’s where the hacker comes in – by taking over a website with good reputation, they can forcibly insert backlinks to the Russian pharmacy, artificially boosting its reputation with Google.
The hacked website will be defaced, either with links to the Russian pharmacy inserted in every few paragraphs, or having its content completely replaced with an advertisement. The advertisement may look bizare, it may leave you wondering who on earth would fall for it, but it’s not designed to convince humans. Just to convince Google that the pharmacy is reputable, and should be put at the top of its search rankings.
Spam
Site owners often find out their website has been hacked when they get a notification from their web host telling them that their website has been sending spam email. Sending spam email might seem dated but the spam ecosystem is alive and well in 2025. Spam is actually one of the primary ways that hackers make money directly. By sending 10,000 fake bank login pages, they may get one or two compromised bank accounts which can then be sold on the dark web for $1000s each.
Inboxes such as gmail will try to block spam, any server found to be sending spam will be blacklisted as a spammer. That’s why hackers need to compromise websites, a freshly compromised website often has a “clean” reputation and its emails will go straight to the inbox of unsuspecting users, who may interpret them as legitimate and fall for the scam.
Rather quickly, the hacked website’s email reputation will be destroyed and even normal emails will have problems being delivered. After recovering, the site owner may have to migrate to a different server at a minimum, and take other steps to restore their email deliverability.
Other “offerings”
There are other methods that hackers use to make money from a hacked website including:
- Drive by downloads
- Stealing client data
- Ransomware
- Hacking payment processor accounts
- Botnets
- Hacking other websites or infrastructure
But for this article I’m mostly focusing on a theme which is the core of how hackers make money from a stolen website:
Liquidating your businesses reputation
I see a strong theme emerging when it comes to hackers business models, whether they’re using your Google reputation to boost a Russian pharmacy, or using your Email reputation to send phishing emails. Hackers liquidate your online reputation, and turn it into their short term profit.
As a small business owner, I know that reputation is the most valuable asset you have. A business that has their website hacked may see their online leads dry up overnight and their business email bounce or get flagged as spam. Current clients will generally understand that this can happen, but it certainly doesn’t project an image of competence. New clients however may never reach you if you have been blacklisted by Google.
It does seem that for the damage they cause, hackers make only a pittance, and I think this is true. However, doe to the volume and the fundamental business model of scams and blackhat SEO, I don’t think that hackers are going away anytime soon.
How to cost effectively hack WordPress sites
Just like any other business, hackers look to provide their “services” as cost effectively as possible. There is little reason to spend hours targeting one individual website, when scripts can trawl the internet for websites with simple vulnerabilities.
Target known vulnerabilities in outdated themes and plugins
For better or for worse, there is a culture of disclosing security vulnerabilities in open source software like WordPress. Using tools like WordFence’s vulnerability database, and attacker can find vulnerabilities which let them compromise any website with the affected version of the plugin or theme. Once an exploit script is developed, they crawl the internet and attempt the exploit on as many websites as possible, if the website has the vulnerable plugin, it will be hacked, if the plugin has been patched, the website doesn’t use that plugin, or a WAF with up to date rules blocks the attack, no harm will be done.
Target weak admin passwords
In 2025, many administrators are guilty of still using weak or compromised passwords. The attacker crawls the internet attempting to log in to website with:
- Popular passwords.
- Public lists of top passwords found in real data breaches are published.
- Reused passwords.
- Even if the password is incredibly secure, if it has been reused between sites and one of them gets breached, it may be known to hackers.
How to cost effectively defend a WordPress site
You can spend 10,000s on specialised security audits and other defensive security measures, but you can also cost effectively defend a WordPress site by making sure you’re not an easy target:
- Update plugins/themes/core
- Install a web application firewall (WAF)
- Rate limit login attempts
- Use a strong, unique admin password (or 2FA)
- Set up monitoring
If you do all these things, you are very unlikely to be one of 30,000 sites getting hacked every day. And even if you are, you may be able to avoid damage in time to save your reputation.
What to do if your WordPress site gets hacked
If you notice that your WordPress site has been hacked, you should act as quickly as you can to protect your reputation. The first thing that I would recommend a non-technical business owner to do is to send an email to their webhost alerting them that the site has been hacked and ask them to take the site offline temporarily. Some hosts allow you to take the site offline yourself from their dashboard, and on others it can be done by modifying the .htaccess file or uploading a .maintainance file. Once the site is offline, you can breath, assess your situation and come up with a plan for kicking out the hackers and restoring your site. Please don’t hesitate to contact me directly.
From a competitor: What to do when your site gets hacked. https://wpsiteplan.com/blog/wordpress-hacked-what-to-do-and-how-to-recover/
safewp’s cost effective WordPress security offering
At safewp, we take the following measures to protect your site:
- Weekly updates
- Regular offsite backups
- Configure a quality Web Application Firewall (WordFence)
- Configure immediate virtual patching (PatchStack)
- Rate limit login attempts
- Limit spam form submissions
- Audit admin accounts and passwords
- Harden the web server and hosting
- Regular malware scans
- Constant monitoring for malware or suspicious activity
- Constant monitoring for any changes to the website.
What sets us apart from other WordPress security maintenance plans is the quality of the hardening, support, and monitoring. The truth is that even if all cost reasonable countermeasures are taken, there is still a small chance that a site can be compromised due to a 0-Day exploit or other advanced attack. We spend a lot of time and effort ensuring that our monitoring is cohesive, robust, and accurate.
On multiple occasions we’ve been able to detect that a website was completely compromised before any damage was done to the business’s reputation. We then removed the hackers, closed the breach, restored the site to security, and let the owner know that a severe incident had occurred, but was safely handled without any impact to their business. That’s the outcome we aim for, in a worst case scenario.