How Many Websites Are Hacked Right Now — And Why Most Owners Never Know
Most website owners believe they would know immediately if their site were hacked. A defaced homepage, a server going down, an angry client calling. The reality is very different. The most common attacks today are specifically designed to be invisible: to the owner, to the hosting provider, and often even to the visitors. The only one that sees something is Google.
This article breaks down the real numbers — how many sites are compromised at any given moment, how long it takes before anyone notices, and why the damage to search rankings is often already done by the time the owner finds out.
1. The scale of the target: WordPress and the web
To understand the scope of website compromises, you first need to understand how concentrated the web really is. According to W3Techs, WordPress powers 42.2% of all websites on the internet as of 2026 — and holds 59.6% of the entire CMS market.
That concentration is a double-edged sword. WordPress is not inherently insecure, but its ubiquity makes it the single most attractive target for automated attacks. Attackers build tools that scan millions of sites per day looking for a known vulnerability in one popular plugin. They don't need to target anyone specifically — they cast the widest possible net.
The numbers bear this out: Sucuri's SiteCheck Malware Trends Report 2024, based on over 70 million website scans throughout the year, detected 1,176,701 infected websites — with WordPress remaining the dominant target by a wide margin.
2. How many sites are compromised right now?
This is the question no one can answer precisely — and that's part of the problem. Remote scanners can only detect what is visible from the outside. Server-side backdoors, injected database entries, and cloaked content served only to specific crawlers are all invisible to standard monitoring.
With that caveat in mind, Sucuri's SiteCheck scanner performed 70.8 million scans in 2024 and detected 1,176,701 infected websites — an infection rate of 1.66%, up from 1.15% the previous year. That is the floor, not the ceiling. Given that WordPress alone powers hundreds of millions of websites, even this conservative figure represents millions of actively compromised sites at any given time.
Google's own Safe Browsing Transparency Report reinforces this: Google scans billions of URLs per day and identifies thousands of newly unsafe sites every single day — many of which are legitimate websites that have been compromised, not sites intentionally set up for malicious purposes.
3. Why most owners never notice
The assumption that "I would know if I were hacked" is one of the most dangerous misconceptions in web security. Modern attacks are not designed to be destructive — they are designed to be profitable and persistent, which requires staying completely invisible to the site owner.
According to the IBM Cost of a Data Breach Report 2023, the average time to identify a security breach is 204 days — nearly seven months. And that figure covers organizations with dedicated security teams. For a freelancer managing 15 client websites, or a small business owner running a single WordPress site, the number is almost certainly higher.
How do attackers stay hidden for so long? The answer lies in how they design their attacks.
- The site looks normal to visitors. Malicious content is served selectively — only to search engine crawlers, only from specific referrers, or only on the first visit from a given IP.
- No performance degradation. Most SEO spam injections and cloaking scripts have negligible impact on load time, so the owner never receives a performance complaint.
- No client complaints. If visitors always see the correct content, no one calls to report a problem. The attack is transparent to everyone except the crawler.
- Backdoors survive cleanup attempts. Sucuri found that 49.21% of compromised websites had at least one backdoor at the time of infection — mechanisms that allow attackers to silently regain access even after partial remediation.
4. What attackers actually do on a compromised site
The most common payload is not ransomware or data theft — it is SEO spam. Sucuri's 2023 data shows that 20.30% of all remediated sites had SEO spam, and 42.22% of sites scanned remotely had at least one form of it detected. Attackers inject thousands of doorway pages into a site, exploit its existing domain authority, and redirect search traffic to gambling sites, counterfeit drug vendors, and phishing pages.
The most persistent variant is the Japanese keyword hack — found on 10.07% of all infected websites cleaned by Sucuri in 2023, making it the single most common malware type that year. In the same period, SiteCheck scanners identified Japanese SEO spam on a further 157,723 sites via remote scans alone.
What makes this particularly destructive is the use of cloaking: the malicious pages and content are served only to Googlebot, not to real visitors. The site owner loads their homepage and sees everything normal. Google's crawler loads the same URL and sees thousands of spam links or Japanese pharmaceutical pages.
This is not a technical edge case. It is the standard operating procedure for the most common attacks affecting WordPress sites today.
5. What happens when Google finds out before you do
Google does not wait for the site owner to notice. When its crawlers detect cloaking, injected spam, or malicious redirects, it acts on its own timeline — and the consequences arrive with no warning.
- Manual penalties. Google's Search Quality team can issue a manual action that removes the site from search results entirely, or suppresses specific pages. The notification arrives in Search Console — which most clients never check.
- Algorithmic demotion. Even without a manual action, Google may algorithmically reduce the site's ranking if it detects spam signals, cloaking behavior, or sudden content changes.
- Safe Browsing warnings. If the site is flagged for distributing malware or phishing content, Chrome and other browsers will show a full-page warning before visitors can access it. This effectively kills all traffic instantly.
- De-indexation of compromised pages. Injected doorway pages may be indexed under the legitimate domain for months before Google acts — but when it does, the collateral damage can affect legitimate pages too.
The business impact is direct. Organic traffic disappears. The client calls the freelancer who built the site. By that point, the attack has been running silently for months.
6. The specific risk for freelancers and small agencies
If you manage websites for clients — even a small portfolio of 5 to 30 sites — the risk multiplies with every site you add. Each site is a separate attack surface. Each one can be compromised independently. And none of them will tell you they have been hacked.
Sucuri's 2024 data found that the Balada Injector campaign alone recorded 149,351 detections, systematically targeting vulnerabilities in popular WordPress plugins. For a freelancer managing multiple client sites, keeping every plugin, theme, and core installation updated across the entire portfolio is a maintenance burden that often slips — especially for sites that are "finished" and no longer in active development.
The problem is not negligence. It is scale. Manual monitoring does not scale past a handful of sites. Logging into each dashboard to check for changes, running manual crawls to compare what Google sees vs what visitors see, reviewing server logs for suspicious patterns — none of this is sustainable when multiplied across a full client portfolio.
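The server-log review mentioned above is one of the few checks that works even when the injected pages are served only to crawlers, because the crawler's requests still land in the access log. The following is an added example, not CloakScan's code or anything from the article: it parses combined-format access log lines and flags URLs that Googlebot fetches successfully (HTTP 200) although they are not in the site's published URL set, which is the footprint of injected doorway pages. The known-path list, the sample log lines and the `/shop/...` paths are constructed for illustration. A second check, `cloaked_paths`, reports paths that return 200 to Googlebot but never to anyone else, which is the access-log view of the cloaking described in sections 3 and 4.

```python
"""Access-log triage for injected doorway pages (added example, not CloakScan's code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical published URL set; in practice build it from the sitemap or the CMS.
KNOWN_PATHS = {"/", "/menu", "/contact", "/about", "/robots.txt", "/sitemap.xml"}

GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"

# Constructed sample log: legitimate hits plus Googlebot pulling /shop/ pages
# the site never published; a visitor asking for one of them gets a 404.
SAMPLE_LOG = "\n".join([
    f'66.249.66.1 - - [10/Mar/2025:08:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [10/Mar/2025:08:01:03 +0000] "GET /menu HTTP/1.1" 200 4310 "-" "{GOOGLEBOT}"',
    f'203.0.113.7 - - [10/Mar/2025:08:02:10 +0000] "GET /menu HTTP/1.1" 200 4310 "-" "{CHROME}"',
    f'66.249.66.1 - - [10/Mar/2025:08:03:01 +0000] "GET /shop/cheap-rolex-118833/ HTTP/1.1" 200 9021 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [10/Mar/2025:08:03:02 +0000] "GET /shop/brand-bag-2201/ HTTP/1.1" 200 8870 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [10/Mar/2025:08:03:03 +0000] "GET /shop/outlet-sneakers-77/ HTTP/1.1" 200 9104 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [10/Mar/2025:09:15:44 +0000] "GET /shop/cheap-rolex-118833/ HTTP/1.1" 200 9021 "-" "{GOOGLEBOT}"',
    f'66.249.66.1 - - [10/Mar/2025:09:16:00 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "{GOOGLEBOT}"',
    f'203.0.113.7 - - [10/Mar/2025:09:20:05 +0000] "GET /shop/cheap-rolex-118833/ HTTP/1.1" 404 312 "-" "{CHROME}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = urlsplit(e["target"]).path
            entries.append(e)
    return entries


def is_googlebot(ua):
    # User-Agent strings can be spoofed; Google publishes a reverse-DNS
    # procedure for confirming real Googlebot traffic, which an offline
    # example cannot perform.
    return "Googlebot" in ua


def unknown_googlebot_pages(entries, known_paths):
    """Count Googlebot requests that got 200 for paths the site never published."""
    hits = Counter()
    for e in entries:
        if is_googlebot(e["ua"]) and e["status"] == 200 and e["path"] not in known_paths:
            hits[e["path"]] += 1
    return hits


def cloaked_paths(entries):
    """Paths that return 200 to Googlebot but never 200 to other clients."""
    bot_ok, other_ok, other_seen = set(), set(), set()
    for e in entries:
        if is_googlebot(e["ua"]):
            if e["status"] == 200:
                bot_ok.add(e["path"])
        else:
            other_seen.add(e["path"])
            if e["status"] == 200:
                other_ok.add(e["path"])
    return (bot_ok & other_seen) - other_ok


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for path, n in unknown_googlebot_pages(entries, KNOWN_PATHS).most_common():
        print(f"{n:4d}  {path}")
    print("cloaked:", cloaked_paths(entries))
```

Run it against a real log with `parse_log(open("access.log").read())` and a `KNOWN_PATHS` built from the sitemap. A single unknown URL is noise (old links, typos); dozens of unknown paths that Googlebot fetches successfully, or any path that answers 200 to the crawler and 404 to a browser, is the pattern worth investigating.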
7. The detection gap: what you need to catch what's invisible
The core challenge with cloaking-based attacks is that standard monitoring tools are blind to them. Uptime monitors check whether the site returns a 200 status — it does. Visual screenshot tools capture what a browser renders to a normal visitor — which looks fine. Security plugins scan files on the server — but cloaking logic is often injected into the database, or loaded conditionally based on the request's User-Agent header.
The only reliable detection method is to crawl the site as Googlebot does — and compare the result to what a normal visitor receives. If the two responses differ significantly in content, links, or redirects, a cloaking attack is the most likely explanation.
This is exactly the technique CloakScan automates: a dual crawl on every monitored URL, comparing normal browser behavior against Googlebot behavior, running on a schedule so you are alerted the moment a discrepancy appears — not months later when the ranking damage is already done.
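The dual crawl described in this section, as an added example that is not CloakScan's code or anything from the article: the same URL is fetched once with a browser User-Agent and once with Googlebot's, each response is reduced to its final URL, status, link targets and visible text, and the two are diffed. The user-agent strings, the similarity and link-count thresholds, and the two sample pages are assumptions chosen for illustration.

```python
"""Dual-crawl cloaking check (added example, not CloakScan's code)."""
import difflib
import re
import urllib.request
from dataclasses import dataclass, field
from html.parser import HTMLParser

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


@dataclass
class Snapshot:
    """One crawl of a URL, reduced to the parts that cloaking changes."""
    final_url: str
    status: int
    links: set = field(default_factory=set)
    text: str = ""


class _Extractor(HTMLParser):
    """Collects href targets and visible text; script and style bodies are skipped."""
    def __init__(self):
        super().__init__()
        self.links, self.parts, self._skip = set(), [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def parse_snapshot(html, final_url="", status=200):
    p = _Extractor()
    p.feed(html)
    text = re.sub(r"\s+", " ", " ".join(p.parts)).strip()
    return Snapshot(final_url, status, p.links, text)


def fetch(url, user_agent):
    """Live fetch; redirects are followed, so final_url records where we ended up."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return parse_snapshot(body, resp.geturl(), resp.status)


def compare(visitor, bot, min_similarity=0.9, max_extra_links=10):
    """Return (kind, detail) findings wherever the Googlebot view diverges."""
    findings = []
    if visitor.final_url != bot.final_url:
        findings.append(("redirect", f"visitor -> {visitor.final_url}, bot -> {bot.final_url}"))
    if visitor.status != bot.status:
        findings.append(("status", f"visitor {visitor.status}, bot {bot.status}"))
    extra = bot.links - visitor.links
    if len(extra) > max_extra_links:
        findings.append(("links", f"{len(extra)} links served only to Googlebot"))
    sim = difflib.SequenceMatcher(None, visitor.text, bot.text, autojunk=False).ratio()
    if sim < min_similarity:
        findings.append(("text", f"visible text similarity {sim:.2f}"))
    return findings


def check_url(url):
    """Crawl once as a browser and once as Googlebot, then diff the two."""
    return compare(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample pages: what a visitor gets, and the same page with a
# hidden block of injected links that a cloaked site hands only to Googlebot.
VISITOR_HTML = """<html><head><title>Acme Bakery</title></head><body>
<h1>Acme Bakery</h1><p>Fresh bread baked daily in Springfield.</p>
<a href="/menu">Menu</a> <a href="/contact">Contact</a></body></html>"""
SPAM_BLOCK = "".join(
    f'<a href="/shop/discount-watch-{i}/">discount watch {i}</a> ' for i in range(12))
BOT_HTML = VISITOR_HTML.replace(
    "</body>", f'<div style="display:none">{SPAM_BLOCK}</div></body>')


def demo():
    visitor = parse_snapshot(VISITOR_HTML, "https://example.com/")
    bot = parse_snapshot(BOT_HTML, "https://example.com/")
    return compare(visitor, bot)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"[{kind}] {detail}")
```

`check_url("https://your-site.example/")` runs the live comparison. One caveat follows directly from section 3: cloaking scripts may key on the requesting IP or referrer rather than the User-Agent, so a clean diff from your own machine is evidence, not proof, and the check is most useful when run on a schedule and alongside the Search Console and server-log signals discussed above.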
Key facts summary
- WordPress powers 42.2% of all websites (W3Techs, 2026)
- 95.5% of CMS-based infections involve WordPress (Sucuri 2024)
- 1,176,701 infected sites detected in 70.8M scans — infection rate 1.66%, up from 1.15% in 2023 (Sucuri 2024)
- 422,741 sites compromised with SEO spam (Sucuri 2024)
- 117,393 detections of Japanese SEO spam alone (Sucuri 2024)
- Average time to identify a breach: 204 days (IBM Cost of a Data Breach Report, 2023)
- Google Safe Browsing flags thousands of newly unsafe sites every day, many of them legitimate compromised sites (Google Transparency Report)
Sources: W3Techs · Sucuri SiteCheck Malware Trends Report 2024 · IBM Cost of a Data Breach Report 2023 · Google Safe Browsing Transparency Report
Is your site showing different content to Google?
CloakScan compares what Googlebot sees vs what real visitors see. Paste your URL and get a free scan in seconds — no account required.