What Is Malvertising and How to Avoid It in WordPress

What Is Malvertising and How to Avoid It in WordPressMalvertising is a method hackers use to display adverts on websites. Such ads are harmful as they can lead your users to phishing or scam websites.

The tricky part is that the malware is hard to detect. Your site may display infected ads without you knowing.

In this guide, we will explain what malvertising is and how it works. You will also learn how this malware infects websites. Finally, we will provide tips on how to prevent malvertising attacks in WordPress.


What is Malvertising?

Simply put, malvertising is malicious advertising. It is the process of injecting malware into a legitimate online advertising network. When users click on the fake ad, the malware will redirect them to a different website. It may also install malware on their device.

Online advertising comprises ad publishers (such as a website owner), advertisers, servers, and retargeting networks all working together.

When a user clicks on an ad, multiple redirections occur between the servers and the ad platform. Attackers can use exploit kits to inject bad codes into one of the servers so that it goes to a link they specify. This makes it hard for the ad network to identify the malware.

Malvertising can perform the following when a user clicks on bad ads;

  • Automatically install malware on the user’s computer, usually through driveby download attacks.
  • Monitor your browsing activities and get access to sensitive information such as passwords.
  • Crash your system.
  • Force redirect users to a website intended by the hacker.
  • Users can also be redirected to a clone of the advertiser’s website (in the case of phishing scams).

Types of Malvertising Campaigns

There are different forms to display adverts on your website as a publisher. Hackers may pose to be legit advertisers looking to rent an ad space.

Instead of displaying legitimate ads, they inject malware into their advert codes. This malware can redirect users to scam websites.

As highlighted above, they can also infect legitimate ad networks and get them to do their bidding.

Below are the popular ad formats attackers use to distribute malware.

Content/Text Malvertising

This ad format blends with the content of the page. They are usually present as external links on your blog posts. Some WordPress blog owners accept sponsored posts on their websites. Hackers may sponsor a post on the website and include malvertising codes in their advert. If you do not review adverts on your site, you may end up publishing the post with malicious content.

Banner Malvertising

Online advertising networks use banner ads to display advertisers’ content on websites. As a publisher, you add a script from the ad network. After that, they will dynamically display the banner (polyglot image) ads on your website.

Hackers may register as advertisers on ad networks to promote their malware on publisher websites.

iFrame Malvertisement

Developers often use inline frames to display content on a website from an external source. This uses the HTML <iframe> tag. Hackers may use this format to display ads that redirect users to a phishing website.

Popup Malvertising Ads

This ad format is most often the target of malvertising attacks. The ad pops up on the page after a specified period. It uses javascript to set timeouts for the popup ads.

Attackers install the malware in the advertisers’ network (if there is a security breach on their servers). They then distribute the ad malware to publishers using the network.

Push Notification Malvertisement

Advertising networks have a push notification format that displays as a notification on the user’s device. Some of these notifications may contain misleading adverts.

So when a user clicks on the ad, the malware will redirect them to a different website. The content of the ads is usually misleading. For example, promising users free coupons or saying they won a lottery.

What is malvertising

How Malvertisements are Published on Legitimate Websites

Even legitimate websites may display malvertising ads without the owner’s knowledge. Here are a few ways hackers attack websites.

Third-party Advertising Networks

Website owners (publishers) partner with online advertising networks to display adverts on their websites.

The ad exchange platform serves as an intermediary between advertisers and publishers. Hackers may pose as legit advertisers and add their malicious code to the advertisers’ network.

There are millions of advertisers on some of these networks. Therefore, vetting all advertisements will be difficult.

If the advert passes the verification from the ad network, the code is sent out to publishers that work with the advertising network. So, the malicious ad is displayed on their websites.

Advertise Directly on the Website

Publishers may sell ad spaces on their websites to generate revenue. Attackers can use this medium to run a malvertising campaign on the target website.

The advert code may appear legit from the site owner’s perspective. However, it can contain scripts that redirect users or install malware on the user’s device.

Exploit Vulnerabilities on Web Hosts

If your hosting provider is not using a secure connection, hackers may exploit this security issue. Through your hosting server, they can send harmful scripts to your website.

The code will display malicious ads on your website. These ads can redirect users to malicious websites or install malware on their devices.

How Malvertising Affects Publishers

If users complain about misleading adverts on your WordPress site, it can ruin your brand reputation. In addition, you will lose revenue and SEO ranking.

Search engines frown at spamming websites. If your site is reported to mislead users with ads, search engines may blacklist your website.

Most advertising networks display ads dynamically from millions of advertisers. This makes it difficult to scan and remove malicious advertisements on your website. For this reason, you need to protect your WordPress site from these security threats.

Tips to Protect Your WordPress Site from Malvertising Threats

This section will explain some of the steps to protect your website from online threats.

Avoid Using Nulled Themes and Plugins

Nulled themes and plugins are the leading cause of malicious advertising in WordPress. Some attackers include scripts on nulled themes that can install malware on your website.

The malware will display advert links on your website. The hacker usually specifies the destination URL. With this, they are able to make money from your website traffic.

So avoid using nulled themes and plugins on your website. What seems to be free software, may cost you more in the future.

If you need to use a premium tool, it is best to pay for it. You may think you are getting the theme or plugin for free, but your site may suffer greater losses.

Perform Regular Software Updates

WordPress constantly rolls out updates on the software. This can be new features or bug fixes. So whenever there is an update for WordPress, ensure you install it on your website.

Also, if you fail to update your theme and plugins regularly, hackers can use them to compromise your website. When this happens, they will install malware on your WordPress site. And the malware can display malvertising content on your website.

To protect your site, you need to update your theme and plugins as soon as updates are rolled out. This ensures you have the latest version of the software. It also protects your site from cyber attacks.

Display Adverts from Trusted/Verified Networks

For bloggers who want to monetize their websites, there are many advertising networks available. Some of these networks, however, do not verify the profiles of their advertisers. Such ad networks allow attackers to register as advertisers.

Displaying ads from the infected network redirects your users to scam websites.

You should only work with online advertising networks you trust to protect your brand. Additionally, their servers should be secure.

Do well to read reviews about the online ad network you intend to partner with.

Use a Security Plugin

Security plugins are essentially software that provides real-time protection for WordPress users. If you run a business website, blog, online store, etc, your site will be a target for hackers.

Security plugins run checks on your website to detect any security issues. If there is any malware on your site, the security plugin will detect it.

You can then use the malware removal feature on your security plugin to clean up your website. We have a guide on fixing malware infection issues in WordPress.

Alternatively, you can request our Malware removal service. Our experts will scan and remove any malware on your WordPress site.

Use Secure Web Hosts

If you are using an insecure web host, your site may fall victim to malvertising. Poor web hosting providers tend to be victims of malicious attacks.

You may have opted for a cheap/unreliable web host when you launched your website. While their services may help you get started, you need to upgrade to a more secure web host.

A reliable web host will protect and speed up your WordPress website. You can check our guide for the recommended hosting for WordPress sites.

How to Protect Yourself Against Malvertising

As a website user, malvertising ads can also affect your device while browsing an infected website. The tips below will protect you from online threats.

Install an Antivirus Software

Antivirus programs are tools that protect your device from cyber-attacks. These attacks can occur when surfing the internet or transferring files from one device to another.

When you install the software, it regularly scans your device for malicious software. If found, it will prompt you to remove the malware from your device.

Install an Adblocker Software

Using ad blocker software protects your site from suspicious adverts. These are usually pop-up ads that promise to reward you for taking action.

Avoid Clicking on Spam Links

Some ads can be annoying and misleading especially when you want to download a file on a website. You should take precautions and avoid clicking on suspicious links.

Another way to protect yourself from malvertising attacks is to download software from official sites. Hackers usually add malware on nulled software. So when users install such software, the attacker can use it to access sensitive user data.

Finally, ensure you are using a secure browser on your device. This helps to improve data security while accessing web pages.

How do I Get Rid of Malvertising?

If your website is infected with malware, you may have difficulty identifying the source. Oftentimes you won’t even realize you are affected.

To restore your website, you need to identify the source of the malware. The first place to look is the ad network you work with. You can try removing all the ad codes from your website to see if the malware will disappear.

If it stops showing, then one of the ad scripts is infected. You need to remove the faulty code. We recommend recopying all the ad codes from the advertising network. Chances are your script has been tampered with by an attacker.

Another way you can resolve this issue is to use a security plugin with malware removal feature. The plugin will scan and remove any trace of malware from your WordPress site.

You may need to request professional help if the issue persists on your website.

Malvertising vs Adware

Malvertising and adware are often confused. Although both use malware, their functions differ. Malvertising uses online advertising to distribute malware on user devices. Adware on the other hand is a type of malware used to display adverts on websites. The adverts may not contain malware. However, they are not user-friendly and affect your site’s user experience.

Frequently Asked Questions

What is malvertising?

Malvertising, or malicious advertising, is a cyber threat where cybercriminals use online advertising networks to distribute malware or unwanted software through seemingly legitimate ads. These ads can appear on popular websites, including WordPress sites, and can compromise user data or site security.

How does malvertising affect WordPress sites?

Malvertising can negatively impact WordPress sites by infiltrating the site through ads and exploiting vulnerabilities in plugins or themes. This can lead to the distribution of malware to site visitors, causing performance issues, damaging the site’s reputation, and potentially leading to penalties from search engines.

What are the most common types of malvertising?

The most common types of malvertising include:

  • Exploit kits: These automatically probe for security vulnerabilities in software and deliver malware if a weakness is found.
  • Drive-by downloads: These infect users’ computers without their knowledge or consent when they visit a compromised website.
  • Rogue software: These are fake or malicious programs that trick users into installing them.

How can I protect my WordPress site from malvertising?

To protect your WordPress site from malvertising, follow these best practices:

  • Keep your WordPress core, plugins, and themes up-to-date.
  • Use reputable ad networks for displaying ads on your site.
  • Use a security plugin to scan your site for vulnerabilities and malware.
  • Enable auto-updates for your themes and plugins.
  • Implement strong access control by using strong passwords and two-factor authentication.
  • Regularly backup your site and store backups off-site.
  • Limit the use of third-party plugins and themes, and only use those from trusted sources.
  • Monitor your site traffic and analytics for any unusual activity.
  • Use a web application firewall (WAF) to protect your site from malicious traffic.

How do I remove malvertising from my WordPress site?

To remove malvertising from your WordPress site, follow these steps:

  • Scan your site for malware and vulnerabilities using a security plugin or a third-party service.
  • Update all plugins, themes, and the WordPress core to their latest versions.
  • Remove any suspicious or malicious code identified during the scanning process.
  • Change all passwords and security keys, including those for your hosting account, WordPress admin account, and FTP.
  • Restore your site from a clean backup, if necessary.
  • Implement security measures to prevent future malvertising attacks, as outlined in the previous FAQ.

How can I tell if my WordPress site has been affected by malvertising?

Some signs that your WordPress site may have been affected by malvertising include:

Unexpected ads or pop-ups appearing on your site.
A sudden decrease in site performance or loading times.
Unusual spikes in traffic or specific user behavior patterns.
Receiving reports from users about malware warnings or infections related to your site.
Search engines flagging your site as unsafe or penalizing it in rankings.

Can I report malvertising attacks?

Yes, you can report malvertising attacks to the affected ad network, web hosting provider, or security organizations like the Internet Crime Complaint Center (IC3). Reporting malvertising attacks helps raise awareness about these threats and contributes to the ongoing efforts to combat cybercrime.

Are there any tools or services available to detect and prevent malvertising?

Yes, there are several tools and services available to help detect and prevent malvertising on your WordPress site. These include:

  • Security plugins like Wordfence, Sucuri, and iThemes Security that scan your site for vulnerabilities and malware.
  • Web application firewalls (WAFs) like Cloudflare or Sucuri that protect your site from malicious traffic.
  • Ad verification services like Confiant or GeoEdge that scan ads for malicious content before they are displayed on your site.
  • Managed WordPress hosting providers that offer built-in security features and regular scanning for malware and vulnerabilities.

Can ad blockers help prevent malvertising?

Yes, ad blockers can help prevent malvertising by blocking ads from being displayed on websites. However, ad blockers may not protect against all types of malvertising, and they may also have unintended consequences, such as blocking legitimate ads and reducing revenue for website owners. It’s important to balance security concerns with the potential impact on your site’s revenue and user experience.

Is it possible to prevent all types of malvertising attacks on my WordPress site?

While it is challenging to prevent all types of malvertising attacks, following best practices and implementing strong security measures can significantly reduce the risk of your WordPress site being affected by malvertising. Regular updates, using trusted plugins and themes, and employing security tools can help you maintain a safe and secure site for your users.


You should be cautious with the networks you work with if you are using online ads as a source of revenue for your website.

Adverts can help you earn from your WordPress blog. But when your site is infected with malvertising, it affects your brand reputation.

In this guide, we described how WordPress sites can be infected by malvertising. We also shared tips to protect your site from such attacks.

For more tips on how to secure your WordPress site, please check our WordPress security guide.

 This post was written by Mesheal Fegor

Mesheal Fegor is a Web/WordPress Developer and technical writer. His WordPress help articles have been featured on Kinsta and other sites. Mesheal holds a master's degree in computer science. His writing focuses on technical WordPress issues, ranging from core WordPress problems, to issues with WooCommerce, and more.

Last edited by: FixRunner Team