WordPress Ad Fraud Scheme Sends 1.4 Billion Fake Ad Requests Per Day, Putting PPC Budgets At Risk

Abisola Tanzako | Jan 12, 2026

A large-scale ad fraud operation has been found hijacking vulnerable WordPress sites and generating around 1.4 billion ad requests every day, according to researchers who tracked the activity for months. For PPC advertisers, that volume of invalid traffic can quietly distort performance data, drain budgets and make it harder to scale profitable campaigns across Google Ads, Meta Ads and Microsoft Ads.

How the WordPress ad fraud operation works

The operation relies on compromised WordPress installations. Attackers exploit weak plugins and outdated software to gain access, then inject scripts that load hidden ad slots and generate automated ad requests in the background.

Instead of human visitors actually viewing ads, infected pages trigger requests that look like legitimate display or video impressions. In some cases, the hijacked sites are loaded within invisible iframes or redirected through chains of domains so the final ad call appears to come from a seemingly normal publisher environment.

From an ad platform’s perspective, the traffic can initially appear valid: there is a URL, a device, a browser and a user agent. But the behavior is synthetic, with no real user intent behind the impressions or clicks.

Key findings from the investigation

Researchers monitoring the operation highlighted several headline metrics and tactics that matter for advertisers and agencies:

  • Scale of activity: roughly 1.4 billion ad requests are generated per day, with traffic distributed across a large number of compromised WordPress sites.
  • Use of legitimate infrastructure: hijacked domains are real websites, which helps the fraud blend into normal programmatic supply.
  • Obfuscation techniques: the operation uses multiple redirect hops and script injections to conceal the original source of the traffic.
  • Cross-environment impact: the fake ad requests can hit multiple ad exchanges and SSPs, reaching campaigns that run across different programmatic platforms.
  • Persistence: compromised sites can stay infected for long periods if owners are unaware of the intrusion or slow to update vulnerable plugins.

For performance marketers, this combination of scale, realism and persistence makes the operation particularly damaging. The fraud is not limited to one niche network; it can contaminate campaigns that otherwise look well targeted.

Why this matters for PPC and performance marketers

While the scheme focuses on ad requests and impressions, its impact spills into PPC performance in several ways. Invalid impressions feed into audience lists, remarketing pools and algorithmic bidding signals. If you are retargeting users who supposedly saw your display ads, and a portion of those impressions were fake, your remarketing campaigns can be built on polluted data.

Automated bidding strategies that optimize for conversions or target CPA also rely on historical data about where conversions appeared to originate. When fraud operations like this flood reporting with non-human interactions, bidding models may shift spend toward placements, geos or audiences that are actually driven by fake traffic.

That leads to classic PPC symptoms: rising CPAs, dropping conversion rates, unexplained spikes in impressions and odd placement reports that are hard to replicate in controlled tests.

Ready to protect your ad campaigns from click fraud?

Start your free 7-day trial and see how ClickPatrol can save your ad budget.

How hijacked WordPress sites distort traffic quality

Because the operation abuses real websites, it can evade simple blacklist-based protection. A publisher might have a long history of clean traffic, then suddenly begin sending fraudulent ad requests after a plugin vulnerability is exploited. Blocking only on domain reputation is no longer sufficient.

Fraudsters also rotate through many compromised domains, so patterns shift quickly. You might see a surge of impressions from one group of sites one week and a completely different set the next, even though the infrastructure behind the scheme is the same.

From ClickPatrol’s perspective, the more important signals are behavioral. Invalid sessions generated by these schemes often share characteristics such as unnatural scroll depth patterns, impossible time-on-site distributions or repeated short bursts of clicks and views from the same environment. These are the types of indicators we monitor per click to separate genuine users from automated traffic.

Red flags advertisers should monitor

PPC specialists should not rely solely on platform fraud filters. There are several practical red flags that can help you spot spillover from WordPress hijack schemes and similar operations:

  • Sudden spikes in impressions or clicks from previously unseen placements or publisher domains.
  • Sessions with extremely low engagement metrics compared to your baseline, such as near-zero scroll or instant bounces despite high click volumes.
  • Clusters of traffic from specific regions or ISPs that do not match your target customer profile.
  • Large gaps between reported clicks and on-site tracked events, such as pageviews, add-to-carts or lead form starts.
  • Unusual patterns in remarketing audiences, for example explosive growth in a short period without matching conversion growth.

When these symptoms appear together, the underlying issue is often systematic invalid traffic, not just a bad creative or weak landing page.
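
The red flags above carry the most weight when several show up on the same placement at once. The following Python is an added example, not ClickPatrol's detection logic or code from the original article; the row schema, thresholds and sample rows are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Placement:            # one row per publisher domain (hypothetical schema)
    domain: str
    clicks_prev: int        # platform-reported clicks, previous period
    clicks_now: int         # platform-reported clicks, current period
    landings: int           # server-side landing pageviews, current period
    median_scroll: float    # median scroll depth, 0..1
    bounce_rate: float      # share of single-event sessions, 0..1

# Assumed thresholds for illustration; derive real ones from your own baseline.
MIN_CLICKS = 50             # below this, a placement is too small to judge
SPIKE_FACTOR = 5.0          # growth in clicks versus the previous period
MAX_CLICK_GAP = 0.40        # share of paid clicks with no landing event
SCROLL_RATIO = 0.25         # median scroll under 25% of account baseline
BOUNCE_MARGIN = 0.30        # bounce rate this far above account baseline

def red_flags(p, base_scroll, base_bounce):
    flags = []
    if p.clicks_now >= MIN_CLICKS and p.clicks_now > SPIKE_FACTOR * max(p.clicks_prev, 1):
        flags.append("spike" if p.clicks_prev else "new_placement_spike")
    if p.clicks_now:
        gap = 1 - min(p.landings, p.clicks_now) / p.clicks_now
        if gap > MAX_CLICK_GAP:
            flags.append("click_gap")
    if (p.median_scroll < SCROLL_RATIO * base_scroll
            or p.bounce_rate > base_bounce + BOUNCE_MARGIN):
        flags.append("low_engagement")
    return flags

def review(placements, base_scroll, base_bounce, min_flags=2):
    """Return {domain: flags} where several symptoms appear together."""
    flagged = {}
    for p in placements:
        if p.clicks_now < MIN_CLICKS:
            continue
        flags = red_flags(p, base_scroll, base_bounce)
        if len(flags) >= min_flags:
            flagged[p.domain] = flags
    return flagged

# Constructed sample rows; .example domains are placeholders.
SAMPLE = [
    Placement("news.example", 400, 430, 395, 0.55, 0.42),   # steady, clean
    Placement("blog-a.example", 0, 900, 210, 0.03, 0.97),   # new, hollow traffic
    Placement("shop.example", 120, 700, 640, 0.48, 0.45),   # spike only
    Placement("tiny.example", 0, 12, 2, 0.0, 1.0),          # too small to judge
]
```

Calling `review(SAMPLE, base_scroll=0.50, base_bounce=0.45)` flags only `blog-a.example`; a spike on its own, as on `shop.example`, is left for manual review because real promotions produce the same pattern.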

Impact on measurement, attribution and bidding

A fraud scheme pushing 1.4 billion ad requests per day does not just waste impression spend. It quietly undermines measurement and attribution across your whole funnel.

Attribution models may assign credit to display impressions that never had a real viewer. That can make some channels or campaigns look stronger on assisted conversions than they truly are, shifting budget away from genuinely effective traffic sources.

Similarly, when click fraud rides on top of these ad request patterns, cost-per-click metrics stop reflecting real user intent. You pay for activity that can never convert, while algorithms continue to bias toward those placements based on distorted conversion logs.

For agencies managing multiple accounts, this becomes a compounded risk. A single fraud operation can touch many clients at once, especially when campaigns share similar targeting across the open web.

How ClickPatrol helps protect PPC budgets

At ClickPatrol, we approach this type of threat by examining each click and session through multiple behavioral and technical signals rather than trusting surface-level attributes like domain name or user agent alone.

When our systems detect patterns aligned with hijacked-site schemes, such as highly repetitive behavior, impossible engagement metrics or suspicious device and network characteristics, we mark the traffic as invalid. From there, we can automatically block further clicks from the same source and feed exclusion data back into platforms like Google Ads, Meta Ads and Microsoft Ads.

The benefit for advertisers is twofold. First, you stop paying for fake clicks and interactions, directly reducing wasted spend. Second, you clean your analytics and bidding signals so decisions are based on real users, not automated traffic hiding behind compromised WordPress sites.

For performance marketers who want to validate the quality of their current campaigns, you can start a free trial of ClickPatrol or speak with our team to review suspicious traffic segments and assess how much of your budget is exposed to operations like this.

Practical steps for advertisers and agencies

Based on what we see in this hijacking campaign and similar operations, advertisers should combine platform hygiene, site monitoring and independent fraud protection. Practical steps include:

  • Review placement reports regularly and exclude low-quality or suspicious sites, especially those with sudden spikes in volume.
  • Coordinate with clients or internal web teams to keep WordPress installations updated, removing unused plugins and patching known vulnerabilities.
  • Segment campaigns so you can compare performance and traffic quality between different inventory types or exchanges instead of bundling everything together.
  • Compare platform-reported clicks with server-side or analytics events to identify large discrepancies.
  • Use a dedicated click fraud protection tool like ClickPatrol to monitor every click in real time and automatically block repeated or non-human interactions.

Fraud operations exploiting WordPress are not going away. Their ability to harness large numbers of legitimate domains means they can keep contaminating ad inventory even as individual sites are cleaned up.

For PPC teams, the response has to be equally continuous: keep traffic quality under active review, treat performance anomalies with suspicion and rely on independent verification rather than trusting headline metrics alone.

Frequently Asked Questions

  • What exactly is the WordPress ad fraud operation that was discovered?

    Researchers uncovered a large scheme where attackers compromise vulnerable WordPress sites, inject scripts and use those sites to generate roughly 1.4 billion automated ad requests per day. The ad calls look like they come from normal publishers, but there is no real user viewing the ads, so the activity is invalid from a performance standpoint.

  • How can this WordPress ad fraud affect my PPC campaigns and budgets?

    Even if you focus on pay-per-click, this type of fraud can skew your data and budgets in several ways. Fake impressions can feed remarketing lists and influence automated bidding, while associated clicks from the same environments drain spend without producing conversions. Over time you may see higher CPAs, lower conversion rates and algorithms favoring placements that look good on paper but are driven by non-human traffic.

  • What signs in my reports might indicate my ads are exposed to this WordPress hijacking scheme?

    Common signs include sudden spikes in impressions or clicks from unfamiliar domains, very low engagement on site compared with your usual benchmarks, high discrepancies between platform click totals and analytics sessions, and fast growth in remarketing audiences without a matching rise in sales or leads. If several of these appear together, your ads may be hitting traffic from compromised sites.

  • How can ClickPatrol help protect against this specific type of invalid traffic?

    ClickPatrol examines each click and session using multiple behavioral and technical signals, rather than relying only on domain reputation. When our systems see patterns that match hijacked WordPress traffic, such as repetitive behavior, abnormal engagement or suspicious device and network combinations, we classify those interactions as invalid and block further clicks from the same source. This helps you avoid wasted spend and keep your performance data focused on real users.

  • What immediate steps should agencies take after learning about this WordPress ad fraud operation?

    Agencies should review recent placement and publisher reports, exclude clearly suspicious sites, and check for large gaps between reported clicks and on-site events for all affected campaigns. It is sensible to segment traffic sources so you can isolate low-quality segments, and to use an independent tool like ClickPatrol to validate traffic quality across all clients. Having that extra layer of protection lowers the risk that a single fraud scheme will silently drain multiple accounts.

Abisola

Meet Abisola! As the content manager at ClickPatrol, she’s the go-to expert on all things fake traffic. From bot clicks to ad fraud, Abisola knows how to spot, stop, and educate others about the sneaky tactics that inflate numbers but don’t bring real results.