Ad-jacked: fake Google AdSense injected into WordPress

If your website is suddenly showing strange adverts or new ad code has appeared without your say-so, you may be dealing with ad-jacking. In this campaign, attackers inject Google AdSense scripts and quietly tweak settings so they can monetise your traffic — and sometimes even steal your own ad revenue. Here’s what’s going on, why it matters for your business, and the practical steps to fix it.

What’s going on

Cybercriminals are abusing trusted Google services to slip ads onto WordPress sites. We’ve seen injected AdSense publisher IDs and code that forces ads to load, even after a clean-up. In some cases, the ads.txt file is rewritten to keep the attacker’s ad network “authorised”. Attackers have also used click-triggered scripts that open dubious pages on the first visitor click.

This follows a wider trend of criminals hijacking legitimate platforms, such as previous cases using Google Tag Manager for skimming. It’s a reminder that “familiar” doesn’t always mean “safe”.

Why this matters to your organisation

  • Lost revenue: injected AdSense IDs divert income away from you.
  • Damaged trust & conversions: intrusive or irrelevant ads frustrate customers and increase bounce rates.
  • SEO risk: search engines can penalise sites serving low-quality or malicious content.
  • Wider compromise: injected code can be a foothold for further malware or data theft.

How to spot the problem

  • Unexpected banner or in-content ads that don’t match your usual placements.
  • New or altered ads.txt entries you didn’t approve.
  • Unknown AdSense publisher IDs (e.g. unfamiliar ca-pub-XXXXXXXXXXXXX values) in your theme, plugins or database.
  • Strange behaviour on first click (e.g. a new tab opening to an unfamiliar domain).
  • Security scans flagging malicious or blocklisted domains linked to ads.

Where the malware hides

The campaign uses multiple hiding places to survive partial clean-ups:

  • Theme files — especially functions.php, sometimes used to recreate a “cleaned” ads.txt with the attacker’s details.
  • Must-use (mu-plugins) and regular plugin directories — quietly loading ad scripts on every request.
  • Database — injected AdSense snippets stored in wp_options (for example via header/footer injector options) so ads return even if files are replaced.
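One way to check these hiding places for unknown publisher IDs, as an added example rather than code from this article or from Sucuri's research: the script walks a copy of the site (plus a text export of wp_options) and reports every AdSense publisher ID that is not on your own allowlist. The function names, the sample tree and all IDs are constructed for illustration, and it assumes publisher IDs are 16 digits.

```python
import re
import tempfile
from pathlib import Path

# Matches the script form (ca-pub-<digits>) and the ads.txt form (pub-<digits>).
# Assumption: publisher IDs are 16 digits.
PUB_ID = re.compile(r"\bpub-(\d{16})\b")
SCAN_SUFFIXES = {".php", ".js", ".html", ".txt", ".sql"}

def find_unknown_publisher_ids(root, allowed_ids):
    """Return (relative_path, line_no, publisher_id) for every ID not in allowed_ids."""
    root = Path(root)
    allowed = {m.group(1) for i in allowed_ids for m in PUB_ID.finditer(i)}
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in PUB_ID.finditer(line):
                if match.group(1) not in allowed:
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, line_no, "pub-" + match.group(1)))
    return findings

def build_sample_site(root):
    """Write a constructed WordPress-like tree; every ID below is made up."""
    own, other = "1111111111111111", "9999999999999999"
    files = {
        "ads.txt": f"google.com, pub-{own}, DIRECT, f08c47fec0942fa0\n"
                   f"google.com, pub-{other}, DIRECT, f08c47fec0942fa0\n",
        "wp-content/themes/example/functions.php":
            f"<?php\n// constructed sample\n$line = 'google.com, pub-{other}, DIRECT';\n",
        "wp-content/mu-plugins/loader.php":
            f"<?php\n$client = 'ca-pub-{other}';\n",
        "wp_options_export.sql":
            f"INSERT INTO wp_options VALUES (1, 'footer_code', 'ca-pub-{other}');\n",
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for hit in find_unknown_publisher_ids(tmp, ["ca-pub-1111111111111111"]):
            print("%s:%d unknown %s" % hit)
```

Run it against a downloaded copy of the site rather than the live server, and pass every publisher ID you legitimately use so that only unexpected ones are reported.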

How it typically gets in

  • Compromised admin accounts through weak or reused passwords and missing two-factor authentication.
  • Outdated or vulnerable plugins/themes that expose security holes.
  • Over-permissive file permissions allowing unauthorised edits.

Immediate actions to take

  1. Scan your site using a reputable scanner (e.g. Sucuri SiteCheck) to identify malware and blocklisted domains.
  2. Remove malicious code from:
    • header.php and functions.php in your active theme;
    • mu-plugins and other plugin folders;
    • wp_options (search for unfamiliar header/footer injections and unknown AdSense IDs).
  3. Restore a clean ads.txt and lock it down so it can’t be silently overwritten.
  4. Update WordPress core, plugins and themes to the latest secure versions.
  5. Rotate all passwords (WordPress admins, hosting, SFTP/SSH, database) and enable 2FA.
  6. Harden file permissions to prevent unauthorised changes.
  7. Enable a Web Application Firewall (WAF) to block malicious requests before they reach WordPress.

Prevention and ongoing protection

  • Managed updates & maintenance: keep your stack current to close known holes quickly.
  • Security monitoring: continuous scans and integrity checks to catch changes early.
  • Principle of least privilege: restrict admin access and use separate accounts.
  • Backups & recovery drills: frequent, off-site backups with tested restores to reduce downtime.
  • WAF rules & geo/rate controls: tighten traffic from high-risk sources and throttle suspicious activity.

Plain-English recap

Ad-jacking is about criminals turning your website into their billboard. They add or replace AdSense code, sometimes rewrite ads.txt, and hide the changes across files and the database to keep the money flowing. The fix is straightforward but detailed: find and remove the injections, patch software, harden access, and put a protective layer in front of your site.

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

Let’s protect your traffic, revenue and reputation. Email [email protected] or call 01952 883 526.

Based on research by Sucuri. Read the original analysis on the Sucuri blog: Ad-Jacked: Cybercriminals Inject Google AdSense into WordPress.