Is Malware Making Your Website Slow? How to Tell for Sure
By Glenn Lyvers · Updated · 5 min read
Yes, malware is one of the most common reasons a website gets slow overnight. Cryptominers eat your CPU, spam-mailer scripts churn out email in the background, and botnets hammer your login page hard enough to exhaust a small server. If your site got slow suddenly, with no redesign, no traffic spike, and no new plugin to blame, an infection belongs on the suspect list. And it is cheap to rule out.
I get a steady stream of these cases, usually opening with the words my host sent me a CPU warning. About half turn out to be infections. The other half are ordinary growing pains wearing a scary costume. Here is how I tell the halves apart, using nothing you cannot check yourself in an afternoon.
Sudden slow is different from gradual slow
Gradual slowness is almost always ordinary: an image library nobody optimized, plugin bloat, a database that has never been cleaned, hosting that was fine three years ago. It creeps in over months.
Overnight slowness means something changed. Maybe an update went wrong, maybe your host is having a bad week, or maybe something is now running on your server that was not running last Tuesday. Before you touch a single setting, ask the timing question: when exactly did this start, and what happened that day? The calendar is diagnostic evidence, and it is free.
What malware actually does with your server
Different infections steal different resources, but they all present as slow.
Cryptominers are the bluntest. Someone parks mining code on your server and your CPU pins at 100 percent doing math for a stranger's wallet. Pages crawl, the host complains, and the graphs show flat-topped CPU plateaus at hours when nobody visits your site.
Spam mailers are quieter. An uploaded PHP script pumps out thousands of messages, your mail queue swells, and CPU spikes at odd hours. You find out when your own invoices start landing in spam folders, because by then your server's reputation is shot. If that sounds familiar, check your domain against the mail blacklists now rather than later.
Spam page generators bloat you from the inside. The infection creates thousands of junk pages, stuffs the database, and then search engine crawlers arrive to fetch 40,000 URLs you never wrote. Your database groans under content you cannot even see, and the crawl traffic alone can flatten shared hosting.
The bot traffic that is not even about you
Some of the load is not an infection at all. Every WordPress site on the internet gets visited by bots trying passwords against wp-login.php and xmlrpc.php, around the clock, whether the site is hacked or not. Your site is simply one line on a very long list.
On a healthy server this is background noise. On a small hosting plan, a determined brute-force run can consume enough resources to slow real visitors down. The fix is different from a malware cleanup: rate-limit the login page, block or restrict xmlrpc.php if nothing you use needs it, and let a firewall drop the junk before PHP wakes up to answer it.
How to check for yourself
You do not need to be technical to gather the first round of evidence. Look for these, in roughly this order:
- Your hosting control panel's resource graphs. CPU or process counts spiking at 3 a.m. when your visitors are asleep is a classic infection signature.
- The access logs. Long runs of
POST /xmlrpc.phporPOST /wp-login.phpfrom many different IPs mean brute-force traffic. Repeated requests to a PHP file insidewp-content/uploadsare worse news, because nothing legitimate runs code from the uploads folder. - A search for
site:yourdomain.comon Google. Pages you never wrote, especially in another language or about pharmaceuticals, mean a spam-page infection. - The mail queue, if your host shows it. Thousands of pending messages you did not send settles the question immediately.
Then run my free site check, which looks for the visible-from-outside signs. Ten minutes of looking usually tells you which kind of problem you have.
Or is it just your hosting?
Fairness requires the boring possibility: sometimes the server is slow because the server is slow. On shared hosting you have neighbors, and if one of them is infected or suddenly popular, everyone on the box feels it. The tell is that your own resource graphs look calm while the site still crawls. Your CPU is idle, your process count is normal, and pages still take eight seconds.
That pattern points at the host, not at you. Open a ticket and ask directly whether the server is under load from another account. Hosts will usually say so, and sometimes they will move you. Just do not stop at that answer if your own graphs are the ones spiking, because then the noisy neighbor is you.
Why a caching plugin will not fix it
When a site slows down, the reflex is to install an optimizer. If the cause is malware, caching just hides the symptom from your visitors while the server keeps burning underneath. The miner still mines. The mailer still mails, and your domain reputation keeps sinking while the homepage loads fast. Optimizing an infected site is painting over damp: the wall looks fine right up until it does not.
Speed work is real and worthwhile, but it comes after the infection question is answered, never instead of it.
The same logic applies to upgrading your hosting plan. Moving an infected site to a bigger server buys the miner more CPU to spend. I have watched owners double their hosting bill to feed an infection, twice, before anyone thought to ask what the server was actually busy doing. The upgrade felt like progress. The graphs said otherwise, and the money never came back.
If it turns out to be malware
Then it needs an actual cleanup: find the entry point, remove every planted file, clean the database, rotate the credentials, patch the hole. The slowness disappears as a side effect of the infection disappearing, which is the only order that works. My malware removal service covers the whole sequence, and my guide to hack detection indicators goes deeper on the technical evidence if you want to keep investigating first.
And if you would rather skip the archaeology and just have it handled, hand it to me. Slow sites that turn out to be infected sites are a normal Tuesday here, and the fix is a flat price, not a mystery invoice.
Common questions
Can malware really slow down a website?
Yes, and it is one of the most common causes of sudden slowness. Cryptominers consume CPU, spam-mailer scripts run constantly in the background, and spam-page infections bloat the database while drawing heavy crawler traffic. The site slows down because the server is busy doing the attacker's work instead of serving your visitors.
Why is my WordPress site suddenly slow?
Sudden is the useful word. Gradual slowness is usually bloat or aging hosting, while overnight slowness means something changed: a bad update, a hosting problem, or code that was not running before. Check when it started, look at your host's resource graphs, and rule out infection before spending money on optimization.
What is xmlrpc.php and why is it being attacked?
It is an old WordPress remote-access endpoint that predates the modern API, and attackers like it because it allows many login guesses in few requests. Most sites no longer need it. If nothing you use depends on it, blocking or restricting xmlrpc.php removes a favorite brute-force target at no cost.
How do I know if my server is mining cryptocurrency?
The signature is CPU sitting at or near 100 percent at hours with no visitor traffic, usually visible as flat plateaus in your hosting control panel graphs. Hosts often notice first and send resource warnings. Unfamiliar processes and PHP files you cannot account for complete the picture, and a cleanup confirms it.
Will a caching plugin fix a slow hacked site?
No. Caching hides the slowness from visitors while the malware keeps running underneath, so the CPU drain, the spam sending, and the reputation damage all continue. Any speed fix applied to an infected site is temporary by definition. Remove the infection first, then optimize what is left, in that order.