How to scan your website for security vulnerabilities
Website security vulnerabilities are not just a problem for large companies. Small business sites and agency client sites get compromised regularly — often through outdated plugins, injected content, or compromised third-party scripts.
This guide covers the most common website security issues and how to detect them.
Injected malicious links
One of the most common signs of a compromised WordPress site is injected links — hidden anchor tags added to the page content that link to malicious or spam sites. These links are often invisible to casual visitors (hidden via CSS or positioned off-screen) but crawlable by search engines.
Scan your site for links to domains you do not recognize. Pay particular attention to links using suspicious TLDs like .tk, .ml, .ga, .cf, or .xyz, which are commonly used in phishing campaigns.
Hidden iframes
Hidden iframes are a classic malware delivery technique. An attacker injects an iframe with zero dimensions or display:none that loads malicious content from a remote server. Visitors do not see it, but their browsers still load and run whatever it serves.
Audit your pages for any iframes loading content from external domains you do not recognize. Legitimate iframes from YouTube, Google Maps, Stripe, or Calendly are expected — iframes from unknown domains are a red flag.
Deceptive anchor text
Anchor text deception occurs when the visible text of a link says one thing but the href points somewhere else. For example, a link that displays "PayPal" but links to an unknown domain is a phishing signal.
This pattern appears in both compromised sites (injected by attackers) and in spam content submissions. Scan for any link where the anchor text mentions a well-known brand but the destination domain does not match.
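A small checker for the three page-content signals described above: links on suspicious TLDs, hidden iframes from unrecognized domains, and brand-name anchor text that points elsewhere. This is an added example, not Lintry's code; the allowlist, the brand map, the function names and the sample markup are assumptions, and it uses only Python's standard library.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example; add the audited site's own domains as needed.
BAD_TLDS = {"tk", "ml", "ga", "cf", "xyz"}
IFRAME_OK = {"youtube.com", "google.com", "stripe.com", "calendly.com"}
BRANDS = {"paypal": "paypal.com", "stripe": "stripe.com"}  # anchor word -> real domain

def on_domain(host, domain):
    return host == domain or host.endswith("." + domain)  # exact host or true subdomain

def is_hidden(attrs):  # zero dimensions or display:none, as described above
    style = "".join((attrs.get("style") or "").lower().split())
    return "0" in (attrs.get("width"), attrs.get("height")) or "display:none" in style

class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        host = (urlparse(attrs.get("src") or attrs.get("href") or "").hostname or "").lower()
        if tag == "iframe" and host and not any(on_domain(host, d) for d in IFRAME_OK):
            self.findings.append(("hidden-iframe" if is_hidden(attrs) else "unknown-iframe", host))
        elif tag == "a" and host:
            self._href, self._text = host, ""
            if host.rsplit(".", 1)[-1] in BAD_TLDS:
                self.findings.append(("suspicious-tld", host))

    def handle_data(self, data):
        if self._href:
            self._text += data.lower()

    def handle_endtag(self, tag):
        if tag == "a" and self._href:  # link closed: compare its text to its host
            for brand, domain in BRANDS.items():
                if brand in self._text and not on_domain(self._href, domain):
                    self.findings.append(("deceptive-anchor", self._href))
            self._href = None

def audit(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; the domains are placeholders, not real indicators.
SAMPLE = ('<a href="http://paypal.com.login.example.tk/x">PayPal login</a>'
          '<iframe src="https://cdn.widgets.example/f.html" width="0" height="0"></iframe>')
```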
Google Safe Browsing
Google maintains a constantly updated database of URLs flagged as phishing, malware, or unwanted software. You can check any URL against this database via the Safe Browsing API.
If your site or any page you link to appears in the Safe Browsing database, visitors using Chrome will see a warning before the page loads. This dramatically reduces traffic and damages trust.
Redirect chains
Long redirect chains — where a URL redirects to a URL that redirects to another URL — are sometimes used to obscure the final destination of a link. A link that appears to go to a legitimate site may end up at a malicious one after several hops.
Audit outbound links for redirect chains longer than two hops, especially chains that end on a different domain than they started.
Running security scans automatically
Lintry runs security checks automatically on every scan — hidden iframes, suspicious TLDs, deceptive anchor text, and static malicious patterns. The deep scan feature adds Google Safe Browsing checks and full redirect chain analysis for all outbound links.