Traffic spikes can come from bots or tracking errors, yet repeated login hits, strange POST requests, and new admin changes can signal a real security problem.
You open your dashboard and the graph shoots up. Sessions jump, bounce rate swings, conversions dip, and your site feels slower. It’s normal to wonder if someone got in.
Unusual traffic is a symptom, not a verdict. A crawler can look scary. A broken tag can fake a surge. A promo link can bring a real wave. A breach is possible too, so the job is to sort the cause fast, then act with proof.
What Counts As Unusual Traffic
“Unusual” means it breaks your baseline: the who, where, and how of visits shifts in a way you don’t see on normal days. Look for patterns across two places, not one screenshot.
Signals You Can Spot In Analytics
- One page pulling a huge share of visits, often login, search, or checkout
- Sessions from a new country or a single city that never shows up
- Odd device mix, like near-all desktop on a mobile-heavy site
- Referrers that look like spam domains, shorteners, or empty “direct” floods
- Perfectly timed bursts each minute
Signals You Can Spot In Logs And Dashboards
- 401/403 spikes on login routes
- 404 floods on weird paths like /.env, /.git, or random plugin files
- Many POST requests to forms, APIs, or password reset endpoints
- Cache misses rising while origin CPU and database load climb
- Outbound email bursts or unknown outbound connections from the host
Fast Checks That Rule Out False Alarms
Run these before you assume the worst. They catch the common “it looks hacked” moments.
Compare Analytics To Raw Requests
Pick the spike window and compare analytics sessions to server requests. If analytics jumps and logs do not, the issue often sits in tracking: duplicate tags, a looping script, or a reporting delay.
Scan Recent Changes
List changes from the last three days: plugin updates, theme edits, DNS changes, CDN rule edits, new campaigns, new endpoints. A lot of “mystery traffic” starts with one deployment.
Check Error Rate And Resource Load
If 5xx errors climb, latency grows, or the database heats up, treat it as a live incident. If errors stay flat and origin load is steady, the surge may be cached bot hits or measurement noise.
Does Unusual Traffic Mean Hacked? A Simple Triage Flow
This flow keeps you from guessing. You’re trying to answer two questions: is the traffic real, and is it trying to change anything?
- Is it hitting your origin? Check CDN/WAF dashboards and origin logs. A big edge spike with low origin load often points to bots scraping public pages.
- Is it touching sensitive routes? Login, admin, checkout, password reset, search, and APIs.
- Is it failing auth? Lots of 401/403 with repeating usernames and tight timing points to credential stuffing.
- Is it changing state? POST requests, file uploads, new users, settings edits, new scheduled tasks. That’s where breaches show up.
When Unusual Traffic Can Signal A Hack Attempt
A hack attempt is often a probe. Attackers scan for weak plugins, guess passwords, and try known paths. These patterns raise the risk level:
Login Pressure And Credential Stuffing
Look for a surge of login requests with rotating IPs and repeated usernames. Attackers reuse leaked credentials and spray them across sites. Even without a successful login, the traffic can drive load and lock users out.
Probe Scans For Known Files And Folders
Request bursts to common files are a classic scan. You may see hits to WordPress endpoints like /wp-login.php and /xmlrpc.php, or generic probes like /.env and /admin. The goal is to find one weak spot.
Suspicious POST Requests
High POST rates to forms or APIs can be spam, injection probes, or brute force on endpoints that write to the database. If you run a WAF, review which rules fired and on which routes.
Clear Warnings From Search Or Browsers
If browsers show malware warnings or Google surfaces a security warning for your site, treat it as a top-priority cleanup. Google’s own response order is practical: isolate, remove injected content, close the entry point, then request review. Google’s hacked site cleanup steps cover that sequence.
Table: Traffic Spike Patterns And The First Check To Run
Use this table to map what you see to the check that narrows it down.
| Pattern You See | Often Points To | First Check |
|---|---|---|
| Sessions jump, logs stay normal | Tracking duplication or reporting delay | Compare analytics to access logs for the same window |
| Spike in GET requests, flat CPU, high cache hits | Public-page bots or crawlers | Edge logs: top user agents and cache hit ratio |
| Bursts each minute on the dot | Scripted bot runs | Top IPs/ASNs and identical request paths |
| 401/403 surge on login routes | Credential stuffing | Attempt cadence, top usernames, IP rotation |
| 404 floods on strange paths | Vulnerability scanning | Requested path list and user agents |
| High POST rate to forms or APIs | Spam, abuse, injection probes | WAF events and rate-limit counters by route |
| Origin load spikes with many cache misses | Scraping that bypasses cache | Query strings, headers, and bypass rules |
| Ad clicks jump, conversions don’t | Invalid click traffic | Geo/IP clusters and referrer quality |
| One ASN dominates traffic | Botnet or proxy network | ASN breakdown and block test at the edge |
| Outbound email spikes from the host | Spam relay after compromise | Mail logs, new CMS admins, changed files |
How To Prove Bots Vs People Vs A Breach
Now gather proof with a tight, repeatable routine. Pick a time slice during the spike and pull the raw data that answers who, what, and where.
Pull A 30–60 Minute Window
Export access logs for that window. If you use a CDN, export edge logs too. Aim to include timestamp, method, path, status, bytes, referrer, user agent, and client IP.
Group By Path, Then By Status
List the top requested paths and top status codes. Human surges spread across many pages. Bot surges often fixate on one or two routes.
Check Cookies And Session Markers
If your logs capture cookies or session IDs, look for reuse. Many bots skip cookies and hammer endpoints with fresh requests.
Map IPs To ASN And Country
A single data center ASN flooding you can be blocked fast. A broad spread of residential IPs calls for rate limits and bot filtering.
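As an added example (not code from the original article), here is a Python sketch of the routine above and of the triage questions in the flow earlier: it parses a constructed slice of combined-format access log lines, groups requests by path and status, and counts auth failures on sensitive routes, 404 probe paths and state-changing requests. SAMPLE_LOG, SENSITIVE_PREFIXES and the function names are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.11 - - [10/May/2024:14:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.12 - - [10/May/2024:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:14:00:05 +0000] "GET /.env HTTP/1.1" 404 162 "-" "example-scanner/1.0"
198.51.100.7 - - [10/May/2024:14:00:05 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "example-scanner/1.0"
192.0.2.44 - - [10/May/2024:14:00:09 +0000] "GET /blog/how-to-bake HTTP/1.1" 200 8120 "https://example.org/" "Mozilla/5.0 (iPhone)"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Routes the article treats as sensitive; extend this for your own app.
SENSITIVE_PREFIXES = ("/wp-login.php", "/xmlrpc.php", "/admin", "/login",
                      "/checkout", "/password", "/search", "/api/")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def triage(records):
    """Group by path and status, then answer the triage questions from the article."""
    by_path_status = Counter((r["path"], r["status"]) for r in records)
    auth_fail = [r for r in records if r["status"] in ("401", "403")
                 and r["path"].startswith(SENSITIVE_PREFIXES)]
    probes = Counter(r["path"] for r in records if r["status"] == "404")
    writes = Counter(r["path"] for r in records if r["method"] in STATE_CHANGING)
    return {
        "top_path_status": by_path_status.most_common(5),   # bots fixate on one or two routes
        "auth_failures": len(auth_fail),                     # is it failing auth?
        "auth_failure_ips": len({r["ip"] for r in auth_fail}),  # many IPs on one route: rotation
        "probe_paths": probes.most_common(5),                # scans for known files and folders
        "state_changing": writes.most_common(5),             # is it trying to change anything?
    }
```

Feed it a real 30–60 minute export instead of SAMPLE_LOG and read the five counters in the order of the flow: origin volume, sensitive routes, auth failures, probes, writes.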
Bot Traffic Isn’t Always Bad
Search crawlers and uptime checks are normal. The goal is to control abusive automation without blocking the good stuff. Cloudflare’s plain-language explainer on bot traffic is a useful reference for that split.
Containment Steps That Limit Damage
If you’re unsure, act like you might be under attack while you keep collecting facts. These steps are low-risk and often stop the bleeding.
Rate-Limit Hot Routes
Throttle login, password reset, search, and any endpoint that triggers heavy database work. Start gentle, then tighten if abuse continues.
Block Repeat Offenders At The Edge
If a small set of IPs or one ASN drives the spike, block it at the CDN/WAF. If traffic rotates across IPs, block by behavior: request rate, missing headers, bad paths.
Lock Down Admin Access
Reset admin passwords, enforce strong passphrases, and turn on MFA. Disable unused accounts. Tighten file permissions.
Deep Checks When A Breach Looks Plausible
If you see new admin users, file changes, unknown scheduled tasks, or odd outbound traffic, switch to incident mode and hunt for proof of access.
Review Admin Users And Audit Logs
Check the admin user list for new accounts, role changes, and logins from odd locations. If your CMS has an audit log, export it before you make big edits.
Search For New Or Modified Files
On WordPress, review new PHP files in wp-content, odd files in uploads, and changes to wp-config.php. On other stacks, look for new web shells, changed startup scripts, and new cron entries.
Validate Core Files Against Clean Copies
Compare core CMS files to a fresh vendor release. Unexpected diffs in core files often point to tampering.
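An added example, not from the article, of the core-file comparison: it hashes every file in a clean vendor copy and in the live install, reports modified, missing and added files, and skips the site-specific paths you pass in. demo() builds two small constructed trees in a temporary directory; the file names and contents there are placeholders, not real release files.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root, ignore=()):
    """Diff a live install against a clean vendor copy.

    Paths starting with any prefix in `ignore` (site-specific files such as
    wp-config.php or wp-content/uploads/) are left out of the report.
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    ignore = tuple(ignore)
    paths = {p for p in set(clean) | set(live) if not p.startswith(ignore)}
    return {
        "modified": sorted(p for p in paths if p in clean and p in live and clean[p] != live[p]),
        "missing": sorted(p for p in paths if p not in live),
        "added": sorted(p for p in paths if p not in clean),
    }


def demo():
    """Constructed trees in a temp dir: a vendor release next to a tampered live install."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
            (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
        # Differences modelled in the live tree: one altered core file, one file that
        # is not in the release, and a site-specific config that should be ignored.
        (live / "index.php").write_text("<?php /* altered */ require __DIR__ . '/wp-blog-header.php';\n")
        (live / "wp-includes" / "extra.php").write_text("<?php // not part of the release\n")
        (live / "wp-config.php").write_text("<?php // site-specific, expected to differ\n")
        return compare_trees(clean, live, ignore=("wp-config.php", "wp-content/uploads/"))
```

Anything under "added" inside core directories and anything under "modified" deserves a look before you restore.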
Check Scheduled Tasks And Background Jobs
Scan cron, task schedulers, queue workers, and serverless jobs for anything you did not set up. Persistence often hides there.
Review Outbound Connections
List active outbound connections and compare them to what your app needs. Unknown destinations can signal data theft or spam sending.
Table: Response Actions Based On What You Find
This table turns evidence into the next step you can take right away.
| What You Found | Do This Next | Write Down |
|---|---|---|
| Analytics-only spike, logs normal | Audit tags and recent front-end changes | Tag versions, publish times, before/after screenshots |
| Public-page bot surge, low origin load | Allow known crawlers, rate-limit unknown bots | User agents, top paths, edge rules applied |
| Credential stuffing pressure | Enable MFA, add rate limits, block repeat offenders | Top usernames, IP/ASN list, lockout events |
| Scan traffic for known vulnerable paths | Patch plugins, remove unused components, block probes | Requested paths, patch list, WAF alerts |
| Spam form abuse | Add bot checks, tighten validation, throttle POST | Payload samples, affected forms, error logs |
| Clear compromise signs (new admin, file edits) | Isolate site, rotate secrets, restore from a clean backup | Timeline, changed files, access logs, hashes |
| Outbound traffic that makes no sense | Block egress, scan host, rebuild if needed | Destinations, processes, firewall logs |
Aftercare That Cuts Repeat Spikes
Once the spike settles, do the work that lowers your odds of seeing it again.
Patch And Prune
Update the CMS, themes, plugins, and server packages. Remove plugins you don’t use. Delete old staging installs that still sit on the same host.
Harden Accounts And Secrets
Use MFA on admin accounts. Rotate passwords for admins, database users, and API credentials after any suspected breach. Limit who can install plugins or deploy code.
Set A Simple Baseline And Alerts
Track normal sessions, top countries, top paths, and error rate. Set alerts on sharp changes in 5xx errors, login failures, and traffic from new regions.
Keep Backups You Can Restore
Store backups off the server and test restores on a separate test site. A backup that can’t restore won’t save you during a real incident.
References & Sources
- Google Search Central. “My site’s been hacked – now what?” Order of operations for cleaning a hacked site and closing the entry point.
- Cloudflare Learning Center. “What is bot traffic? | How to stop bot traffic.” Definitions of bot traffic and why some automation is benign while abusive bots cause harm.
