What are the most common attacks that web hosting environments are suffering from?


It’s a hard-scrabble world out there between malware, DDoS attacks, SQL injections, and more.

Web hosting environments have an unenviable task. They’re expected to maintain incredible levels of uptime for their customers and clients, while also having to exist in the same uncertain and sometimes downright hostile world all of us operate in.

From mass-injected malware to record-shattering denial-of-service floods, the attacks hammering web-hosting platforms have never been more varied – or more automated. But the same data that highlights the scale of the threat also shows those providers are working double-time to protect client data.


Malware

Website malware rarely makes headlines, but it remains an attacker’s workhorse. Sucuri’s latest annual clean-up log shows 95.5% of all infections in 2023 hit WordPress sites, and nearly half of compromised sites carried at least one backdoor to guarantee re-entry.


The problem is that site hosts are leaving those doors wide open: 39% of victims were running out-of-date CMS code by the time they were hacked, showing patching is still an important basic control to ward off attacks.

Hosts are fighting back with server-side scanners, daily file-integrity checks and “virtual patching” WAF rules that block exploits even when customers postpone updates.

GoDaddy and other large providers are now offering malware scanning as an always-on service. Some smaller cPanel hosts increasingly bundle open-source tools such as ClamAV and Maldet into what they offer.

Given WordPress’s central role in the ecosystem, many providers are moving WordPress customers to containerised or read-only file systems so that a successful write by an attacker is treated as a one-off.


DDoS

Cloudflare’s Q1 2025 data recorded 20.5 million separate DDoS events – a 358% year-on-year surge – and blocked a single burst that hit 6.5 terabits per second and 4.8 billion packets per second, the fastest packet flood ever disclosed.

Here, the big shift is towards capacity and automation. Providers such as Cloudflare, Akamai and AWS deploy shields that soak up abnormal traffic, while machine-learning classifiers cut off attacks in under three seconds.

But here there’s a split in capabilities between the biggest providers and mid-tier hosts, who, unable to build that infrastructure, increasingly tunnel traffic through upstream scrubbing centres via BGP.

SQL injections

Imperva’s threat research puts SQL injection behind half of all database breaches it analysed, confirming that the longstanding trick is still the most lucrative path to sensitive records for many hackers. MITRE’s CWE Top 25 list agrees, placing SQL injection attacks third in its list of threats, beaten only by XSS and buffer overflows.


The fact that this issue has persisted for such a long time suggests it’s difficult to tackle. Defenders are leaning hard on layered controls.

Parameterised queries and ORM frameworks strip user input of query power inside modern stacks, while upstream, managed WAFs such as Imperva’s Cloud WAF or AWS WAF apply behavioural signatures that recognise automated sqlmap payloads in real time.

Runtime application self-protection (RASP) systems are gaining ground too, instrumenting the database driver itself to stop rogue queries that slip past the perimeter.


Cross-site scripting (XSS)

Cross-site scripting – officially CWE-79 – tops the 2024 CWE list, showing the continued vulnerability of JavaScript. Hosts see XSS primarily through mass-scanned comment forms and outdated third-party widgets.


Mitigations against it are moving server-side: many managed platforms now default to Content-Security-Policy headers that restrict where scripts can load, while real-time DOM sanitisation libraries bake in escape routines.

Brute force attacks

Web credentials are traded all the time, so attackers often skip exploits and go straight for the login page. Imperva recently recorded a seven-million-request account-takeover (ATO) storm against an American retail site, spread across 200,000 IP addresses, trying stolen usernames and passwords.

Tackling these is simpler: rate-limiting, progressive CAPTCHAs, bot-signature detection and WebAuthn or passkey log-ins that remove passwords from the equation entirely are all tools in the defensive arsenal.

And things are evolving: where MFA was once an optional upsell that providers tried to squeeze out of consumers, many control panels now force it at account creation.
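
As an added example (not from the original article), here is a sliding-window login limiter in Python that counts failed logins per source IP, per account and site-wide, showing why a per-IP limit alone misses an attack spread across many addresses. The class names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

class Window:
    """Sliding-window counter of recent failed logins per key."""
    def __init__(self, limit, seconds):
        self.limit, self.seconds = limit, seconds
        self.seen = defaultdict(deque)

    def _recent(self, key, now):
        q = self.seen[key]
        while q and now - q[0] >= self.seconds:  # drop expired timestamps
            q.popleft()
        return q

    def add(self, key, now):
        self._recent(key, now).append(now)

    def over(self, key, now):
        return len(self._recent(key, now)) >= self.limit

class LoginGuard:
    # Thresholds are illustrative assumptions, not values from the article.
    def __init__(self, per_ip=5, per_account=5, site_wide=20, seconds=60):
        self.ip = Window(per_ip, seconds)
        self.account = Window(per_account, seconds)
        self.site = Window(site_wide, seconds)

    def check(self, ip, user, now):
        if self.ip.over(ip, now) or self.account.over(user, now):
            return "block"
        if self.site.over("*", now):  # many failures overall: step up to a challenge
            return "captcha"
        return "allow"

    def record_failure(self, ip, user, now):
        for window, key in ((self.ip, ip), (self.account, user), (self.site, "*")):
            window.add(key, now)

def replay(events, guard):
    """Feed (time, ip, user, success) tuples through the guard and tally decisions."""
    tally = {"allow": 0, "captcha": 0, "block": 0}
    for now, ip, user, ok in events:
        decision = guard.check(ip, user, now)
        tally[decision] += 1
        if decision != "block" and not ok:
            guard.record_failure(ip, user, now)
    return tally

# Constructed sample data (documentation IP ranges), one failed login per second.
DISTRIBUTED = [(t, f"198.51.100.{t}", f"user{t}", False) for t in range(40)]  # 40 sources
SINGLE_SOURCE = [(t, "203.0.113.9", f"user{t}", False) for t in range(10)]  # 1 source
```

Replaying `DISTRIBUTED` with the site-wide tier effectively disabled (`LoginGuard(site_wide=10**9)`) allows all 40 attempts; with the defaults, the last 20 are stepped up to a challenge.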