WordPress Security

Securing WordPress for Affiliate Marketing: Protecting Links and Revenue

Protect your WordPress affiliate marketing site from link hijacking, click fraud, and security threats that can steal your commissions.

Sarah Chen

Affiliate marketing websites face unique security challenges including link hijacking, click fraud, and cookie stuffing. Protecting your affiliate links and commissions requires specific security measures.

Affiliate Site Threats

Common threats to affiliate sites:

  • Link hijacking through browser extensions
  • Affiliate link replacement attacks
  • Cookie stuffing by competitors
  • Click fraud inflating statistics
  • Content scraping with replaced links

Revenue Protection

These attacks directly impact income:

  • Stolen commissions from replaced links
  • Account bans from fraudulent activity
  • Lost SEO from scraped content
  • Damaged relationships with merchants

Protecting Affiliate Links

Use server-side link cloaking:

function create_affiliate_redirect($slug, $destination_url, $affiliate_id) {
    global $wpdb;

    // Normalize once so the stored slug and the returned URL always match
    $slug = sanitize_title($slug);

    // Store in database, not in visible URLs
    $wpdb->insert('affiliate_links', array(
        'slug' => $slug,
        'destination' => esc_url_raw($destination_url),
        'affiliate_id' => intval($affiliate_id),
        'created_at' => current_time('mysql'),
    ));

    return home_url('/go/' . $slug);
}

// Handle redirects
add_action('template_redirect', function() {
    // Match on the path only; REQUEST_URI also carries the query string
    $path = (string) wp_parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

    if (preg_match('/^\/go\/([a-z0-9-]+)\/?$/i', $path, $matches)) {
        global $wpdb;

        $slug = sanitize_title($matches[1]);
        $link = $wpdb->get_row($wpdb->prepare(
            "SELECT * FROM affiliate_links WHERE slug = %s",
            $slug
        ));

        if ($link) {
            // Log click (log_affiliate_click() is not defined on this page;
            // it is assumed to insert a row into affiliate_clicks)
            log_affiliate_click($link->id, $_SERVER['REMOTE_ADDR']);

            // Redirect with nofollow
            header('X-Robots-Tag: noindex, nofollow');
            wp_redirect($link->destination, 307);
            exit;
        }
    }
});

Click Fraud Detection

Monitor for suspicious click patterns:

function detect_click_fraud($link_id, $ip) {
    global $wpdb;

    // Check clicks from this IP in last hour
    $recent_clicks = $wpdb->get_var($wpdb->prepare(
        "SELECT COUNT(*) FROM affiliate_clicks
         WHERE link_id = %d AND ip_address = %s
         AND clicked_at > DATE_SUB(NOW(), INTERVAL 1 HOUR)",
        $link_id, $ip
    ));

    if ($recent_clicks > 5) {
        return array(
            'fraud' => true,
            'reason' => 'Excessive clicks from same IP',
        );
    }

    // Check for click patterns (rapid sequential clicks).
    // The interval is computed in SQL so it uses the same clock as clicked_at
    // and NOW() in the query above, not PHP's time zone.
    $seconds_since_last = $wpdb->get_var($wpdb->prepare(
        "SELECT TIMESTAMPDIFF(SECOND, MAX(clicked_at), NOW())
         FROM affiliate_clicks WHERE ip_address = %s",
        $ip
    ));

    if ($seconds_since_last !== null && (int) $seconds_since_last < 2) {
        return array(
            'fraud' => true,
            'reason' => 'Click interval too short',
        );
    }

    return array('fraud' => false);
}

Link Integrity Monitoring

Detect if links are being modified:

function verify_link_integrity() {
    global $wpdb;

    $links = $wpdb->get_results("SELECT * FROM affiliate_links");
    $alerts = array();

    foreach ($links as $link) {
        // Check if link still exists in content.
        // esc_like() stops "_" or "%" in a slug from acting as LIKE wildcards.
        $found = $wpdb->get_var($wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->posts}
             WHERE post_content LIKE %s AND post_status = 'publish'",
            '%' . $wpdb->esc_like('/go/' . $link->slug) . '%'
        ));

        if (!$found) {
            $alerts[] = array(
                'link' => $link->slug,
                'issue' => 'Link not found in any published content',
            );
        }

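        // Verify destination is still valid. The safe variant rejects URLs that
        // point at local or private addresses, so a tampered row cannot turn
        // this check into a request against internal services.
        $response = wp_safe_remote_head($link->destination, array('timeout' => 5));
        if (is_wp_error($response) || wp_remote_retrieve_response_code($response) >= 400) {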
            $alerts[] = array(
                'link' => $link->slug,
                'issue' => 'Destination URL returns error',
            );
        }
    }

    return $alerts;
}
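
Neither check above notices a row whose destination was rewritten in the database, which is what an affiliate link replacement attack does. As an added example (not code from the original article), the following plain PHP signs each row with an HMAC and audits for mismatches; the function names, the `sig` column, the key placeholder and the sample rows are assumptions made for illustration.

```php
<?php
// Added example. In WordPress the key would be a secret constant in wp-config.php,
// never a value stored in the database it protects.

// Canonical, unambiguous encoding of the fields a replacement attack would change.
function affiliate_link_payload(array $row): string {
    return json_encode(array(
        (string) $row['slug'],
        (string) $row['destination'],
        (int) $row['affiliate_id'],
    ), JSON_UNESCAPED_SLASHES);
}

// Compute the tag to store beside the row (hypothetical "sig" column).
function sign_affiliate_link(array $row, string $key): string {
    return hash_hmac('sha256', affiliate_link_payload($row), $key);
}

// Constant-time check to run before redirecting or from a scheduled audit.
function verify_affiliate_link(array $row, string $key): bool {
    if (empty($row['sig']) || !is_string($row['sig'])) {
        return false; // unsigned rows are treated as tampered
    }
    return hash_equals(sign_affiliate_link($row, $key), $row['sig']);
}

// Return the slugs whose stored fields no longer match their signature.
function audit_affiliate_links(array $rows, string $key): array {
    $tampered = array();
    foreach ($rows as $row) {
        if (!verify_affiliate_link($row, $key)) {
            $tampered[] = $row['slug'];
        }
    }
    return $tampered;
}

// Constructed sample data: two signed rows, then one is altered behind our back.
$key  = 'placeholder-secret-from-wp-config';
$rows = array(
    array('slug' => 'blue-widget', 'destination' => 'https://merchant.example/p/1?aff=42', 'affiliate_id' => 42),
    array('slug' => 'red-widget',  'destination' => 'https://merchant.example/p/2?aff=42', 'affiliate_id' => 42),
);
foreach ($rows as $i => $row) {
    $rows[$i]['sig'] = sign_affiliate_link($row, $key);
}
$rows[1]['destination'] = 'https://merchant.example/p/2?aff=999'; // simulated tampering

print_r(audit_affiliate_links($rows, $key));
```

In WordPress the audit would run from the same scheduled job as verify_link_integrity(), and the redirect handler would refuse to redirect a row that fails verify_affiliate_link().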

Content Scraping Protection

Prevent scrapers from stealing content with links:

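// Disable right-click and text selection (optional).
// The script body is an assumed reconstruction; it only deters casual copying.
add_action('wp_footer', function() {
    if (!is_user_logged_in()) {
        ?>
        <script>
        document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
        document.addEventListener('selectstart', function (e) { e.preventDefault(); });
        </script>
        <?php
    }
});

// Rate limit page views for anonymous visitors.
// The hook and the transient key name are assumptions.
add_action('template_redirect', function() {
    if (!is_user_logged_in()) {
        $key   = 'page_views_' . md5($_SERVER['REMOTE_ADDR']);
        $views = (int) get_transient($key);

        if ($views > 100) { // 100 pages per minute
            wp_die('Rate limit exceeded', '', array('response' => 429));
        }

        set_transient($key, $views + 1, MINUTE_IN_SECONDS);
    }
});

// Add invisible markers to detect scraping
function add_content_markers($content) {
    $marker = '';
    return $marker . $content . $marker;
}
add_filter('the_content', 'add_content_markers');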

Protecting Disclosure Pages

FTC compliance requires affiliate disclosures:

// Automatically add disclosure to affiliate content
function add_affiliate_disclosure($content) {
    if (has_tag('affiliate') || has_category('reviews')) {
        $disclosure = '<p>Disclosure: This post contains affiliate links. We may earn a commission if you make a purchase through these links.</p>';
        return $disclosure . $content;
    }
    return $content;
}
add_filter('the_content', 'add_affiliate_disclosure');

Database Link Backup

Regular backup of affiliate link configurations:

function backup_affiliate_links() {
    global $wpdb;

    $links = $wpdb->get_results("SELECT * FROM affiliate_links", ARRAY_A);

    $backup = array(
        'exported_at' => current_time('mysql'),
        'site_url' => home_url(),
        'links' => $links,
    );

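    $backup_dir = WP_CONTENT_DIR . '/affiliate-backups/';
    if (!file_exists($backup_dir)) {
        mkdir($backup_dir, 0750, true);
        // .htaccess is honored by Apache only; on nginx and other servers,
        // deny this path in the server configuration or the backups are
        // downloadable from wp-content.
        file_put_contents($backup_dir . '.htaccess', 'deny from all');
    }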

    $filename = 'links-backup-' . date('Y-m-d-His') . '.json';
    file_put_contents(
        $backup_dir . $filename,
        json_encode($backup, JSON_PRETTY_PRINT)
    );
}
add_action('wpfs_daily_backup', 'backup_affiliate_links');

Monitoring Commission Changes

Track affiliate program changes:

function track_commission_rates() {
    $programs = get_option('affiliate_programs', array());

    foreach ($programs as $program_id => &$program) {
        // Record historical rates
        if (!isset($program['rate_history'])) {
            $program['rate_history'] = array();
        }

        $current_rate = $program['commission_rate'];
        $last_recorded = end($program['rate_history']);

        if (!$last_recorded || $last_recorded['rate'] !== $current_rate) {
            $program['rate_history'][] = array(
                'rate' => $current_rate,
                'recorded_at' => current_time('mysql'),
            );

            // Alert if rate decreased
            if ($last_recorded && $current_rate < $last_recorded['rate']) {
                wp_mail(
                    get_option('admin_email'),
                    'Commission rate decreased',
                    sprintf('%s rate changed from %s to %s',
                        $program['name'], $last_recorded['rate'], $current_rate)
                );
            }
        }
    }
    unset($program); // break the reference left by the by-reference foreach

    update_option('affiliate_programs', $programs);
}

Conclusion

Affiliate site security focuses on protecting links from hijacking, detecting click fraud, preventing content scraping, and maintaining link integrity. Regular monitoring ensures your commissions are protected.

Written by Sarah Chen

WP Folder Shield Team
