There has been an increasing number of cases in which malicious JavaScript is embedded in every post on a WordPress site. Here is how to deal with this malware.

This is a case in which malicious JavaScript is embedded in WordPress posts, causing malicious behavior such as redirecting visitors to other sites when the site is accessed.

JavaScript is a scripting language that runs in the browser and performs various functions on the site, such as dynamically rewriting pages, communicating behind the scenes, and animating the layout.

Because JavaScript runs in the browser, even if illegitimate JavaScript is embedded in a site, it cannot directly rewrite files on the server or install any files directly on the user’s computer. However, it can lead the user to dangerous websites, or insert SEO links to other sites without permission.

*It can still cause serious damage, such as users installing malicious software from other sites, or the site being blacklisted by search engines as having malicious content, which can result in the site not appearing in search results.

Example of malicious JavaScript being embedded in all posts on a site

If a hacker takes advantage of a weakness in a WordPress site, such as a vulnerable plugin or a weak user password, to gain administrative privileges on the site, in many cases the database can be rewritten as well.

Hackers use programs that rewrite the post data in the site’s database in one pass, sometimes writing malicious JavaScript into thousands of posts.

The malicious JavaScript is often written at the bottom of the post data, obfuscated as shown in the figure above.

Reference
What is the obfuscation process used in over 90% of WordPress malware?

What to do when malicious JavaScript is embedded in a post

When malicious JavaScript is embedded in a post, it is often discovered when PC virus detection software blocks access to the site, search results indicate that malware has been detected, or site users complain that they were redirected to another site or forced to download malicious software.

Detection of malicious JS

Malicious JS embedded in posts can sometimes be detected by online services such as the following. Try checking the URLs of posts and of the top page for viruses on such sites.

Sucuri Site Check

Online Malware Scanner

For more powerful detection of malware from the inside, you can also use our Malware Detection Plug-in.
Free WordPress: Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].

What if thousands of posts have malicious JavaScript embedded in them?

If several thousand posts have malicious JavaScript embedded in them, it is difficult to remove it from each post by hand.
In this case, we recommend the following methods.

Roll back to the database before the contamination.

Directly execute SQL statements (database processing instructions) that comprehensively disable the malicious JavaScript strings in the database.
*This method is not recommended because it may corrupt site data depending on the data format.

Use a batch database rewriting plug-in such as Search Regex.

Use a database replacement program such as Search Replace DB.

In addition, if malicious JavaScript is embedded in a post, it means that a hacker already has unauthorized access to the server to rewrite the database, so it is also necessary to close backdoors, which are malware and vulnerabilities that allow hackers to enter the database.
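
Before running any of the bulk-rewrite methods above, a read-only dry run shows which posts end in a `<script>` block and what the post body would look like without it. The following is an added example, not code from this page or from the plugins it names; the obfuscation markers and the sample rows are constructed assumptions, and real rows would come from an export of the `ID` and `post_content` columns of `wp_posts`.

```python
import re
# Heuristic obfuscation markers (an assumption, not taken from the page's figure).
OBFUSCATION_MARKERS = re.compile(
    r"eval\s*\(|String\.fromCharCode|unescape\s*\(|atob\s*\(|\\x[0-9a-fA-F]{2}")
# Any <script> element, inline or external.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)


def find_trailing_scripts(post_content):
    """Return (trailing <script> blocks, body with those blocks removed)."""
    trailing = []
    body = post_content.rstrip()
    while True:
        matches = list(SCRIPT_BLOCK.finditer(body))
        # Stop as soon as the last script is not the final thing in the body.
        if not matches or matches[-1].end() != len(body):
            break
        trailing.insert(0, matches[-1].group(0))
        body = body[:matches[-1].start()].rstrip()
    return trailing, body


def scan_posts(rows):
    """rows: iterable of (post_id, post_content). Read-only; nothing is rewritten."""
    findings = []
    for post_id, content in rows:
        scripts, cleaned = find_trailing_scripts(content)
        if scripts:
            findings.append({
                "post_id": post_id,
                "obfuscated": any(OBFUSCATION_MARKERS.search(s) for s in scripts),
                "script_count": len(scripts),
                "cleaned_preview": cleaned,  # review this before any bulk rewrite
            })
    return findings


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_ROWS = [
    (1, "<p>Hello world</p>"),
    (2, "<p>News</p><script>eval(String.fromCharCode(97,108,101,114,116))</script>\n"),
    (3, "<p>Map</p><script src=\"/js/legit.js\"></script><p>after</p>"),
    (4, "<p>Tips</p><script src=\"https://cdn.example.invalid/x.js\"></script>"),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_ROWS):
        print(f["post_id"], "obfuscated" if f["obfuscated"] else "plain", f["script_count"])
```

Posts flagged without an obfuscation marker (post 4 in the sample) may be legitimate embeds, so the list is a review queue rather than a deletion list.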
