How to Clean the JavaScript Redirect Malware from WordPress

JavaScript redirect malware is… well special in many ways. One: The most common variant doesn’t infect the WordPress files, so you’ll go in loops installing and reinstalling WordPress to no effect. Two: Common malware scans fail miserably at scanning database. And finally, there’s no way to figure out if a redirect is genuine or malicious.

This one needs manual intervention and some… “skills”. Before you read further and try to solve this one, you’ll need to establish that this is in fact the type that I’m covering in this article. If it’s a file infection then malCure Malware Removal & Firewall should be able to scan and indicate the problem file.

Here’s now to identify a JavaScript redirect malware

If you open the web-page, it will redirect in no time. You can’t really trust browser’s built-in Developer Tools because the inspector can’t really tell what kind of redirect it is.

The idea is to inspect the source-code of the WordPress page. For that you’ll have to view the source-code without actually visiting the URL.

Type the URL in the following format into the browser’s address-bar:


And now you can inspect it line by line. Feel free to copy / reformat / beautify the code to make it more legible. Given the right tools, this will help you identify the JavaScript snippet. You are looking for anything that starts with <script> tag.

After fixing so many websites, here’s an example I remember:

<script src='' type='text/javascript'></script>

Cleaning up the JavaScript Redirect Infection

The clean up routine consists of:

  1. Finding the JavaScript snippet in the database.
  2. Replacing it (with nothing).
  3. Verifying the redirect is gone.
  4. Identifying the root-cause

Prior to replacing anything take a full backup of your website.

For searching the JavaScript snippet you can use phpMyAdmin.

For the replacement part I trust a good code editor like VS Code. Export the database as an sql file, open in VS Code, do a find and replace and save the file.

In phpMyAdmin you’ll need to drop all the tables in the infected database and import the cleaned up file. If all went well, your site will be back. Voila!

The most common cause of this infection is misuse of the “Database Search and Replace Script” or any other script that has write access to the database. These scripts must be positively removed after use and the website properly secured.

That said, you really need to look elsewhere too and see if there’s anything else leftover and / or has access to the database. And seek a hand from a professional.

Need professional help removing malware?

100% Removal Guarantee • Same Day Service • 15 Days Cover

Leave a Reply

Your email address will not be published. Required fields are marked *