Title: Cryptocurrency Mining Malware Last modified: December 6, 2018 --- # Cryptocurrency Mining Malware * Resolved [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/) * My hosting company has advised that i have links on my site to a malicious site( coinwave) more research would appear that it is linked with the subject. * I have had All in One security plugin installed since the start of the installation, and i want to know how to use this plugin to remove the malicious code. * It is not in my interests to give you the true link of the site involved, but i would appreciate any help please. * Thank You John W Viewing 14 replies - 1 through 14 (of 14 total) * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9847388) * Sorry the site is NOT coinwave, but coinhive * Apologies. * John W * [glfoster](https://wordpress.org/support/users/glfoster/) * (@glfoster) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9847449) * I not 100% sure of what Coinhive is but from my very quick research, it sounds like a mining script. * From what you’ve written, I don’t believe you have malicious code on your website, just a link to coinhive * I would search your entire website for the link to Coinhive and delete it * [glfoster](https://wordpress.org/support/users/glfoster/) * (@glfoster) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9847466) * Can you provide a link to your website * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9847476) * I am having difficulty searching the site, can you advise best way please? * if the site has malware then spreading the site link around via this post is not something i really want to do at this stage. * thx * John W * [glfoster](https://wordpress.org/support/users/glfoster/) * (@glfoster) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9847584) * I understand your concern about adding a link. I’m fully protected when it comes to this. Just make use to leave a space between your url and the tlds. * You can use plugins to see if it’s in the database, such as ‘Better Search Replace’ * They are plugins to scan your website for malicious code too. You can also contact your web hosting to see which page the malicious code is coming from * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9847811) * The link is glandore(nospace)village .ie * I have tried plugin to locate any code that maybe linked to this event and Nothing…..] * Am waiting back from Hosting Company to find out a little more from them. * thx * John W * [glfoster](https://wordpress.org/support/users/glfoster/) * (@glfoster) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9848278) * Try using some of these. – [https://geekflare.com/online-scan-website-security-vulnerabilities/#1-Scan-My-Server](https://geekflare.com/online-scan-website-security-vulnerabilities/#1-Scan-My-Server) * I’ve used Sucuri and all is says is your firewall isn’t the strongest. I’m going to look now for you * Gareth * [glfoster](https://wordpress.org/support/users/glfoster/) * (@glfoster) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9848300) * I’ve viewed your source code and it’s located in the being loaded as a script. Search on google how to view the source code in your preferred browser. * It’s either hardcoded into your theme head.php, being added through your function. php in your theme or a plugin is adding the script. * It should be easy to find, but you’ll have to look through your files. If you have a local version of your website, it should be easy to find through a search folder function in your code editor. * Good Luck, * Gareth * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9849462) * Gareth, * Firstly, Thanks You for taking an interest in my issue, and doing all that work. * The issue was caused by a plugin for a Weather widget called Weather for us. Which i had on every page. Based on your response, i remembered that one fo the tools i had used in the past was GTmetrix, to analyse the sites performance, but one of the things it does is list all the accesses both ways to and from the web server hosting the wordpress site. I found the associated request for the malicious URL within the GTmetrix “waterfall” page were it clearly showed the request and how long the process was taking, also slowing down he site… and as the weather widget was on every page it was not difficult to prove that this was in fact the cause of the Malicious code. * Once i removed the Widget from the pages the request to the URL stopped. I will check with my Hosting company, but i am confident it is sorted. thanks for your help. * John W * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9849477) * Hello, * Further to my last response if you want to read some pretty negative press about this developer read the following:- * [https://wordpress.org/plugins/weather-for-us-widget/#reviews](https://wordpress.org/plugins/weather-for-us-widget/#reviews) * When i downloaded this plugin these comments were not available…. * Anyway. progress one more bad guy identified. * John W * Plugin Contributor [mbrsolution](https://wordpress.org/support/users/mbrsolution/) * (@mbrsolution) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9849531) * Hi [@ejwjohn](https://wordpress.org/support/users/ejwjohn/), I am glad to hear that you have finally found the issue. * It can be challenging to find out if a developer is honest or not when it comes to coding. However I have a rule that I always follow when I test a new plugin. And of course I always use my testing sites locally to test new plugins and themes. * > 1. Functionality as per description. > 2. Support provided in the forum. 3. > The number of downloads. 4. The number of positive reviews. 5. Is the plugin > up to date with the latest WordPress version. * However even with the above list, you can still install a plugin that has malware or other malicious code added. But the good news is that WordPRess team are very fast at responding and blocking or closing down any plugin or theme that adds malicious code. * I just thought of replying just to let you know that I was monitoring this thread. * Enjoy the plugin. * Kind regards * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 5 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-9850092) * Thank You. * I continue to learn…… i am still relatively new to the WordPress environment, and it is good to know that the support is there and people are generous with their time. * However, from my perspective, i need to reassess how i deploy and test sites, with proven reliable plugins. * Thanks * John W * [ACLinkup](https://wordpress.org/support/users/aclinkup/) * (@aclinkup) * [8 years, 3 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-10038261) * I’m having the same issue, coinhive showing up in gtmetrix waterfall. * However SUCURI isn’t showing anything for my page as malicious, and I’ve inspected the sourcecode but don’t see it being loaded from there * warning: mature themes (no nudity though) [http://dailysupreme](http://dailysupreme). com/s/E70/MSK-A2ist02-A18e4to4ia5/LTesting.php * Thread Starter [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * (@ejwjohn) * [8 years, 3 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-10038273) * Hello, * In my case there was no malicious code embedded into the site, the code is loaded as a result of an embedded link generated from within the weather widget. Which then loads the Coinhive code into the pc/mac of the user, which proceeds to “ steal” spare hardware processor capacity to perform its deeds….. end effect your pc/mac slows down without you knowing…. * Well this is what i believe…. * John W Viewing 14 replies - 1 through 14 (of 14 total) The topic ‘Cryptocurrency Mining Malware’ is closed to new replies. * ![](https://ps.w.org/all-in-one-wp-security-and-firewall/assets/icon-256x256. png?rev=2798307) * [All-In-One Security (AIOS) – Security and Firewall](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) * [Frequently Asked Questions](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#faq) * [Support Threads](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/) * [Active Topics](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/unresolved/) * [Reviews](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/reviews/) * 13 replies * 4 participants * Last reply from: [ejwjohn](https://wordpress.org/support/users/ejwjohn/) * Last activity: [8 years, 3 months ago](https://wordpress.org/support/topic/cryptocurrency-mining-malware/#post-10038273) * Status: resolved