Title: Nasty javascript obfuscated redirect
Last modified: January 19, 2024

---

# Nasty javascript obfuscated redirect

 *  Resolved [prokops](https://wordpress.org/support/users/prokops/)
 * (@prokops)
 * [2 years, 4 months ago](https://wordpress.org/support/topic/nasty-javascript-obfuscated-redirect/)
 * Hi there!
 * My client site had this javascript inserted via plugin WP Code Light:
 * [https://codeshare.io/9O7MlV](https://codeshare.io/9O7MlV)
 * I ran a thorough Wordfence scan when I had the suspicion that something was going
   on. Nothing was found, so I conclude that Wordfence does not catch code inserted
   this way via snippets. The code snippet was set to hide from logged-in users.
 * My question is if Wordfence can catch this and under which conditions. If Wordfence
   free license is unable to detect this, then I need to find a solution that can.
 * Cheers

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [2 years, 4 months ago](https://wordpress.org/support/topic/nasty-javascript-obfuscated-redirect/#post-17362856)
 * Hi [@prokops](https://wordpress.org/support/users/prokops/), thanks for bringing
   this to our attention.
 * Sometimes threats or malware can be packaged in a way we haven’t seen before 
   rather than be ignored due to the way it was included. Snippets of code or harmful
   URLs etc. in the database can still be seen during scans so it’s worth having
   this checked out by our team at **samples @ wordfence . com**.
 * Any other relevant information you can include in the email is helpful, but they
   should be able to see if anything needs to be changed at our end and advise you
   from there.
 * Many thanks,
   Peter.
 *  Thread Starter [prokops](https://wordpress.org/support/users/prokops/)
 * (@prokops)
 * [2 years, 4 months ago](https://wordpress.org/support/topic/nasty-javascript-obfuscated-redirect/#post-17371817)
 * Hi Peter
 * I did some more digging and found out that Wordfence was set to:
   “Exclude files from scan that match these wildcard patterns (one per line): wp-includes/js/*”
 * So a bad actor did exclude the js folder from scans and the infected file was
   placed there.
 * My suggestion for your team would be to include on the scan result page or web health
   summary that:
 * “Warning: your Wordfence scan options exclude these paths from scans: url1, 
   url2 etc”
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [2 years, 3 months ago](https://wordpress.org/support/topic/nasty-javascript-obfuscated-redirect/#post-17402851)
 * Hi [@prokops](https://wordpress.org/support/users/prokops/),
 * I apologize, when I saw your reply I did forward your suggestion to the team 
   but thought I’d let you know. All ideas such as this are discussed internally
   although we can’t update forum topics with progress. Our [changelog](https://wordpress.org/plugins/wordfence/#developers)
   is the best place to check specific updates in new plugin versions.
 * If the excluded file wildcard **was** added by an attacker, you may need to
   **update the passwords for your hosting control panel, FTP, WordPress admin users,
   and database** no matter how you think they may have gained access.
 * Our free site cleaning instructions may also have some useful steps to help prevent
   a problem going forward, although you may have already dealt with this side of
   things before contacting us: [https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/)
 * Naturally, still reach out to **samples** if you find anything suspicious that
   Wordfence didn’t pick up.
 * Peter.
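
The exclusion warning suggested in the thread, sketched as an added example; it is not part of the original posts and is not Wordfence code. Function names and sample data are constructed, and it assumes `*` in an exclusion pattern matches any characters including `/`, which may differ from Wordfence's own matching.

```python
import os
from fnmatch import fnmatchcase

# WordPress core directories; a scan exclusion that covers them deserves review.
CORE_PREFIXES = ("wp-includes/", "wp-admin/")

def list_site_files(root):
    """Site-relative, '/'-separated paths of every file under the WordPress root."""
    return [os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
            for d, _, files in os.walk(root) for f in files]

def hidden_files(patterns, paths):
    """Map each exclusion pattern to the paths it would hide from a scan."""
    report = {}
    for raw in patterns:
        pat = raw.strip()
        if not pat:
            continue  # the setting holds one pattern per line; skip blank lines
        # Assumption: '*' matches any run of characters, '/' included.
        report[pat] = sorted(p for p in paths if fnmatchcase(p, pat))
    return report

def core_exclusions(patterns, paths):
    """Patterns that name a core directory or hide at least one core file."""
    return [pat for pat, hits in hidden_files(patterns, paths).items()
            if pat.startswith(CORE_PREFIXES)
            or any(h.startswith(CORE_PREFIXES) for h in hits)]

def warning_lines(patterns, paths):
    """Build a scan-summary warning of the kind proposed in the thread."""
    flagged = set(core_exclusions(patterns, paths))
    return [f"[{'CORE' if pat in flagged else 'info'}] scan excludes "
            f"'{pat}' ({len(hits)} file(s) skipped)"
            for pat, hits in hidden_files(patterns, paths).items()]

# Constructed sample data: the exclusion setting text and a site file listing.
SAMPLE_EXCLUDES = "wp-includes/js/*\n\nwp-content/cache/*\n"
SAMPLE_FILES = [
    "wp-includes/js/jquery/jquery.min.js",
    "wp-includes/js/wp-emoji-loader.js",
    "wp-includes/version.php",
    "wp-content/cache/page-1.html",
    "wp-content/plugins/example/example.php",
]

if __name__ == "__main__":
    for line in warning_lines(SAMPLE_EXCLUDES.splitlines(), SAMPLE_FILES):
        print(line)
```

On a real site, pass `list_site_files("/path/to/wordpress")` as `paths` and the pasted contents of the exclusion setting, split into lines, as `patterns`.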


The topic ‘Nasty javascript obfuscated redirect’ is closed to new replies.

 * 3 replies
 * 2 participants
 * Last reply from: [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * Last activity: [2 years, 3 months ago](https://wordpress.org/support/topic/nasty-javascript-obfuscated-redirect/#post-17402851)
 * Status: resolved