Title: WordPress compromised – popup malware attack Last modified: March 21, 2020 --- # WordPress compromised – popup malware attack * [jojojijijojo](https://wordpress.org/support/users/jojojijijojo/) * (@jojojijijojo) * [6 years, 2 months ago](https://wordpress.org/support/topic/wordpress-compromised-popup-malware-attack/) * Hi, So my wordpress website is compromised, when going to the main url, a popup window shows up and it redirects users to ads and malign websites. * Debugging my website homepage I found the following script called: * Request URL: [https://***/up/display.js](https://***/up/display.js) :path: / up/display.js * Which calls: Request URL: [https://cdn.***.***/link-converter.min.js](https://cdn.***.***/link-converter.min.js) * Which calls: Request URL: [https://***.com/pu-placer.js?t=1514302a73](https://***.com/pu-placer.js?t=1514302a73) * I check my files timestamp and none of them was modified, which makes me believe that the malware is actually injected into the database. * I disabled all plugins and the malware redirect seems to stop, does that confirm that the malware resides in the DB alone? seeing that none of the hosted files were modified? - This topic was modified 6 years, 2 months ago by [jojojijijojo](https://wordpress.org/support/users/jojojijijojo/). Viewing 4 replies - 1 through 4 (of 4 total) * [Smat Placid](https://wordpress.org/support/users/www_smatplacid_com/) * (@www_smatplacid_com) * [6 years, 2 months ago](https://wordpress.org/support/topic/wordpress-compromised-popup-malware-attack/#post-12568879) * FIRST step should be: having a backup! I you don’t have any yet, try to install e.g. “UpDraft” in free version and make a backup. * Usually root-files will be compromised first. Check ‘wp-config.php’, ‘wp-settings. php’, ‘index.php’ (and so on) and look for suspicous [@include](https://wordpress.org/support/users/include/) commands. * You can start with a IMO very good tool ‘Anti-Malware Security and Brute-Force Firewall’ <[https://wordpress.org/plugins/gotmls/>](https://wordpress.org/plugins/gotmls/>);. Its scanning all files in your WordPress-install. * What helps is to delete DIR “wp-admin” and “wp-includes” and re-upp theese DIRs from a zip – just to make sure this two folders are clean. * Thread Starter [jojojijijojo](https://wordpress.org/support/users/jojojijijojo/) * (@jojojijijojo) * [6 years, 2 months ago](https://wordpress.org/support/topic/wordpress-compromised-popup-malware-attack/#post-12568965) * Thanks Smat, * I found the culprit plugin, it was “Popup Builder – Responsive WordPress Pop up” When searching the database for “String.fromCharCode”, I found two results( sg_popup_scripts and sg_popup_options_preview) that included the malicious injected JS code, deleting it seems to solve this, but this could have been much much worse… * I’m still going to re-upload critical folders like you mentioned just in case. * [codersaurus](https://wordpress.org/support/users/codersaurus/) * (@codersaurus) * [6 years, 2 months ago](https://wordpress.org/support/topic/wordpress-compromised-popup-malware-attack/#post-12569072) * Also try to upload the last stable db dump. Additional mods could have been made to the db. Better safe than sorry. * All the best! * Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/) * (@sterndata) * Volunteer Forum Moderator * [6 years, 2 months ago](https://wordpress.org/support/topic/wordpress-compromised-popup-malware-attack/#post-12569083) * Trust nothing once your site has been compromised. * Get a fresh cup of coffee, take a deep breath and carefully follow [this guide](https://wordpress.org/support/article/faq-my-site-was-hacked/). When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://wordpress.org/support/article/hardening-wordpress/). * If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple. Viewing 4 replies - 1 through 4 (of 4 total) The topic ‘WordPress compromised – popup malware attack’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 4 replies * 4 participants * Last reply from: [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/) * Last activity: [6 years, 2 months ago](https://wordpress.org/support/topic/wordpress-compromised-popup-malware-attack/#post-12569083) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics