What is cryptojacking?

Cryptojacking is when a website secretly uses your visitors’ CPU to mine cryptocurrency. The attacker collects the rewards. Your visitors get heat, battery drain, and a slow page.

Will my visitors notice?

Yes, eventually. Mobile users notice first because their phones get hot and battery drops fast. Desktop users see fan spin-up and sluggish browsers. Both leave.

Does the miner affect my server?

Indirectly. The mining itself runs in visitors’ browsers, so your server’s CPU is fine. But the loader is malware, which means the entry vector that planted it can be used for worse things.

How did this get on my site?

Almost always through a vulnerable plugin or stolen admin credentials. The report names the exact path.

// CRYPTOJACKING · WORDPRESS · REMOVED

WordPress cryptojacking removal.

A cryptojacker is a tiny script that turns every visitor’s browser into a mining rig. I find the loader, remove it, and add the right headers so it can’t be planted again. Flat $279.

Start a cleanup → How cryptojackers work

§ 01 — MECHANISM

Your visitors mine cryptocurrency. The attacker keeps the rewards.

An in-browser cryptojacker is a small piece of JavaScript that runs WebAssembly mining code in the visitor’s browser. Fans spin up, batteries drain, the page feels sluggish — and the attacker is the only one who profits. Mobile visitors notice it first.

Most loaders are injected into theme files or into autoloaded wp_options rows so they fire on every page. Some are hosted off-site and loaded via a single 02 06 07 // A WebWorker pinning the CPU on every page load 08 // is the signature of an in-browser miner.

§ 02 — WHAT WE REMOVE

Every loader, every variant.

[ TRIAGE ]

I load the site with a clean browser profile and watch CPU usage, network requests, and WebAssembly instantiations.
[ MINER ]

In-browser miner loaders removed from theme files, plugin assets, inline scripts, and active widgets.
[ DATABASE ]

Autoloaded wp_options payloads cleaned. Injected scripts in wp_posts removed.
[ HARDENING ]

Content-Security-Policy headers added to block off-domain script execution. Theme integrity verified.
[ GOOGLE ]

Safe Browsing reconsideration submitted if a warning was triggered. Search Console indexation re-requested.
[ REPORT ]

Plain-English forensic write-up, entry vector identified, list of every variant I removed.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Start an engagement.

Send the scope, stack, and timeline. You get a written proposal with a fixed quote.

Contact →