threatover Patrik Grobshäuser

CRYPTOJACKING · WORDPRESS · REMOVED

WordPress cryptojacking removal.

A cryptojacker is a tiny script that turns every visitor’s browser into a mining rig. I find the loader, remove it, and add the right headers so it can’t be planted again. Flat $279.

MECHANISM

Your visitors mine cryptocurrency. The attacker keeps the rewards.

An in-browser cryptojacker is a small piece of JavaScript that runs WebAssembly mining code in the visitor’s browser. Fans spin up, batteries drain, the page feels sluggish — and the attacker is the only one who profits. Mobile visitors notice it first.

Most loaders are injected into theme files or into autoloaded wp_options rows so they fire on every page. Some are hosted off-site and loaded via a single 02 06 07 // A WebWorker pinning the CPU on every page load 08 // is the signature of an in-browser miner.

What I remove

Every loader, every variant.

  • TRIAGE

    I load the site with a clean browser profile and watch CPU usage, network requests, and WebAssembly instantiations.

  • MINER

    In-browser miner loaders removed from theme files, plugin assets, inline scripts, and active widgets.

  • DATABASE

    Autoloaded wp_options payloads cleaned. Injected scripts in wp_posts removed.

  • HARDENING

    Content-Security-Policy headers added to block off-domain script execution. Theme integrity verified.

  • GOOGLE

    Safe Browsing reconsideration submitted if a warning was triggered. Search Console indexation re-requested.

  • REPORT

    Plain-English forensic write-up, entry vector identified, list of every variant I removed.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.