CRYPTOJACKING · WORDPRESS · REMOVED
WordPress cryptojacking removal.
A cryptojacker is a tiny script that turns every visitor’s browser into a mining rig. I find the loader, remove it, and add the right headers so it can’t be planted again. Flat $279.
MECHANISM
Your visitors mine cryptocurrency. The attacker keeps the rewards.
An in-browser cryptojacker is a small piece of JavaScript that runs WebAssembly mining code in the visitor’s browser. Fans spin up, batteries drain, the page feels sluggish — and the attacker is the only one who profits. Mobile visitors notice it first.
Most loaders are injected into theme files or into autoloaded wp_options rows so they fire on every page. Some are hosted off-site and loaded via a single 02 06 07 // A WebWorker pinning the CPU on every page load 08 // is the signature of an in-browser miner.
What I remove
Every loader, every variant.
-
TRIAGE
I load the site with a clean browser profile and watch CPU usage, network requests, and WebAssembly instantiations.
-
MINER
In-browser miner loaders removed from theme files, plugin assets, inline scripts, and active widgets.
-
DATABASE
Autoloaded wp_options payloads cleaned. Injected scripts in wp_posts removed.
-
HARDENING
Content-Security-Policy headers added to block off-domain script execution. Theme integrity verified.
-
GOOGLE
Safe Browsing reconsideration submitted if a warning was triggered. Search Console indexation re-requested.
-
REPORT
Plain-English forensic write-up, entry vector identified, list of every variant I removed.
Pricing
Cleanup
$279
flat, one-time, per site
Manual cleanup, entry-vector identification, written forensic report.
Start a cleanupMonitoring
$29 / mo
per site, cancel any time
Continuous monitoring, hardening, one cleanup per year included.
Get protectedPart of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
See all services →Email [email protected] or use the contact form.