Help! My WordPress site is redirecting/opening windows to spam pages!

Websavers Inc

Today one of our techs was working on a website for one of our customers with Hands-On Support and came across a disturbing discovery: the website was opening a new window to a malvertising (malicious advertising) site. It would only happen on the first page load, and only when it registered a click on the page.

As part of our management service, we began executing a cleanup on the site. We’ve got a pile of processes for doing this, and all of them turned up… nothing. We checked with an antivirus tool, we used Sucuri’s SiteCheck, we used Wordfence, and then we manually reviewed a ton of files which are often targeted by attacks. Nothing turned up!

Next was to inspect the javascript files being loaded by the page, using the web inspector in my browser. I narrowed it down to: rhpop_1.1.42.js

That js file was loaded by hxxp:// clktag.com / adServe / banners?tid=SWTMPOP&tagid=2

That file was loaded by hxxp:// www.sweetcaptcha.com / api / v2/apps/csrf/24048

Wait a second.. Sweetcaptcha? That’s a plugin the site is using…

I disabled the plugin and the problem disappeared immediately. After doing a quick search, I found that SweetCaptcha had been hijacked and turned into a Spamvertising distribution tool.

So, if you’re getting these sort of malvertising popup windows, check to see if your site has Sweetcaptcha installed. If so, get rid of it!

Posted in ,

Allen Pooley

Allen is a self professed geek and technology lover. He's always playing with one of his various websites, and loves helping customers with theirs. He can often be found with a coffee (light roast, please) in his hand and a smile on his face... or trapped under a pile of yarn.
WS-Logo-only-image-large

About Websavers

Websavers provides web services like Canadian WordPress Hosting and VPS Hosting to customers all over the globe, from hometown Halifax, CA to Auckland, NZ.

If this article helped you, our web services surely will as well! We might just be the perfect fit for you.

Leave a Comment