Help! My WordPress site is redirecting/opening windows to spam pages!
Today one of our techs was working on a website for one of our customers with Hands-On Support and came across a disturbing discovery: the website was opening a new window to a malvertising (malicious advertising) site. It would only happen on the first page load, and only when it registered a click on the page.
As part of our management service, we began executing a cleanup on the site. We’ve got a pile of processes for doing this, and all of them turned up… nothing. We checked with an antivirus tool, we used Sucuri’s SiteCheck, we used Wordfence, and then we manually reviewed a ton of files which are often targeted by attacks. Nothing turned up!
Next was to inspect the JavaScript files being loaded by the page, using the web inspector in my browser. I narrowed it down to: rhpop_1.1.42.js
That JS file was loaded by hxxp:// clktag.com / adServe / banners?tid=SWTMPOP&tagid=2
That file was loaded by hxxp:// www.sweetcaptcha.com / api / v2/apps/csrf/24048
Wait a second... Sweetcaptcha? That’s a plugin the site is using…
I disabled the plugin and the problem disappeared immediately. After doing a quick search, I found that SweetCaptcha had been hijacked and turned into a Spamvertising distribution tool.
So, if you’re getting these sorts of malvertising popup windows, check to see if your site has Sweetcaptcha installed. If so, get rid of it!
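The "loaded by" tracing described above can be automated. This is an added example, not code from the original post: it walks the `_initiator` field that Chrome DevTools writes into a HAR export of the Network panel, from the popup script back to the third-party URL the page itself pulled in. The sample HAR and every host in it are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample in the shape of a Chrome DevTools HAR export (trimmed).
// All hosts are placeholders, not the domains named in the article.
const sampleHar = { log: { entries: [
  { request: { url: "https://site.example/" }, _initiator: { type: "other" } },
  { request: { url: "https://captcha-vendor.example/api/v2/apps/csrf/1" },
    _initiator: { type: "parser", url: "https://site.example/" } },
  { request: { url: "https://adnet.example/adServe/banners?tagid=2" },
    _initiator: { type: "script", stack: { callFrames: [
      { functionName: "", url: "https://captcha-vendor.example/api/v2/apps/csrf/1" }] } } },
  { request: { url: "https://adnet.example/js/pop_1.0.js" },
    _initiator: { type: "script", stack: { callFrames: [],
      parent: { callFrames: [{ url: "https://adnet.example/adServe/banners?tagid=2" }] } } } },
] } };

// URL of the resource that caused this request, or null for a navigation.
function initiatorUrl(entry) {
  const init = entry._initiator || {};
  if (init.url) return init.url;               // e.g. a parser-inserted <script>
  for (let s = init.stack; s; s = s.parent) {  // follow async parent stacks too
    const frame = (s.callFrames || []).find((f) => f.url);
    if (frame) return frame.url;
  }
  return null;
}

// Walk from the first request whose URL contains `needle` back to the page.
function traceChain(har, needle) {
  const entries = har.log.entries;
  const byUrl = new Map(entries.map((e) => [e.request.url, e]));
  const start = entries.find((e) => e.request.url.includes(needle));
  const chain = [];
  let url = start ? start.request.url : null;
  while (url && !chain.includes(url)) {        // stop on initiator loops
    chain.push(url);
    const entry = byUrl.get(url);              // missing if not in the capture
    url = entry ? initiatorUrl(entry) : null;
  }
  return chain;
}

// The outermost third-party URL in the chain: the one to match to a plugin.
function thirdPartyEntryPoint(chain, siteHost) {
  const external = chain.filter((u) => new URL(u).hostname !== siteHost);
  return external.length ? external[external.length - 1] : null;
}

const chain = traceChain(sampleHar, "pop_");
console.log(chain.join("\n  <- "));
console.log("entry point:", thirdPartyEntryPoint(chain, "site.example"));
```

Capture the HAR with the cache disabled and after reproducing the click, since the popup only fired on the first page load.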
About Websavers
Websavers provides web services like Canadian WordPress Hosting and VPS Hosting to customers all over the globe, from hometown Halifax, CA to Auckland, NZ.