This is the most common scenario that the owner of a wordpress website don’t know that their website is infected. In most cases they know it from hosting alert notification or from Google when they try to run a campaign and Google just say like this, “Disapproved: Malicious or unwanted software”

Malicious or unwanted software: To help ensure the safety and security of our users, we’ve disapproved your ad because it contains malicious software (malware) or because your landing page is known to host or distribute malware in violation of our policies. We strongly encourage you to investigate this issue immediately in order to protect yourself as well as your customers. To run your ad, follow these instructions to check your computer for malware, remove all malicious code from your ad and site, and submit your site and ads for review:″

Google certainly won’t tell you the exact issue or malicious external links, files path they found in the that message. You have to contact with Google to get the details.

Wait for Google ads support to write you back! They will provide you some external links or files path may be…But don’t be so happy! You won’t be able to find out those links or files in your website so easily by scanning file system or database. Most of plugins, custom script are not able to identify those links.

That’s don’t mean that those links are not identifiable! Only security experts who working for wordpress security can identify the root of issue.
Just try yourself to find out and if you can’t, tell us! We will do it for you 🙂 (But that cost! sorry about that 🙁 )

In most cases the external links you are actually called by javascript. That script may be hidden at end of every post, pages, themes / plugins .js files or just in hacker’s uploaded files.

Take a look below, we gathered some sample for you that may help you to figure it out! List of known malicious script and the injected / infected areas here. That may help you to recognize a malicious script and most common area of injection/ infection.

ScriptInjected inInfected files/BackdoorDate of Detection
[tcb-script type=”text/javascript” src=””][/tcb-script]End of every postShell in root directory10.30.18
script src=”https://”>End of every postEvery .js files on there server is infected08.09.18
script src=”// filewp-temp.php file01.11.18
script src=”// filewp-temp.php file01.11.18