This is the most common scenario that the owner of a wordpress website don’t know that their website is infected. In most cases they know it from hosting alert notification or from Google when they try to run a campaign and Google just say like this, “Disapproved: Malicious or unwanted software”

Malicious or unwanted software: To help ensure the safety and security of our users, we’ve disapproved your ad because it contains malicious software (malware) or because your landing page is known to host or distribute malware in violation of our policies. We strongly encourage you to investigate this issue immediately in order to protect yourself as well as your customers. To run your ad, follow these instructions to check your computer for malware, remove all malicious code from your ad and site, and submit your site and ads for review: https://support.google.com/adspolicy/answer/6020954#311″

Google certainly won’t tell you the exact issue or malicious external links, files path they found in the that message. You have to contact with Google to get the details.

Then Google will provide you some external links or files path may be…But don’t be so happy! You won’t be able to find out those links or files in your website so easily by scanning file system or database. Most of plugins, custom script are not able to identify those links.

That’s don’t mean that those links are not identifiable! Only security experts who working for wordpress security can identify the root of issue.
Just try yourself to find out and if you can’t, tell us! We will do it for you 🙂

In most cases the external links you are actually called by javascript. That script may be hidden at end of every post, pages, themes / plugins .js files or just in hacker’s uploaded files.

You can see the list of known malicious script and the injected / infected areas here. That may help you to recognize a malicous script and most common area of injection/ infection.

Script Injected in Infected files/Backdoor Date of Detection
[tcb-script type=”text/javascript” src=”https://is.gd/qlWAtZ”][/tcb-script] End of every post Shell in root directory 10.30.18
script src=”https:// db.allyouwant.online/main.js”> End of every post Every .js files on there server is infected 08.09.18
script src=”//go.oclasrv.com/apu.php?zoneid=1694479 wp-temp.php file wp-temp.php file 01.11.18
script src=”//fortpush.com/ntfc.php?p=1694481 wp-temp.php file wp-temp.php file 01.11.18