How to Clean tagDiv Composer Malware

According to the PublicWWW engine, there are approximately 81513 sites using the Newspaper theme and tagDiv plugin, and more than 4600 sites still show signs of contamination.


Try our Free site check.

How to clean a website affected by tagDiv and Newspaper vulnerabilities.

  1. Back up the infected site, including the database and web files. Keep everything, including any suspicious files.
  2. Restore core files, plugins and themes manually, one by one, without using any files from the backup: start fresh. You may restore wp-config.php after a quick check.
  3. Make sure the /uploads/ folder is malware-free: look for .php and .zip files.
  4. Once you have a working WordPress site again, check the dashboard and remove any suspicious admin users.
  5. Back up and review the wp_options table, which should include obfuscated code. Find and remove any malicious injection.
  6. Request a reindex via Google Search Console.
  7. Apply all available security updates and use PHP version 7.4 or greater.
  8. Use Search Replace DB ver. 4.1.3 to replace malicious code inside wp_options.
  9. Scan all the sites hosted on the same server for cross-site contamination. If other sites are affected, isolate them and repeat the cleanup process for each.
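A read-only triage sketch for steps 3, 5 and 9, added here as an example and not Magefix's own tooling: it flags .php/.zip files under uploads and the wp-zexit / wp-swamp plugin folders listed further down this page, and decodes String.fromCharCode runs in a wp_options value that contains tdw-css-placeholder. The function names, the sample option value and the assumption that the option value has been exported to text are constructed for illustration.

```python
import os
import re

# Indicators below come from this page; function names are illustrative.
BAD_PLUGIN_DIRS = {"wp-zexit", "wp-swamp"}
UPLOAD_EXTS = (".php", ".zip")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")

# Constructed sample of an exported wp_options value (decodes to "constructed").
SAMPLE_OPTION = ('<style id="tdw-css-placeholder"></style><script>'
                 'String.fromCharCode(99,111,110,115,116,114,117,99,116,101,100)'
                 '</script>')


def scan_files(wp_root):
    """Return sorted paths, relative to wp_root, that need manual review."""
    hits = []
    for base, dirs, files in os.walk(os.path.join(wp_root, "wp-content")):
        rel = os.path.relpath(base, wp_root)
        parts = rel.split(os.sep)
        # Plugin folders this page lists as malicious.
        if parts == ["wp-content", "plugins"]:
            hits += [os.path.join(rel, d) for d in dirs if d in BAD_PLUGIN_DIRS]
        # PHP scripts and archives do not belong under uploads (step 3).
        if parts[:2] == ["wp-content", "uploads"]:
            hits += [os.path.join(rel, f) for f in files
                     if f.lower().endswith(UPLOAD_EXTS)]
    return sorted(hits)


def decode_charcodes(option_value):
    """Decode String.fromCharCode(...) runs so the payload can be read."""
    if "tdw-css-placeholder" not in option_value:
        return []  # not the injection point described on this page
    decoded = []
    for match in CHARCODE_RE.finditer(option_value):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


if __name__ == "__main__":
    print(decode_charcodes(SAMPLE_OPTION))
    for path in scan_files("."):  # run from the WordPress root
        print("review:", path)
```

Every hit is a lead for manual review against the backup from step 1, not a verdict; the script changes nothing on disk.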

If you seek professional help with cleanup and security updates, check our Platinum plan.

Malicious URLs:

Malicious IPs: 80.66.79[.](247|253), Hyper Hosting SRL (AS44477)

Malicious subdomains

Other domains used to inject malware inside the “tdw-css-placeholder” section. All are blacklisted by Sucuri Labs.

fromCharCode obfuscated code inside tdw-css-placeholder:

Malicious files & plugin folders: wp-zexit, wp-swamp, wp-admin/js/custom-header.js, wp-includes/script-loader.js, wp-includes/js/wp-custom-header.js



SiteCheck Sucuri
Malware Found, Known javascript malware: malware.injection?35.54
Known malware: malware.injection?35.59
Resource from a blacklisted domain



How this malware works:

Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins

Twitter @500mk500

Decoded malware
