How to Clean hook_csssss Malware &

The recent WordPress infections, might’ve affected more than 1000 websites in the first day. According to PublicWWW, 2480 web pages show signs for this contamination.

MAGEFIX SecurityMalware cleanup & protection

Try our Free site check.

The first visible infected files are wp-blog-header.php and functions.php. To address the malware contamination clean these two files. Afterwards, core files, themes, and plugins need to be carefully analyzed and cleaned.

Review user accounts with admin rights, look for wpx username or [email protected] email address.
Find and delete “wp-felody” folder.
Review “Custom JS” section & make sure the WordPress Popup Builder plugin is up to date – versions less than 4.2.3 are vulnerable to Cross Site Scripting (XSS).

Malicious URLs:





Sucuri Sitecheck
Malware Found, Known javascript malware: malware.injection?35.62


<script id="sgpb-custom-script-YYY">jQuery(document).ready(function(){sgAddEvent(window, "YYYY"));};});});</script>


Malicious code found inside wp-felody.php, wp-blog-header.php

function hook_csssss() { echo '<script></script>

Malicious content is hidden, wrap text is necessary.

Malicious Javascript

Relevant articles:

Thousands of Sites with Popup Builder Compromised by Balada Injector

Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin

Try our Free site check.