
How to Detect and Remove Cryptominers from WordPress

Learn to identify, remove, and prevent cryptocurrency mining malware that hijacks your WordPress site and visitor resources.

Sarah Chen

Introduction

Cryptojacking attacks inject cryptocurrency mining scripts into WordPress sites, secretly using visitor CPU resources to mine digital currency. These attacks slow down websites, increase server costs, and damage visitor trust.

Understanding Cryptojacking Attacks

Attackers deploy mining scripts through several methods:

  • Compromised plugins/themes - Malicious code hidden in pirated software
  • Injected JavaScript - Scripts added to theme files or database
  • Malvertising - Mining code in third-party advertisements
  • Supply chain attacks - Compromised CDN libraries
  • Server-level miners - Background processes on hosting server

Signs Your Site Has a Cryptominer

Watch for these indicators of cryptojacking infection:

  • Visitor complaints about slow page performance
  • High CPU usage reported by hosting provider
  • Browsers flagging your site as dangerous
  • Increased bounce rate from slow loading
  • Unknown JavaScript files in your installation
  • Suspicious network requests to mining pools

Detecting Cryptomining Scripts

Use these methods to find hidden miners:

Search Theme Files

// Common cryptominer signatures
$miner_patterns = array(
    'coinhive',
    'cryptoloot',
    'coin-hive',
    'minero.cc',
    'webminepool',
    'cryptonight',
    'coinimp',
    'crypto-loot',
    'miner.start',
    'CoinHive.Anonymous',
);

function scan_for_miners($directory) {
    global $miner_patterns;
    $infected = array();

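    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($directory, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($files as $file) {
        // Only regular files with a .php or .js extension are read
        if ($file->isFile() &&
            in_array(strtolower($file->getExtension()), array('php', 'js'), true)) {
            $content = file_get_contents($file->getPathname());
            if ($content === false) {
                continue; // unreadable file, skip it
            }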
            foreach ($miner_patterns as $pattern) {
                if (stripos($content, $pattern) !== false) {
                    $infected[] = $file->getPathname();
                    break;
                }
            }
        }
    }

    return $infected;
}

Check for Obfuscated Code

// Detect base64 encoded miners
function detect_obfuscated_miners($content) {
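    // Look for suspicious base64 patterns: runs of 50+ base64 characters.
    // '#' is the regex delimiter because the character class contains '/'.
    preg_match_all('#[A-Za-z0-9+/]{50,}={0,2}#', $content, $matches);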

    foreach ($matches[0] as $encoded) {
        $decoded = base64_decode($encoded);
        if (stripos($decoded, 'miner') !== false ||
            stripos($decoded, 'cryptonight') !== false) {
            return true;
        }
    }

    return false;
}

Removing Cryptomining Malware

Follow these steps to clean an infected site:

Step 1: Identify Infected Files

// Compare files against clean WordPress
function compare_core_files() {
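    $version = get_bloginfo('version');
    $locale = 'en_US'; // locale of the installed core build; change it for a localized package
    $checksums_url = 'https://api.wordpress.org/core/checksums/1.0/?version='
        . rawurlencode($version) . '&locale=' . rawurlencode($locale);
    $response = file_get_contents($checksums_url);
    $checksums = ($response === false) ? null : json_decode($response, true);

    // Stop if the request failed or no checksums exist for this version
    if (!is_array($checksums) || empty($checksums['checksums']) ||
        !is_array($checksums['checksums'])) {
        return false;
    }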

    $modified = array();
    foreach ($checksums['checksums'] as $file => $hash) {
        $file_path = ABSPATH . $file;
        if (file_exists($file_path)) {
            if (md5_file($file_path) !== $hash) {
                $modified[] = $file;
            }
        }
    }

    return $modified;
}

Step 2: Clean Database

-- Search for miner scripts in posts
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%coinhive%'
   OR post_content LIKE '%cryptoloot%'
   OR post_content LIKE '%miner.start%';

-- Check options table
SELECT option_name, option_value
FROM wp_options
WHERE option_value LIKE '%coinhive%';
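
The queries above hard-code the `wp_` prefix and only a few signatures. The following added example (not part of the original article) runs the signature list from the file scan against posts, options and also post meta through `$wpdb`, which uses the site's real table prefix. It assumes it runs inside WordPress, for example with WP-CLI's `wp eval-file`; the function name `find_miner_rows` is hypothetical.

```php
<?php
// Added example: run inside WordPress, e.g. `wp eval-file find-miner-rows.php`.
// Read-only: it reports matching rows and changes nothing.

function find_miner_rows(array $patterns) {
    global $wpdb; // WordPress database object; knows the site's table prefix

    // table => array(id column, label column, searched column)
    $targets = array(
        $wpdb->posts    => array('ID', 'post_title', 'post_content'),
        $wpdb->postmeta => array('meta_id', 'meta_key', 'meta_value'),
        $wpdb->options  => array('option_id', 'option_name', 'option_value'),
    );

    $hits = array();
    foreach ($targets as $table => $cols) {
        list($id_col, $label_col, $search_col) = $cols;

        // One "column LIKE %s" clause per signature; values are bound by prepare().
        $where = array();
        $args  = array();
        foreach ($patterns as $pattern) {
            $where[] = "{$search_col} LIKE %s";
            $args[]  = '%' . $wpdb->esc_like($pattern) . '%';
        }

        $sql = "SELECT {$id_col} AS id, {$label_col} AS label
                FROM {$table}
                WHERE " . implode(' OR ', $where);

        foreach ($wpdb->get_results($wpdb->prepare($sql, $args)) as $row) {
            $hits[] = array('table' => $table, 'id' => $row->id, 'label' => $row->label);
        }
    }
    return $hits;
}

// Signature list copied from the file scan earlier in the article.
$signatures = array('coinhive', 'cryptoloot', 'coin-hive', 'minero.cc', 'webminepool',
                    'cryptonight', 'coinimp', 'crypto-loot', 'miner.start');

foreach (find_miner_rows($signatures) as $hit) {
    printf("%s #%d: %s\n", $hit['table'], $hit['id'], $hit['label']);
}
```

Review each reported row by hand before editing it: a security article stored in `wp_posts` that mentions one of these names will match too.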

Preventing Future Infections

Implement these preventive measures:

Content Security Policy

// Block unauthorized script sources
add_action('send_headers', function() {
    header("Content-Security-Policy: script-src 'self' https://trusted-cdn.com; connect-src 'self'");
});
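
An enforcing policy can break inline scripts that themes and plugins rely on, so it helps to observe it first. The following added example (not part of the original article) sends the same policy in report-only mode and logs the violations browsers report, which also surfaces blocked connections to unknown hosts. The route namespace `site-sec/v1` and the log prefix are assumptions; `https://trusted-cdn.com` is the article's placeholder.

```php
<?php
// Added example: report-only rollout of the policy shown above.

// 1. Report-only header: nothing is blocked, violations are reported.
add_action('send_headers', function () {
    $report_url = rest_url('site-sec/v1/csp-report'); // assumed route, registered below
    header(
        "Content-Security-Policy-Report-Only: " .
        "script-src 'self' https://trusted-cdn.com; " .
        "connect-src 'self'; " .
        "report-uri " . $report_url
    );
});

// 2. Receive the violation reports and log the fields that matter.
add_action('rest_api_init', function () {
    register_rest_route('site-sec/v1', '/csp-report', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // browsers send reports unauthenticated
        'callback'            => function (WP_REST_Request $request) {
            $body = $request->get_body();
            if (strlen($body) > 8192) { // ignore oversized bodies
                return new WP_REST_Response(null, 413);
            }
            $data   = json_decode($body, true);
            $report = is_array($data) && isset($data['csp-report']) && is_array($data['csp-report'])
                ? $data['csp-report'] : array();

            // Keep short, control-character-free values so log lines cannot be forged.
            $fields = array();
            foreach (array('document-uri', 'violated-directive', 'blocked-uri') as $key) {
                $value = isset($report[$key]) && is_string($report[$key]) ? $report[$key] : '';
                $fields[$key] = substr(preg_replace('/[\x00-\x1F\x7F]/', '', $value), 0, 300);
            }
            error_log('[csp-report] ' . wp_json_encode($fields));
            return new WP_REST_Response(null, 204);
        },
    ));
});
```

Once the log shows only expected sources, switch the header name to `Content-Security-Policy` to enforce the policy.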

Subresource Integrity

// Verify external script integrity
function add_sri_to_scripts($tag, $handle, $src) {
    $sri_hashes = array(
        'jquery' => 'sha384-...',
        'bootstrap' => 'sha384-...',
    );

    if (isset($sri_hashes[$handle])) {
        return str_replace(
            ' src=',
            ' integrity="' . $sri_hashes[$handle] . '" crossorigin="anonymous" src=',
            $tag
        );
    }

    return $tag;
}
add_filter('script_loader_tag', 'add_sri_to_scripts', 10, 3);
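
The `sha384-...` values above have to be computed from the exact bytes of each script. The following added example (not part of the original article) builds that value and re-checks pinned scripts on the server, so a changed CDN file is noticed by the site owner and not only blocked in visitors' browsers. It assumes it runs inside WordPress; the function names, the URL and the pinned value are placeholders.

```php
<?php
// Added example: compute SRI values and detect drift in pinned external scripts.

// Build the value that goes into integrity="..." from the script's bytes.
function sri_value($bytes) {
    return 'sha384-' . base64_encode(hash('sha384', $bytes, true)); // true = raw digest
}

// Fetch each pinned script and report the ones that no longer match their pin.
function check_pinned_scripts(array $pins) {
    $problems = array();
    foreach ($pins as $url => $pinned) {
        $response = wp_remote_get($url, array('timeout' => 10));
        if (is_wp_error($response)) {
            $problems[$url] = 'fetch failed: ' . $response->get_error_message();
            continue;
        }
        if (wp_remote_retrieve_response_code($response) !== 200) {
            $problems[$url] = 'unexpected HTTP status';
            continue;
        }
        $actual = sri_value(wp_remote_retrieve_body($response));
        if (!hash_equals($pinned, $actual)) {
            $problems[$url] = 'content changed, now ' . $actual;
        }
    }
    return $problems;
}

// Placeholder URL and pin; replace with the scripts and hashes you have reviewed.
$pins = array(
    'https://trusted-cdn.com/js/library.min.js' => 'sha384-PLACEHOLDER',
);
foreach (check_pinned_scripts($pins) as $url => $why) {
    error_log("[sri-check] {$url}: {$why}");
}
```

Pin versioned URLs only: a URL that serves "latest" changes legitimately and will fail both this check and the browser's integrity check.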

Server-Level Protection

  • Monitor server CPU usage for spikes
  • Block connections to known mining pools
  • Use security plugins with malware scanning
  • Keep all software updated

Conclusion

Cryptojacking attacks harm your visitors and your reputation. Regular scanning, Content Security Policy headers, and keeping software updated protect your WordPress site from becoming a cryptocurrency mining platform.

Written by Sarah Chen

WP Folder Shield Team
