@coxie – thanks for that addition! That was really helpful.
I was still seeing the issue after removing the malicious ‘wp-felody’ plugin. It wasn’t until I’d checked our pop-up code that we spotted the malicious CSS additions there.
The site had a one-time-only, home page pop-up, and as a result, the redirect was only happening intermittently, the first time someone went onto the home page. On next page view, the pop-up wouldn’t load and the malicious redirect CSS wasn’t triggered.
Additionally, I found that it was only happening for iPhone Safari users, so I had to use BrowserStack to replicate the issue as I’m on Android & Windows devices.
Our full list of fix tasks was:
- Scan for vulnerabilities using Wordfence.
- Remove the ‘wp-felody’ plugin completely.
- Check all pop-ups and remove any unexpected additional CSS/JS.
- Test using BrowserStack free version to check other device types.
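
An added example, not part of the original post: one way to run the "check all pop-ups" step over exported pop-up markup, listing inline `<style>`/`<script>` blocks, event-handler attributes and URLs pointing at hosts outside an allowlist so each can be reviewed by hand. `ALLOWED_HOSTS`, `audit_popup` and the sample markup are constructed for illustration and would need to be replaced with the site's own values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads assets from.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Absolute or scheme-relative URLs inside attributes, CSS or JS text.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"()<>]+""", re.I)

class PopupAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (where, kind, detail) tuples for manual review
        self._in = None      # "script" or "style" while inside that element

    def _check_urls(self, where, text):
        for url in URL_RE.findall(text or ""):
            host = urlparse(url).hostname
            if host and host not in ALLOWED_HOSTS:
                self.findings.append((where, "external-url", host))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in = tag
            self.findings.append((tag, "inline-block", ""))
        for name, value in attrs:
            if name.startswith("on"):            # onclick, onload, ...
                self.findings.append((tag, "event-handler", name))
            if name in ("src", "href", "style", "action"):
                self._check_urls(f"{tag}[{name}]", value)

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in:                             # CSS or JS body text
            self._check_urls(self._in, data)

def audit_popup(html):
    parser = PopupAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a pop-up with an extra <style> block nobody remembers adding.
SAMPLE_POPUP = """<div class="popup"><h2>Newsletter</h2>
<img src="https://www.example.com/banner.png">
<style>.popup{background:url(//cdn.unknown-host.test/x.css)}</style>
<a href="https://example.com/signup" onclick="track()">Sign up</a></div>"""
```

Anything it reports is a prompt to compare the pop-up against a known-good copy, not proof of compromise.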