Title: Injected code; can't remove
Last modified: August 22, 2016

---

# Injected code; can't remove

 *  [carolemagouirk](https://wordpress.org/support/users/carolemagouirk/)
 * (@carolemagouirk)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/)
 * Hello,
 * I have this code below my body element:
 *     ```
       <script type="text/javascript">
       //<![CDATA[
       try{(function(a){var b="http://",c="carolemagouirk.com",d="/cdn-cgi/cl/",e="img.gif",f=new a;f.src=[b,c,d,e].join("")})(Image)}catch(e){}
       //]]>
       </script>
       ```
   
 * I’ve disabled all of my plugins and checked my functions file, but it doesn’t
   go away and apparently, I’m the first person in google history to have this problem.
 * Any help would be greatly appreciated. I’m completely lost here. 🙁

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [jack randall](https://wordpress.org/support/users/theotherlebowski/)
 * (@theotherlebowski)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949020)
 * what plugins/theme are you using?
 *  Thread Starter [carolemagouirk](https://wordpress.org/support/users/carolemagouirk/)
 * (@carolemagouirk)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949068)
 * Akismet
    Compress JPEG & PNG images (TinyPNG) Gallery Carousel Without JetPack
   W3 Total Cache WordPress SEO WP-Optimize
 *  [jack randall](https://wordpress.org/support/users/theotherlebowski/)
 * (@theotherlebowski)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949072)
 * i could be wrong but after a brief look about on the google it looks like CDATA[
   type stuff is used to make certain characters and strings usable in scripts where
   the script would normally interpret them as something else.
 * it looks like it’s doing something with your URL, capturing the http:// your 
   domain name, an image server location and an image source and bunging them all
   together. given all of that i have a sneaking feeling that it has something to
   do with the Gallery Carousel Without JetPack plugin, as this is a forked/hacked
   version of jetpack so it might be being forced to do things it’s not meant to(
   and as such may need to use some specialist code to make things available to 
   it’s main script…)
 * just for a quick test go back to the default theme and see if that gets rid of
   it and if not, try renaming the Gallery Carousel Without JetPack plugin folder
   on the server to see if it goes away after that…
 *  Thread Starter [carolemagouirk](https://wordpress.org/support/users/carolemagouirk/)
 * (@carolemagouirk)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949074)
 * Still there after switching to Twenty-fifteen, deactivating all plugins, and 
   deleting Gallery Carousel Without JetPack.
 * This and the fact that I can’t find more info about it leads me to believe it
   has to do with my hosting provider.
 * Thank you very much for your help. 🙂
 *  [denisotugo](https://wordpress.org/support/users/denisotugo/)
 * (@denisotugo)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949248)
 * got it in my site too, found it through google pagespeed.
    i think its a new 
   hack in wordpress
 *  [denisotugo](https://wordpress.org/support/users/denisotugo/)
 * (@denisotugo)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949249)
 * it your cloudflare scrape settings {SOLVED}
 *  Thread Starter [carolemagouirk](https://wordpress.org/support/users/carolemagouirk/)
 * (@carolemagouirk)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949257)
 * Hello denisotugo,
 * Can you be more specific about which cloudflare setting you changed to remove
   the javascript?
 * I turned on debug and also tried pausing cloudflare, but neither removed the 
   code which leads me to believe cloudflare is not the problem.
 * Thank you.
 *  [denisotugo](https://wordpress.org/support/users/denisotugo/)
 * (@denisotugo)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949263)
 * scrapeshield in the cloudflare apps for the domain that is having the problem.
   
   off all the settings then purge cache
 *  Thread Starter [carolemagouirk](https://wordpress.org/support/users/carolemagouirk/)
 * (@carolemagouirk)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949266)
 * Huzzah! Cheers to you!
 * I can confirm this solution works. Specifically, the “Page Content Protection”
   option under the ScrapeShield app was the culprit.
 * Thank you very much for the expert detective work, denisotugo!

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘Injected code; can't remove’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 9 replies
 * 3 participants
 * Last reply from: [carolemagouirk](https://wordpress.org/support/users/carolemagouirk/)
 * Last activity: [11 years, 1 month ago](https://wordpress.org/support/topic/injected-code-cant-remove/#post-5949266)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics