Forum Moderators: rogerd & travelin cat


Redirect Virus got clicked on my website

unusual clicks on my website

         

Nazhahp

11:20 am on Jul 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi guys, hope you are doing fine. I have noticed unusual clicks in my website traffic report regarding an internal link that refers to one of the Moroccan eCommerce websites, but the problem is I didn't implement that link within any post on my site.

Since I worry about my site and visitors' security, I did some research and I found that this kind of redirect is usually caused by adware installed on the computer. These adware programs are bundled with other free software that you download off of the Internet.

Once this malicious program is installed, whenever you browse the Internet, unwanted advertisements will pop up on web pages that you visit (this is what happened today with two of my website visitors).

These ads are aimed to promote the installation of additional questionable content including web browser toolbars, optimization utilities and other products, all so the adware publisher can generate pay-per-click revenue. This is totally against the Terms of Use of AdSense, that's why I removed the ad units from my site until I find a solution to this issue.

What should I do to prevent such activity on my website?
To whom should I report such activity, knowing that the virus redirect is installed on the visitor's computer?


Kind Regards!


[edited by: not2easy at 1:20 pm (utc) on Jul 30, 2017]
[edit reason] (no reviews - ToS) [/edit]

not2easy

1:48 pm on Jul 30, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It could be that your site has been hacked. Google offers help on how to find out if your site has been compromised and what to do about it: [support.google.com...]

WordPress sites are common targets because they are so easy to use for inexperienced new webmasters. There are several steps you can take to protect your WP site. I would concentrate first on finding and resolving the problem because it can result in your site being removed from the SERPs to prevent harming others. It can take time to get it approved again. Removing your AdSense ads was a smart thing to do.

TorontoBoy

2:42 pm on Jul 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



It sounds like possibly a cross-site scripting (XSS) issue, but I could be wrong. There are many WP XSS vulnerabilities that could allow popup windows and more. In fact, XSS vulnerabilities are very common on web sites. I would run your WP site name through a WP scanner such as wpscans.com and see if you have a vulnerability.

You might also consider implementing a Content Security Policy (CSP) in your header. This basically whitelists all the sites that should be included within your website. The client browser will look at your CSP, and if there is a site that is not explicitly stated, such as your Moroccan site, it therefore does not load it, i.e. no popups. While not difficult to install on WP, the CSP can be very detailed to implement, as if you forget to whitelist someone that you need, their content will not appear on your site! All 3rd-party content embedded into your site, such as Google site translation, is denied as unsafe.

I do not know how a CSP would be affected by your AdSense plan.

If your clients' PCs are infected with adware, there's not much you can do. They need to fix the problem. Do these two clients experience ads when viewing other sites, or when they are not using the internet? Just ensure that your site is not sending out these ads.

[edited by: TorontoBoy at 2:47 pm (utc) on Jul 30, 2017]
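Added example, not part of any post in this thread: one way to handle the "forgot to whitelist someone" problem described above is to send the policy as a `Content-Security-Policy-Report-Only` header first and summarize the violation reports that browsers submit. The hostnames, the sample reports and the function names below are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies, in the JSON shape browsers POST to a report-uri endpoint.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://blog.example/a", "violated-directive": "script-src", "blocked-uri": "https://translate.example/element.js"}}',
    '{"csp-report": {"document-uri": "https://blog.example/b", "violated-directive": "script-src", "blocked-uri": "https://translate.example/element.js"}}',
    '{"csp-report": {"document-uri": "https://blog.example/a", "violated-directive": "script-src \'self\'", "blocked-uri": "https://shop.example/promo.js"}}',
    '{"csp-report": {"document-uri": "https://blog.example/a", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    'not json at all',
]

def blocked_origin(uri):
    """Reduce a blocked-uri to scheme://host; keep keywords such as 'inline'."""
    parts = urlsplit(uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return uri or "(empty)"

def summarize(raw_reports, expected_origins):
    """Count violations per (directive, origin), split by whether the origin
    is one the site owner knowingly embeds."""
    counts = Counter()
    for raw in raw_reports:
        try:
            body = json.loads(raw)["csp-report"]
            # Older browsers put the whole directive text in violated-directive.
            directive = (body.get("effective-directive")
                         or body.get("violated-directive") or "unknown").split()[0]
            origin = blocked_origin(body.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # the endpoint is unauthenticated, so skip malformed bodies
        counts[(directive, origin)] += 1
    known = {k: n for k, n in counts.items() if k[1] in expected_origins}
    unexpected = {k: n for k, n in counts.items() if k[1] not in expected_origins}
    return known, unexpected

if __name__ == "__main__":
    known, unexpected = summarize(SAMPLE_REPORTS, {"https://translate.example"})
    print("add to the allow-list before enforcing:", known)
    print("investigate before allowing:", unexpected)
```

Origins in the first group are embeds the policy would break once enforced; content injected in a visitor's browser can also produce reports, so an unexpected origin needs checking against the page source before it is treated as a site compromise.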

Nazhahp

5:31 pm on Jul 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Hi guys, thank you for your answers.

I have security plugins installed on my website and all the scans show that there is no security issue.

No malicious JavaScript
No malicious iFrames
No suspicious redirections
No blackhat SEO spam
No anomaly detection

I think this is a client-side issue and there is nothing much I can do to prevent the issue since my site core is totally clean.

Guys I am confused, any recommendation pleaaaaase?

not2easy

5:58 pm on Jul 30, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



If your site has no issues, you can't "do" much about it. People have been downloading malware as long as there has been a public internet. Have you researched your plugins [wpvulndb.com] and kept everything up to date? Have you viewed your directories to ensure there are no new files that you did not upload? Once you are sure your site is clean, that is the extent of your involvement.

Nazhahp

6:47 pm on Jul 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Yes! The plugins, the theme and WordPress are up to date.

Sucuri says "We identified that some of your WordPress core files were modified. That might indicate a hack or a broken file on your installation."


Here are the modification details:

PHP Version: 5.6.30
Version: 4.8
Running on: nginx/1.12.1
Powered by: W3
Wordpress Version 4.7.x/4.8 based on: site-doamin/wp-admin/js/editor-expand.js


WordPress Integrity (1)

File Size : (green Flag) 43.93K
Modified : At July 30, 2017 6:36 pm
File Path : wp-admin/error_log


It is worth mentioning that whenever I delete the file, it comes back again.

What should I do?

TorontoBoy

6:51 pm on Jul 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



Around 70% of all vulnerabilities are your plugins. That a plugin is telling you that all is OK is, well, not that credible. But this is your site. I use 3rd-party tools that use the wpvulndb database. WP security is much more complex than just installing yet another plugin.

Nazhahp

7:11 pm on Jul 30, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



What should I do, sir?

not2easy

10:09 pm on Jul 30, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



See what error is shown in the error_log. It keeps recreating itself because it has an additional error to show you. If you download the file and rename it to error_log.txt you should be able to read it in a decent text editor.

lucy24

2:29 am on Jul 31, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you download the file and rename it to error_log.txt

Or just tell your computer that anything with the .log extension should be opened in {text editor of your choice}.

keyplyr

2:59 am on Jul 31, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Sounds like it's not at your site, but on your computer. You likely downloaded malware to your local machine. Run your antivirus and/or malicious software program and see what it turns up.

Nazhahp

4:33 pm on Jul 31, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



No viruses are detected on my local machine, but there are so many tracking cookies, and most of them are ad cookies.

To scan my site I used Malwarebytes, HitmanPro, Norton Security Scan and Zemana AntiMalware.

It seems that everything's fine since I deleted the tracking cookies and prevented them from being installed on my computer. As a result, WP stats stopped recording clicks from such redirect viruses in the last 12 hours.

I will keep you updated.