What is Iframe Injection?

A couple of weeks ago I mentioned howmemwg.com had been flagged by Google as being a “bad” site because it was hosting “malware”. This wasn’t something I had done, the site was subject to aniframe injection. It took me a while to find and fix the problem, but since I’ve had some questions about iframe injections here is a quick and dirty guide to dealing with them.

The “iframe” Tag

The <iframe> tag is an HTML tag used to seamlessly embed content from another page or site. (The “i” in “iframe” stands for “invisible”, i.e. “invisible frame”.) IFrames are used on thousands and thousands of sites, because that’s what Google uses for its AdSense ads — the little bit of JavaScript you paste on your page eventually ends up inserting an <iframe> into the HTML of your page.

Like most useful things, IFrames can be used for good or for bad.


An injection is something inserted by a third party into a website. The most common kind of injection is a “SQL injection”, which is an injection into a database (SQL is the language commonly used to program and access databases… many people pronounce it as “sequel“, by the way, which is why I say “a SQL injection” as opposed to “an SQL injection”.)

Most injections are SQL injections. If a website developer isn’t careful, they can easily leave backdoors open that nefarious types can use to insert random data into a database… or even worse do things like wipe out the database.

WordPress blogs are ripe for iframe injections, since they’re backed by a database…

IFrame Injections

An iframe injection is an injection of one or more iframe tags into a page’s content. The iframe typically does something bad, such as downloading an executable application that contains a virus or worm in it… something that compromises a visitor’s system.

If you have a very recent browser (like Firefox 2) then iframe injections aren’t really a worry — these browsers are smart enough not to automatically download and run applications without your permission. But older browsers are more trusting.

Finding IFrame Injections

To find iframe injections, look through the HTML your web server is sending. Open a page in your browser and then use the browser’s “view source” option to see the HTML. Look for <iframe> tags. Injections usually insert iframes that point to raw IP addresses (something like “″) instead of domain names. Treat these as suspicious.

Once you’ve found an iframe and have determined that it’s not legitimate, you have to remove it from the page or database it’s coming from. On a WordPress blog you simply edit the page in question and look for the &lgt;iframe> and remove it.

That’s pretty much it. Keeping your WordPress (or other database-backed software) up-to-date with the latest fixes is the best way to avoid these kinds of problems.

Was this answer helpful?

 Print this Article

Also Read

Do you allow Bulk Mail sending?

We strictly do not allow the Bulk Mail sending, we will categorize the bulk mail sending as...

What is phising?

phishing is the criminally fraudulent process of attempting to acquire...

What is XSS (cross-site Scripting)?

Cross-site scripting (XSS) is a type of computer...

Suggestion how to stop spam emails to your email account

1. You can enable SPF records (by default it has been enabled automatically)2. You can set the...

What is SQL Injection? and How to Prevent it?

SQL injection is a code injection technique that exploits a security...