It is apparently a 3-level deep obfuscation of some website redirection that failed, because Wordpress faithfully encoded it rather than inserting directly.
- hack1.js is the code that appears visually in the webpage.
- hack2.js is the content of variable
- hack3.js is the content of variable
- hack4.js is the content of variable
decthat gets executed via
(new Function(dec))();in hack3.js