How to Detect and Remove WordPress Site Redirect Hack

If you notice that your website starts redirecting users to unknown websites, it is likely it was hacked. WordPress site redirect hack is one of the most exploited attacks among WP hackers. It has different variations and symptoms that we will discuss in this post. 

WordPress site redirect hack is not a new type of attack in the WP world. However, it has significantly evolved, making it hard or impossible for website owners to detect it without using some WordPress redirect hacks.

Let’s consider the most common types of WordPress site redirect hacks and their symptoms:

• Classic redirection hack. It’s one of the most common WordPress redirect hacks that have been around for the longest time. It works like this: when someone visits your website, they are redirected to questionable URLs of pharma sites or websites with adult content. 
• Redirection via search results. When users open the URL address of a hacked website in Google search, they are taken to malicious web resources.
• Redirection based on devices people use for web browsing. In this case, the website redirects users only when they visit a website using a specific type of device, like only mobile-based or desktop-based visits. 
• Push notifications hack is one of the most recent and innovative WordPress site redirect hacks. It redirects website visitors to malicious sites using push notifications. 
• Redirects that work only for specific geographies. Geography-wise hackers can adjust malware redirects to be applied only to users that come to your website based on specific geographic locations. 

How Was Your Site Infected? 

There are dozens of methods attackers can use to perform WordPress site redirect hacks. Let’s consider some of the most common approaches.

• Stored Cross-site Scripting (XSS) in WordPress plugins and other vulnerabilities let hackers add malicious JavaScript code to websites. When a hacker finds out that that a plugin is vulnerable to XSS, they find all websites that use the plugin and attack them. 
• When a website is scanned for malware, more often than not security plugins ignore the .htaccess and wp-config.php files. Hackers put the malicious code in files to not find it unless you scroll a lot to the right. For example, WordPress sites redirecting visitors to pharma hacks commonly feature the malicious code stored in the.htaccess files, widely distinguished as a normal code. 
• Malicious code can be added to a WordPress site through JavaScript inserted in the site’s header or body. 
• Sometimes hackers create fake or ghost admin accounts to access wp-admin. When hackers become administrators on your site, they get full access to your site’s settings, sensitive data, and code. 

How to Scan WordPress Site for Malicious Redirects 

To scan your website for malicious code, you need to identify how your website was infected and what kind of malicious redirects it faces. Once identified, proceed to the steps described below. They will help you identify malicious code and remove it from your site.

Using WordPress malware scanners may be the fastest and easiest way to scan, find, and remove malicious code from your WordPress site. Plugins like Astra should come in handy for this purpose. Astra’s free Security Scanner will notify you if your website has any malicious code snippets. If you look forward to identifying and removing redirection hacks manually, the following hacks should come in handy for you. 

Running a file integrity check using WP-CLI, you can see if any malicious code has been added to your site’s core files. To verify WP core file integrity, take the following steps: 

1. Login to your server via SSH.
2. Install WP-CLI.
3. Change directory to the location of your WP site
   cd /var/www/html/
4. Use the “wp core version” command to check your current WordPress version.
5. Use the “wp core verify-checksums” command to get a list of files, which checksum doesn’t match the original WordPress release. Check the output of the command. If you find some warnings, it’s okay. If core files do not match checksums, you will need to replace your core files or restore a backup.

Using the Astra plugin, you can visually check the difference between the original CMS file and the actual file.

Hackers usually leave backdoors to get back to your WordPress site. These are commonly named legitimate files, which you can detect while running a manual search within your site’s file. You can search for such malicious PHP functions as eval, base64_decode, gzinflate, preg_replace, str_rot13, eval, etc. WordPress plugins use all these functions for legitimate reasons. Check twice before removing any of them so that you do not break your site accidentally. 

Login to your WordPress site’s admin area and check if any unknown administrators have been added. Hackers can add themselves as admins to your site to get access to your WordPress admin area and reinfect it after removing the redirection hack. If you find any such users, remove them immediately and change login credentials for all users who are allowed to access your site’s admin area. 

Check plugins and themes for vulnerabilities. Check the list of WordPress plugins installed on your site. If you notice any solutions that you have never added to your site, delete them straight away. For plugins that have updates available for installation, check if any security issues have been found recently. Check plugin files for backdoors and redirections, as we have previously discussed. 

You can also use tools like diff checker to compare your plugin files with their original versions. To compare, download the plugins installed on your website from the WordPress directory and match them against the solutions used on your site. 

Last but not least useful solution is to search databases for malicious links. For this, log in to phpMyAdmin or Adminer and search for such terms as <script>, eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Be very attentive and careful when you decide to bring any changes to the code because a simple typo or an extra space can break your site from loading the function properly. 

How to Remove Malicious Code from a Hacked WordPress Site

1. First of all, create a backup of the current version of your WordPress site, even if you feel like it’s been infected. 
2. Use the File Manager provided within cPanel or traditional methods such as (s)FTP or SSH to log in to your server and quarantine the malicious files. 
3. Identify the malicious code in the files stored on your site (as explained in the steps above) and remove the infected bits of files or the code. If you discover that the whole file was infected, delete it completely. 
4. If you find multiple files infected with the same bit of malicious code, use the find & sed Linux commands via SSH.
   
   Example:
   find /path/to/your/folder -name “.js” -exec sed -i “s//ReplaceWithMalwareCode*//n&/g” ‘{}’ ;
5. Purge the website cache after cleaning all files on your site.

Once you complete all steps described above, verify that your website no longer redirects your visitors to malicious sites. Browse your site in incognito mode for better verification.