How to Detect and Remove WordPress Site Redirect Hack

If you notice that your website has started redirecting users to unknown websites, it has likely been hacked. The WordPress site redirect hack is one of the attacks WP hackers use most often. It has different variations and symptoms that we will discuss in this post.

The WordPress site redirect hack is not a new type of attack in the WP world. However, it has evolved significantly, making it hard or impossible for website owners to detect without knowing a few detection techniques.

Let’s consider the most common types of WordPress site redirect hacks and their symptoms:

  • Classic redirection hack. It’s one of the most common WordPress redirect hacks that have been around for the longest time. It works like this: when someone visits your website, they are redirected to questionable URLs of pharma sites or websites with adult content. 
  • Redirection via search results. When users open a hacked website's link from Google search results, they are taken to malicious web resources.
  • Redirection based on the device people use for web browsing. In this case, the website redirects users only when they visit it from a specific type of device, for example only mobile or only desktop visitors.
  • Push notifications hack is one of the most recent and innovative WordPress site redirect hacks. It redirects website visitors to malicious sites using push notifications.
  • Redirects that work only for specific geographies. Hackers can adjust malware redirects so that they apply only to users who come to your website from specific geographic locations.

How Was Your Site Infected? 

Attackers can use dozens of methods to perform WordPress site redirect hacks. Let’s consider some of the most common approaches.

  • Stored Cross-site Scripting (XSS) in WordPress plugins and other vulnerabilities let hackers add malicious JavaScript code to websites. When a hacker finds out that a plugin is vulnerable to XSS, they find all websites that use the plugin and attack them. 
  • When a website is scanned for malware, security plugins often ignore the .htaccess and wp-config.php files. Hackers place malicious code in these files so that you will not find it unless you scroll far to the right. For example, the pharma hacks that redirect WordPress site visitors commonly store their malicious code in the .htaccess file, disguised as normal code.
  • Malicious code can be added to a WordPress site through JavaScript inserted in the site’s header or body. 
  • Sometimes hackers create fake or ghost admin accounts to access wp-admin. Hackers who become administrators on your site get full access to your site’s settings, sensitive data, and code. 

How to Scan WordPress Site for Malicious Redirects 

To scan your website for malicious code, you need to identify how it was infected and what kind of malicious redirects it faces. Once identified, proceed to the steps described below. They will help you identify malicious code and remove it from your site.

Using WordPress malware scanners may be the fastest and easiest way to scan, find, and remove malicious code from your WordPress site. Plugins like Astra should come in handy for this purpose. Astra’s free Security Scanner will notify you if your website has any malicious code snippets. If you prefer to identify and remove redirection hacks manually, the following techniques should come in handy.

Running a file integrity check using WP-CLI, you can see if any malicious code has been added to your site’s core files. To verify WP core file integrity, take the following steps: 

  1. Log in to your server via SSH.
  2. Install WP-CLI.
  3. Change directory to the location of your WP site:
    cd /var/www/html/
  4. Use the “wp core version” command to check your current WordPress version.
  5. Use the “wp core verify-checksums” command to get a list of files whose checksums don’t match the original WordPress release. Check the output of the command. If you find some warnings, it’s okay. If core files do not match checksums, you must replace your core files or restore a backup.

Using the Astra plugin, you can visually check the difference between the original and actual CMS files.

Hackers usually leave backdoors to get back into your WordPress site. These are commonly named like legitimate files, and you can detect them by running a manual search within your site’s files. You can search for such PHP functions as eval, base64_decode, gzinflate, preg_replace, str_rot13, etc. WordPress plugins also use all these functions for legitimate reasons. Check twice before removing any of them so you do not accidentally break your site.
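
One way to run this search over SSH, together with a check for the code pushed far to the right in .htaccess and wp-config.php mentioned earlier, as an added example that is not part of the original article. The function names, the 40-blank threshold and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Hits are leads to review by hand:
# plugins call these functions for legitimate reasons too.
FUNCS='eval|base64_decode|gzinflate|preg_replace|str_rot13'

# Print "file:line" for every call to one of the functions above in PHP files.
scan_php_functions() {
    find "$1" -type f -name '*.php' -exec \
        grep -EHn "(^|[^[:alnum:]_])(${FUNCS})[[:space:]]*\\(" {} + | cut -d: -f1,2
}

# Print "file:line" where visible text follows a run of 40+ blanks, i.e.
# code pushed off-screen to the right in .htaccess or PHP files.
scan_padded_lines() {
    find "$1" -type f \( -name '.htaccess' -o -name '*.php' \) -exec \
        grep -EHn '[[:blank:]]{40,}[^[:space:]]' {} + | cut -d: -f1,2
}

# Build a small constructed tree to try the scanners on; prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    pad=$(printf '%60s' '')
    printf '<?php\ndefine("DB_NAME", "wp");%s@eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' "$pad" > "$d/wp-config.php"
    printf 'RewriteEngine On\n%sRewriteRule ^ http://redirect.example/ [R=302,L]\n' "$pad" > "$d/.htaccess"
    printf '<?php\n$medieval = retrieval("x");\necho "clean";\n' > "$d/clean.php"
    echo "$d"
}

# Usage: sh scan.sh /var/www/html
if [ -n "${1:-}" ]; then
    scan_php_functions "$1"
    scan_padded_lines "$1"
fi
```

Open each reported file at the reported line with line wrapping enabled so that the padded content is visible.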

Log in to your WordPress site’s admin area and check if any unknown administrators have been added. Hackers can add themselves as admins to your site to get access to your WordPress admin area and reinfect it after you remove the redirection hack. If you find any such users, remove them immediately and change login credentials for all users who can access your site’s admin area.

Check plugins and themes for vulnerabilities. Check the list of WordPress plugins installed on your site. If you notice any plugins you have never added to your site, delete them immediately. For plugins that have updates available for installation, check if any security issues have been found recently. Check plugin files for backdoors and redirections, as we have previously discussed.

You can also use tools like diff checker to compare your plugin files with their original versions. To compare, download the plugins installed on your website from the WordPress directory and match them against the copies used on your site.
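
The same comparison can be done on the server. The script below is an added example, not part of the original article; the function names, report labels and constructed sample directories are assumptions, and it expects a freshly downloaded copy of the same plugin version.

```shell
#!/bin/sh
# Added example (not from the article): compare an installed plugin or theme
# directory with a freshly downloaded copy of the same version.

# compare_trees <pristine_dir> <installed_dir>
# ADDED    = only in the installed copy (review first: possible backdoor)
# MODIFIED = content differs from the original release
# MISSING  = in the original release but not installed
compare_trees() {
    ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then
            echo "ADDED ${f#./}"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
    ( cd "$1" && find . -type f | sort ) | while IFS= read -r f; do
        [ -f "$2/$f" ] || echo "MISSING ${f#./}"
    done
}

# Constructed sample: a pristine plugin and an "installed" copy with one
# changed file and one extra file. Prints the parent directory.
make_sample_plugins() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pristine/inc" "$d/installed/inc"
    printf '<?php // plugin main\n' > "$d/pristine/plugin.php"
    printf '<?php // helpers\n'     > "$d/pristine/inc/helpers.php"
    cp "$d/pristine/plugin.php" "$d/installed/plugin.php"
    printf '<?php // helpers\n// constructed: injected line\n' > "$d/installed/inc/helpers.php"
    printf '<?php // constructed: file not in the release\n'  > "$d/installed/inc/class-cache.php"
    echo "$d"
}

# Usage: sh compare.sh /tmp/pristine-plugin /var/www/html/wp-content/plugins/<plugin>
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```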

Last but not least, search the database for malicious links. For this, log in to phpMyAdmin or Adminer and search for such terms as <script>, eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Be attentive and careful when you decide to make any changes to the code, because a simple typo or extra space can prevent your site from loading or functioning properly.

How to Remove Malicious Code from a Hacked WordPress Site

  1. First of all, create a backup of the current version of your WordPress site, even if you feel like it’s been infected. 
  2. Use the File Manager provided within cPanel or traditional methods such as (s)FTP or SSH to log in to your server and quarantine the malicious files. 
  3. Identify the malicious code in the files stored on your site (as explained in the steps above) and remove the infected bits of files or the code. If you discover that the whole file was infected, delete it completely. 
  4. If you find multiple files infected with the same bit of malicious code, use the find & sed Linux commands via SSH.

    Example (put a pattern that matches the injected code in place of ReplaceWithMalwareCode):
    find /path/to/your/folder -name "*.js" -exec sed -i 's/ReplaceWithMalwareCode//g' '{}' \;
  5. Purge the website cache after cleaning all files on your site.

Once you complete all steps described above, verify that your website no longer redirects your visitors to malicious sites. Browse your site in incognito mode for better verification.

WordPress Site Redirect Hack FAQ

Why is removing malicious redirects from your WordPress site so important?

By removing malicious redirects from a WordPress site, you can ensure that your site remains secure and that your users have a positive experience when visiting your site, in addition to maintaining a good reputation and compliance with laws and regulations.

Removing malicious redirects from a WordPress site is essential for several reasons:
1) Malicious redirects can lead users to unwanted or potentially harmful websites, negatively impacting the user experience and damaging the website’s reputation.
2) Malicious redirects can also hurt a website’s search engine ranking, as search engines may penalize sites that are found to be redirecting users to unwanted or malicious content.
3) Malicious redirects can also launch phishing and malware attacks on users, stealing personal information and infecting users’ computers.
4) A site that redirects visitors to malicious or unwanted websites can be blacklisted by security software and browsers, making the site inaccessible to visitors and affecting your brand reputation.
5) In some cases, redirecting visitors to unwanted or malicious websites may violate certain laws or regulations, which could lead to fines or penalties.

How to prevent a WordPress site from redirecting to spam?

To prevent a WordPress site from redirecting to spam, there are a few steps you can take:

  • Keep your WordPress installation and all plugins and themes up to date. Outdated software can have security vulnerabilities that can be exploited by spammers.
  • Use a security plugin, such as Wordfence or Sucuri, to monitor your site for suspicious activity and block known spam IP addresses.
  • Use a strong, unique username and password for your WordPress admin account. Avoid using “admin” as your username.
  • Remove any plugins or themes that you are not using, as they can be a potential security risk.
  • Regularly back up your site so that you can restore it to a previous version if it becomes compromised.
  • Be cautious when installing new plugins or themes: check the reputation of the author and the reviews to make sure they are not malicious.
  • Consider using a web application firewall (WAF) to protect your website against common web attacks.
  • Finally, stay vigilant and keep an eye out for any suspicious redirects or other unusual activity on your site.
