911 Hack Removal

PHP Redirect Hack? Here is What You Can Do to Fix It

Updated on: April 6, 2021

PHP Redirect Hack? Here is What You Can Do to Fix It

Is your PHP website redirecting users to some malicious website? It might be a case of a PHP redirect hack. PHP redirect hack is one of the most executed and exploited hacks on PHP websites. In this hack, users get redirected to an array of malicious websites, from adult content to counterfeit product sellers. Usually, the intention of a hacker behind this malicious code insertion is to generate advertising revenue or impressions.

However, most of these malicious websites are capable of inflicting harm to your users too. They can be deceived to reveal sensitive information, click on a harmful ad, download malware, and so on. At best, you lose website traffic and your customer loses their time and trust in your website.

Related Guide – Complete Guide on PHP Malware Removal

Sometimes, a skilled hacker disguises redirection from the website owner. So the website might be loading fine for you while redirecting your visitors simultaneously.

That said, in most cases, this is how your website looks like after a PHP redirect hack has hit it.

Redirect hack examples; Source: Astra

But, how would you know your website is under attack in all other redirection cases? And how do you fix it? That is precisely what we are going to talk about in this article today.

First, let’s understand the different types of PHP redirect hack.

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Website Protection before it is too late.

Types of PHP redirect hack

There are various redirection hack types that can land your website into trouble. Here are our top three:

1. Device-specific redirections

Some of the re-directions act differently on a desktop than on a phone. There is a possibility that you won’t even see the website being directed on a mobile phone. It comes down to the type of malware injected, which decides the kind of devices it works on.

2. Hack through Push Notifications

Sometimes a compromised website can show push notifications, which in turn redirect the users to a malicious website.It is one of the most common ways to carry out PHP redirect hack.

3. Redirection as per geography

When certain hackers want to target visitors from a particular geography, the websites get redirected in the said geography only. This means that if City A is in the hit-list, the users of City B may not face redirection at all, or they might get redirected to a different link altogether.

Some of the owners come to know about a hack only when customers start complaining about landing on unfamiliar websites. That is how subtle it is. In such a scenario it becomes very important to see the possible areas where a PHP redirect hack can affect and what allows such a hack to take place.

Ways a PHP Redirect Hack take place

There are various reasons that can lead to the redirection of your website. Some of them are discussed below:

1. By insertion of malicious JavaScript

The hackers can include a malicious script to your website’s JavaScript entries, which leads to redirection that we know as PHP redirect hack. You can identify the script that is performing all those malicious redirects and make your website redirection free.This is how a malicious JavaScript looks like:

Image Source: Astra

2. By infecting .htaccess files by inserting malicious code

Free security plugins tend to ignore the .htaccess files and that is what the attackers take advantage of. Malicious code is added to .htaccess files, which look like any other normal code. It is placed in such a manner that it is difficult to find, which makes the removal more complex.

3. By hacking their way into the admin panel

Poorly audited websites can have vulnerabilities that may lead to privilege escalation. The hackers leverage this vulnerability and add themselves as ghost admins users to your website. These access privileges allow them to create backdoors and execute PHP redirect hack.

5-step PHP redirect hack removal process

We hate to see your business suffer for something that could have been avoided easily. For the same reason, here are the five things that you can do to get yourself out of the ‘hacked’ zone.

1. Get your site scanned

You can either scan your website manually or seek expert help. Letting the experts do their job is the easiest way to go about it.

If you are planning to scan your website on your own, you can use Secure Scanners available online. This will also help you get a quick list of some of the malicious codes found on your website.

2. Check for new admins

Login to your Administrator panel and see if there are any new users that you don’t recognize. If that is the case, delete the unknown accounts and immediately change all passwords.

If you are using WordPress, and have no requirement for ‘Anyone can register’ functionality, the best thing to do is, disable it. While you are at it, set ‘New User Default Role’ to Subscriber as well.

3. Hunt down malicious links in your database

Your database can also be the source of a PHP redirect hack. To verify it, login to PhpMyAdmin and search for the following terms:

<script>, eval, base64_decode, gzinflate, preg_replace, str_replace

These are some malicious PHP functions and have the potential to result in a redirection. But, if you are making any changes to it, please ensure that you have consulted professionals. You need to be careful because any minute, unwanted change can lead to a breakdown of your website. You would not like to have trouble on top of trouble, right?

4. Scan plugins

For any website builder that you use, you must be using various plugins and theme files. Now, these plugins and files are also vulnerable enough to lead your website into a hack zone.

Online tools like Diffchecker can help you compare plugin files with the original. However, if there is an inherent vulnerability of the plugin itself, there are chances that a Zero-Day vulnerability has been exploited.

5. Check the doors

Backdoors are the ones that we are talking about. Much like thieves, hackers use the backdoors too. Just like you would have checked for malicious links in your database, backdoors can also be checked by looking for common PHP functions like:

eval, base64_decode, gzinflate, preg_replace, str_rot13, eval

Please evaluate these functions before making any changes to your website because you can end up breaking your website if the functions that you are removing turn out to be legitimate ones.

How to clean it up?

Now that you know the possible trouble areas, it is the time to get rid of the malicious codes.

  1. Take a backup of your website files and databases.
  2. Login to your server
  3. Quarantine malicious files
  4. Edit the files that you identified
  5. Remove the malware bit that you have identified. Delete the whole file, if it infected.
  6. Use find & sed Linus commands via SSH to identify multiple infected files. For example, find /path/to/your/folder -name “.js” -exec sed -i “s//ReplaceWithMalwareCode*//n&/g” ‘{}’ ;
  7. Make sure all the files and databases are free of any sort of infection.
  8. Purge the website cache.
  9. Verify if the redirection issue has been resolved.

While these steps can help you clean up after a PHP redirect hack, please be extra careful with these changes since they cannot be reversed.


Did the bullet of a redirect hack just miss you? Well, you should not thank your stars for it. Maybe next time you won’t be that lucky. You should be worried about the safety of your website and the toll it takes on your business.

To name a few areas, your SEO takes a direct and the biggest hit. On top of it, if Google ends up blacklisting your website, your entire business is on a pedestal that it would not like to be. The loss of trust from a customer’s end can further put you and your business in a tough spot.

So, to protect yourself from such cybercriminals, it is important that you undergo regular security audits and identify any indicators of a looming problem. Since prevention is indeed better than cure, quip yourself with an all-rounder security solution like Astra to fight off bad guys of the internet, today!

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany