Is your WordPress website redirecting users to unknown and unsecured sites? If yes, then your website might be hacked. WordPress hacked redirect attacks, in which malware redirects the visitors of a website to spammy websites, phishing pages or hacker-controlled domains, are quite common. Recently we noticed that wp-admin is getting redirected to spammy ads & fake CAPTCHA pages. Attackers achieve this by various means and sources of infection. In this article, we will try to figure out the causes, understand the consequences and discuss the complete removal process of the WordPress redirect hack.

What is the WordPress Redirect Hack?

A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites.

A WordPress redirect hack can bring with it serious ramifications, such as:

  • It could blacken your brand image and reputation as a company.
  • It can mean a huge loss of traffic, as your hard-earned visitors are being redirected.
  • Less traffic, in turn, could result in decreased sales, thus affecting the business.
  • The websites your visitors are being redirected to could be pitching illegal commodities, which could land you and your website in legal trouble.
Website redirecting to 3newsfile.club

Continue reading this article to the end to know how you can do WordPress malware removal and pull your website out of this misfortune.

WordPress Hacked Redirect: How was your WordPress website infected?

Attackers use several ways to redirect the user. Some of them are:

  • Redirect users through malicious codes which they inject into the website
  • Attackers might also execute .php codes
  • Attackers can add themselves to your website as ghost admins

By inserting codes in .htaccess/wp-config.php files

In many cases, we saw that the attackers would hide malicious code or files in the .htaccess file. This code sometimes looks exactly like the legitimate directives, which makes it more difficult to identify and remove. Apart from code insertion in .htaccess files, the code might also be disguised in other WordPress core files such as wp-config.php, wp-vcd, etc.

The following picture shows the hidden code that security experts at Astra found on one of our clients' sites.

Malicious codes in .htaccess

By inserting JavaScript in WP plugin files

We have also seen cases of WordPress websites being hacked through JavaScript inserted via plugin vulnerabilities. In an attempt to hide the details, these scripts are often inserted in a string format rather than a character format to look more complex. Here is an example:

An example of malicious JavaScript in WordPress

Users also ran into this when they used Internet Explorer. On Internet Explorer, the malware took users to websites that pushed fake Java and Flash updates. The link led to the download of the adobe_flash_player-31254524.exe file. Several security services reported this to be malware.

Sample of the fake flash updates in Internet Explorer

By adding themselves as ghost admins

Once attackers get into your website by exploiting some vulnerability, they can add themselves as an admin on the site. Now that they possess full control of the site, they redirect it to other illegal, obscene or unverified domains.

Where is the WordPress Redirect Infection?

Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for the following malicious codes:

Some codes even infect .js files, including the jquery.js file. You can also find some of the malicious code in the source code of the page.

Scanning for WordPress Redirection Malware:

The first step in removing the malware is finding it. Attackers might have used several areas to infect, and identifying them will help you in getting rid of it.

Scan Core Files

  • The WordPress core files determine the appearance and functionality of the WordPress software. Identifying changes in the core files will also help you identify the attack. If, on analyzing the code in these files, you find any unknown changes, then you have the source of the attack. However, if the malware was present on your website, then this process will fail to reveal anything. Thus, you need to do authenticity checks on a periodic basis.
    Also, Google Diagnostic Page is a tool, which can help you figure out exactly which part of your website contains the infection. It will also indicate the number of files/directories that are infected.
  • Most of the time the code is hidden in a few core files of WordPress. Some of the possible areas of infection are index.php, index.html, theme files, etc.
    One of the most popular instances of such a WordPress hacked redirect was malicious code injected into the header.php file on the website. The code looks like a bunch of meaningless characters. However, it redirects the users to a default website and sets a cookie with a time limit of one year.

    Sample of the malicious code injected in the header.php file
  • You can also search the code for keywords such as ‘eval’ or ‘base64_decode’, which often appear in malicious code. Although most malicious code contains them, not every piece of code containing them is malicious. Users often delete good code after mistaking it for bad code.
  • In another instance of WordPress site hacked redirect, the attackers injected JavaScript codes into all files with a .js extension. The earlier version of the code only infected the jquery.js files. In all the cases the codes were a part of legitimate files which made it difficult to detect.

Scan WP Admin

  • Another way the attacker can infect is by adding themselves as ghost admins on your website. To check the list of users, go to WP admin and verify the authentic list of users. If your website has membership rules then going through all the users might be a little difficult. However, a website with a few users will be easy to scan and find suspicious users. Once you spot the ghost users, you can simply remove them from the list.

Scan Plugins & Themes

  • Unsecured or unknown plugins can also infect your website. You can view the entire list of plugins by going to WP admin and then clicking on ‘Plugins’. In case you spot any unidentified or suspicious plugins, remove them.
  • You will also need to manually compare your plugin files with the original ones and detect any anomalies. For this, you can download the same plugins from the WordPress plugin repository and match your installed plugins against these. However, this also has its set of limitations as all plugins in the repository are not updated when a new version is pushed out.
  • There is always a chance that your theme files might be infected. Thus, instead of using free security services to scan your theme files, manually scanning them is a better option. You can compare your installation files to the original ones by using a comparison tool. If you find any differences, find out why they are present and how they originated.
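
The comparison of installed plugin or theme files against the original ones can be scripted. The following is an added example, not part of the original article; the function names, directory layout and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: diff an installed plugin/theme tree against a pristine copy.
# Paths are assumptions; file names containing newlines are not handled.

# compare_trees CLEAN_DIR INSTALLED_DIR prints one line per discrepancy:
#   MODIFIED <path>  present in both trees, contents differ
#   ADDED <path>     only in the installed tree (dropped files show up here)
#   MISSING <path>   only in the pristine tree
compare_trees() {
  clean=$1; installed=$2
  find "$installed" -type f | sort | while IFS= read -r f; do
    rel=${f#"$installed"/}
    if [ ! -f "$clean/$rel" ]; then
      echo "ADDED $rel"
    elif ! cmp -s "$clean/$rel" "$f"; then
      echo "MODIFIED $rel"
    fi
  done
  find "$clean" -type f | sort | while IFS= read -r f; do
    rel=${f#"$clean"/}
    [ -f "$installed/$rel" ] || echo "MISSING $rel"
  done
}

# Constructed sample: a pristine plugin copy and a tampered install.
demo_trees() {
  work=$(mktemp -d)
  mkdir -p "$work/clean/js" "$work/installed/js"
  echo '<?php // plugin bootstrap' > "$work/clean/plugin.php"
  echo 'function init(){}' > "$work/clean/js/app.js"
  echo 'Sample readme' > "$work/clean/readme.txt"
  cp "$work/clean/plugin.php" "$work/installed/plugin.php"
  # Simulated tampering: appended script, extra PHP file, deleted readme.
  { cat "$work/clean/js/app.js"; echo '/* injected */'; } > "$work/installed/js/app.js"
  echo '<?php // unexpected file' > "$work/installed/js/cache.php"
  compare_trees "$work/clean" "$work/installed"
  rm -rf "$work"
}
demo_trees
```

Every ADDED or MODIFIED line is a file to open and explain before it is trusted again; a version mismatch between the two copies will also show up as MODIFIED.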

WordPress Hacked Redirect: How to clean your website?

Now that the scanning is done, let’s proceed to the malware removal process. You probably have found the modifications/malware. If not, then read on.

Manual Malware Cleanup

  • The first step is to view your server logs. By going through your server logs, you will find clues regarding any infection that has crept in. You will also be able to investigate unknown IP addresses that might have injected the malicious code into your website. You can also investigate any unknown POST requests. These requests send data to your website and might have sent some malware to it, resulting in the WordPress site hacked redirect. Promptly remove anything malicious that you find.
  • Also, there are commands that you can run on your server to find where your website got compromised. Then, you can go on to manually remove the malicious code to recover your website. A few such commands are grep and find, which you run through an SSH client.
  • Next, go to the infected files and clean them from the back-end. Change the settings to revert to the original settings. Once you do that, it is time for you to plug the breach. You can do this by updating your plugins and themes, since these are the most common sites for infection.
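
As an added example (not from the original article), the log review and the grep and find searches from the steps above, together with the ‘eval’/‘base64_decode’ keyword check from the scanning section, can look like this. The helper names, the Apache/Nginx "combined" log format and all sample data are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for the manual cleanup steps above.
# Assumes Apache/Nginx "combined" access logs; all sample data is constructed.

# PHP/JS files containing eval( or base64_decode( . A hit is a candidate
# for review, not proof of infection: legitimate code uses both calls.
suspect_files() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
    -exec grep -lE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' {} + | sort
}

# PHP files modified within the last N days (default 7).
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}" | sort
}

# POST requests per client IP and path, busiest first.
post_summary() {
  awk '$6 == "\"POST" { n[$1 " " $7]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample site and log so the helpers can be run offline.
make_sample() {
  s=$(mktemp -d)
  mkdir -p "$s/site/wp-content/themes/sample"
  echo '<?php get_header();' > "$s/site/index.php"
  touch -t 202001010000 "$s/site/index.php"   # old, untouched file
  echo '<?php eval(base64_decode("CONSTRUCTED_SAMPLE")); ?>' \
    > "$s/site/wp-content/themes/sample/header.php"
  cat > "$s/access.log" <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "-"
198.51.100.4 - - [01/Jan/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
EOF
  echo "$s"
}

s=$(make_sample)
suspect_files "$s/site"
recent_php "$s/site"
post_summary "$s/access.log"
rm -rf "$s"
```

Files that appear in both the keyword list and the recently-modified list, with POST requests to an editor or upload path shortly before their modification time, are the first ones to inspect.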

Getting Malware Cleanup From a professional

  • Professionals like Astra Web Security can help you here. With Astra’s Malware Cleanup, your website will be recovered, and you will also benefit from a subscription to its continuous and comprehensive security monitoring with its Firewall and automated Malware Scanner.

WordPress Hacked Redirect: After cleanup steps to protect your website

Once you have completed the cleanup process, you need to update your secret keys and passwords. You might also have to reinstall all the plugins, free and premium ones, to ensure a fresh setup.

A good step would be to use Google Webmaster tool. This is a free tool, and you will receive a lot of information about your website which will let you manage it better. You can also submit unknown malware for evaluation. Once you clean the website, submit it for a review along with all the steps you took for removing the malware. You can do this by following the steps below:

  • Log in to the Google Search Console
  • Verify your ownership of the website
  • Go to Site, then click on the Dashboard option
  • Select the Security Issue

In most cases, the infection is in the header.php file of the website. This happens only when the attacker has access to the administrator interface in WordPress and can change the theme file’s settings from there. You can avoid such attacks by disabling the user’s ability to change the PHP files through wp-admin. To change the setting, add the following code to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

This will protect your website from WordPress hacked redirects, thus avoiding any disruptions to the website's uptime.

WordPress Malicious Redirects: Conclusion

Once you are done cleaning your website, you are ready to put it back online. Before doing that, test the functioning of your website and make sure that there are no anomalies. You will also need to harden your website security. One of the best options is to rely on a premium website security service such as Astra. They will ensure that your website is protected and safe from any WordPress hacked redirect. Astra has features such as remote malware scanning, file injection protection, signup spam protection, etc., in addition to its firewall and VAPT (Vulnerability Assessment and Penetration Testing). With their latest and comprehensive tools, you can breathe easy.

About The Author

Sovandeb

Your usual nerd with an avid interest in everything tech. If not writing then following up on cyber security news and preparing for my next article. If there is something new out there you can bet I will write about it.

1 Comment

  1. Thanks for the clear explanation, I am using a custom theme and now I can understand that the issue seems to be with the theme. Thanks. Please let me know any recommendation of a trusted tutorial to clean a WordPress theme! It will be really helpful and I will be grateful to you.
