What is the WordPress Redirect Hack?

Is your website redirecting users to unknown and unsecured sites? If yes, then your website might be hacked. Such WordPress hacked redirect attacks are very common where the malware redirects the visitors of a particular website to another spammy website. Recently we noticed that wp-admin is getting redirected to

[getmyfreetraffic.com]

[play6464.sundaylife13.agency]

[hellofromhony.org/]

[searchnotifyfriends.info]

[play6464.sundaylife13.agency]

and other spammy/ads domains. Attackers achieve this by various means and sources of infection. Understanding the causes and consequences of this hack is essential for the complete removal of the infection.

A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites.  Attackers inject certain malicious codes into the websites, and the WordPress website redirects to spammy Sites.

WordPress website facing malicious redirects? Drop us a message on the chat widget, and we’d be happy to help you. Fix spammy WordPress redirects now.

WordPress Hacked Redirect: How was your WordPress website infected?

Attackers use several ways to redirect the user. Some of them are:

  • Attackers can add themselves to your website as ghost admins
  • Redirect users through malicious codes which they inject into the website
  • Attackers might also execute .php codes

The attackers would likely make the malicious codes or files look like legitimate ones. This makes it more difficult to identify and remove them. The codes might be in any of the WordPress core files such as .htaccess and wp-config .php to name a few.

Users also faced a situation when they used Internet Explorer. On Internet Explorer, the malware took the users to websites that forced fake updates of Java and Flash updates. This link led to the downloading of the adobe_flash_player-31254524.exe file. Several security services reported this to be malware.

Wordpress hacked redirect
Sample of the fake flash updates in Internet Explorer

WordPress Redirect Hack: Where is the WordPress Redirect Infection?

Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for the following malicious codes:

Some codes even infect .js files, which includes jquery.js file. You can also find some of the malicious codes in the source code of the page.

Steps to find the culprit for the WordPress Spammy Redirections

The first step in removing the malware is to identify it. Attackers might have used several areas to infect, and finding them will help you in removing it.

Further, the attackers might have added themselves as ghost admins on your website. To check the list of users, go to WP admin and verify the authentic list of users. If your website has membership rules then going through all the users might be a little difficult. However, a website with a few users will be easy to scan and find suspicious users. Once you spot the ghost users, you can simply remove them from the list.

Most of the times the code is hidden in a few core files of WordPress. Some of the possible areas of infection are the index.php, index.html, theme files, to name a few. Weird or unknown plugins can also infect the website. You can view the entire list of plugins by going to WP admin and then clicking on ‘Plugins’. If you spot any unidentified or suspicious plugins, remove them.

WordPress hacked redirects? Drop us a message on the chat widget, and we’d be happy to help you. With our Pro Plan billed annually we take complete responsibility of your WordPress website for a year. If something goes south with security we will fix it for no questions asked. Fix my WordPress website now.

Identifying the changes on the core files will also help you in identifying the attack. On analyzing the codes in the files if you find any unknown changes, then you have the source of the attack. However, if the malware was present on your website, then this process will fail to reveal anything. Thus, you need to do authenticity checks on a periodic basis.

One of the most popular instances of such a WordPress hacked redirect was an infectious code injected into the header.php file on the website. The code looks like a bunch of meaningless characters. However, the code redirects the users to a default website and set a cookie with a time limit of one year.

wordpress hacked redirect malware code
Sample of the malicious code injected in the header.php file

In another instance of WordPress site hacked redirect, the attackers injected JavaScript codes into all files with a .js extension. The earlier version of the code only infected the jquery.js files. In all the cases the codes were a part of legitimate files which made it difficult to detect.

WordPress Hacked Redirect: How to clean your website?

The first step is to view your server logs. By going through your server logs, you will find clues regarding any infection that has crept in. You will also be able to investigate unknown IP addresses that might have injected the malicious codes into your website. You can also investigate any unknown POST requests. These requests send data to your website and might have sent some malware to your website, resulting in the WordPress site hacked redirect.

There is always a chance that your theme files might be infected. Thus, instead of using free security services to scan your theme files, manually scanning them is a better option. You can compare your installation files to the original ones by using a comparison tool. If you find any differences then go ahead and find out why it is present and how did it originate.

Also, check our detailed guide How to Fix Unwanted Pop-Ups in your WordPress Website

You will also need to manually compare your plugin files with the original ones and detect any anomalies. If you find any malware, then clean them and install a fresh copy of the plugin. This will remove the WordPress hacked redirect issue on your website.

Go to the infected files and clean them from the back-end. Change the settings to revert to the original settings. Once you do that, it is time for you to plug the breach. You can do this by updating your plugins and themes. Since these are the most common sites for infection. Use a website security service such as Astra to scan your website and take care of any vulnerabilities.

WordPress Hacked Redirect: After cleanup steps to protect your website

Once you complete the cleanup process, you need to update your secret keys and passwords. You might also have to reinstall all the plugins, free and premium ones, to ensure a fresh setup.

A good step would be to use Google Webmaster tool. This is a free tool, and you will receive a lot of information about your website which will let you manage it better. You can also submit unknown malware for evaluation. Once you clean the website, submit it for a review along with all the steps you took for removing the malware. You can do this by following the steps below:

  • Log in to the Google Search Console
  • Verify your ownership of the website
  • Go to Site, then click on the Dashboard option
  • Select the Security Issue

In most of the cases, the infection is in the header.php file of the website. This happens only when the attacker has access to the administrator interface in WordPress and can change the theme file’s settings from there. You can avoid such attacks by disabling the user’s ability to change the PHP files through wp-admin. To change the settings add the following code to the wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

This will protect your website from WordPress hacked redirects, thus avoiding any disruptions on the website up time.

WordPress website redirects to spammy pages? Drop us a message on the chat widget, and we’d be happy to help you. Fix my WordPress website now..

WordPress Malicious Redirects: Conclusion

Once you are done cleaning your website, you are ready to put it back online. Before doing that test the functioning of your website and make sure that there are no anomalies. You will also need to harden your website security. One of the best options is to rely on a premium website security service such as Astra. They will ensure that your website is protected and safe from any WordPress hacked redirect. Astra has features such as remote malware scanning, file injection protection, signup spam protection etc in addition to its firewall and VAPT (Vulnerability Assessment and Penetration Testing). With their latest and comprehensive tools, you can breathe easy.

Related Post – How Astra WordPress Firewall protect your website

Web Application Firewall Magento, Opencart Prestashop

Take an Astra Demo Now

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Sovandeb

Your usual nerd with an avid interest in everything tech. If not writing then following up on cyber security news and preparing for my next article. If there is something new out there you can bet I will write about it.

1 Comment

  1. Thanks for the clear explanation, I am using a custom theme and now I can understand that the issue seems to be with the theme. Thanks. Please let me know any recommendation of a trusted tutorial to clean a WordPress theme! It will be really helpful and I will be grateful to you.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close