Is your WordPress website redirecting users to unknown and unsecured sites? If yes, then your website might be hacked. Such WordPress hacked redirect attacks are quite common where the malware redirects the visitors of a particular website to either spammy websites, phishing pages or hacker-controlled domains.

Recently, we noticed a lot of WordPress websites being redirected to malicious domains: first to allow-space[.com], then to adaranth[.com]afu.php, and then to some legitimate website. Attackers achieve this by various means and sources of infection. In this article, we will try to figure out the causes, understand the consequences, and discuss the complete removal process for the WordPress redirect hack.

What is the WordPress Redirect Hack?

A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites.

A WordPress redirect hack can bring with it serious ramifications, such as:

  • It could blacken your brand image and reputation as a company.
  • It can mean a huge loss of traffic, as your hard-earned visitors are being redirected.
  • Less traffic, in turn, could result in decreased sales, thus affecting the business.
  • The websites your visitors are being redirected to could be pitching an illegal commodity, which could land your website and you in legal drama.

Continue reading this article to the end to know how you can do WordPress malware removal and pull your website out of this misfortune.

WordPress Spam Redirect: How was your WordPress website infected?

Attackers use several ways to redirect the user. Some of them are:

  • Redirect users through malicious codes which they inject into the website
  • Attackers might also execute .php codes
  • Attackers can add themselves to your website as ghost admins

By inserting codes in .htaccess/wp-config.php files

In many cases, we saw that the attackers would hide malicious code or files in the .htaccess file. This code sometimes looks exactly like the legitimate code, which makes it more difficult to identify and remove. Apart from code insertion in .htaccess files, the code might also be disguised in other WordPress core files such as wp-config.php, wp-vcd, etc., to name a few.

The following picture shows the hidden code that security experts at Astra found on one of our clients' sites.

Malicious codes in .htaccess

By inserting JavaScript in WP plugin files

We have also seen cases of WordPress websites being hacked by JavaScript inserted through plugin vulnerabilities. In an attempt to hide the details, these scripts are often inserted in a string format rather than a character format to look more complex. Here is an example of that:

An example of malicious JavaScript in WordPress

Users also faced a situation when they used Internet Explorer. On Internet Explorer, the malware took the users to websites that forced fake Java and Flash updates. This link led to the download of the adobe_flash_player-31254524.exe file. Several security services reported this to be malware.

Sample of the fake flash updates in Internet Explorer

By adding themselves as ghost admins

Once attackers get into your website by exploiting some vulnerability, they can add themselves as an admin on the site. Now that they possess full power over the site, they redirect it to other illegal, obscene or unverified domains.

Where is the WordPress Redirect Infection?

Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for malicious codes:

Some malicious code even infects .js files, including the jquery.js file. You can also find some of the malicious code in the source code of the page.

WordPress Website Redirecting To Malicious Sites – Scanning WordPress For Redirection Malware:

The first step in removing the malware is finding it. Attackers might have used several areas to infect, and identifying them is half the work done in removing it. To find the malware, you can either use a malware scanner or just go about manually.

1. Use a Malware Scanner

A malware scanner, for sure, is a more optimized and easy method of hack detection. In fact, Astra’s malware scanner also allows for one-click malware removal in the scan results.

But, if you do not want the scanner to help you, you can take the long road of manual malware detection as well. This is how you can do that.

2. Check with diagnostic tools

Also, Google Diagnostic Page is a tool, which can help you figure out exactly which part of your website contains the infection. It will also indicate the number of files/directories that are infected.

3. Scan Core Files

The WordPress core files determine the appearance and functionalities of WordPress software. Identifying the changes in the core files will also help you in identifying the attack. Any unknown changes in the files can hint towards the source of the attack.

Most of the time the code is hidden in a few core files of WordPress. Some of the possible areas of infection are index.php, index.html, theme files, etc.

One of the most popular instances of such a WordPress hacked redirect was an infectious code injected into the header.php file on the website. The code looks like a bunch of meaningless characters. Yet the code redirects the users to a default website. It also sets a cookie with a time limit of one year. That’s scary, right?

Sample of the malicious code injected in the header.php file

You can also look for known malicious code by searching for keywords like ‘eval’ or ‘base64_decode’. Although most malicious code contains these, it cannot be claimed with certainty that every piece of code containing them is malicious. Users often delete good code because they suspect it to be bad.

In another instance of WordPress site hacked redirect, the attackers injected JavaScript codes into all files with a .js extension. The earlier version of the code only infected the jquery.js files. In all the cases the codes were a part of legitimate files which made it difficult to detect.

4. Scan WP Admin for unknown admins

Another known way attackers infect a site is by adding themselves as ghost admins. Go through the list of current users/admins on your WordPress website.

If your website has membership rules then going through all the users might be a little difficult. However, a website with a few users will be easy to scan and find suspicious users. Once you spot the ghost users, you can simply remove them from the list.

5. Scan Plugins files

Check for plugin vulnerability

Insecure third-party plugins are a common cause of infection. You can view the entire list of plugins in your WP admin panel. Log into your wp-admin, click on ‘Plugins’ in the left panel. In case you spot any unidentified or suspicious plugins, remove them.

If you are unable to detect the vulnerable plugins right away, check the WordPress forum. Sometimes a plugin vulnerability is at the bottom of a WordPress hacked redirect. So, searching the forum will generally let you know which plugins are being exploited at the time.

A plugin exploit usually targets large numbers of WordPress websites; you might not be alone in this. On forums especially, you will find other victims asking questions or voicing their concerns.

Comparing with a fresh file copy

Use online tools (e.g., a diff checker) to compare your plugin files with the original ones. For this, you can download the same plugins from the WordPress plugin repository and start matching your installed plugins against these.

However, this also has a set of limitations. Since all plugins in the repository are not updated every time a new version is pushed out, it’s difficult to find the most secure version.

6. Scan Themes files

There is always a chance that your theme files might be infected. Thus, instead of using free security services to scan your theme files, manually scanning them is a better option.

You can compare your installation files to the original ones by using a comparison tool. If you find any differences, then go ahead and find out why they are present and how they originated.
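The fresh-copy comparison described for plugins and themes can be scripted. The following is an added example, not Astra's tooling: the function names, the ADDED/MODIFIED/MISSING labels and the sample tree are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare an installed plugin/theme directory with a fresh copy.

# Prints one line per difference:
#   ADDED    file exists only in the installed copy (e.g. a dropped script)
#   MODIFIED file exists in both copies but the bytes differ
#   MISSING  file exists only in the fresh copy
compare_trees() {            # $1 = installed dir, $2 = fresh copy
  local f
  ( cd "$1" && find . -type f | sort ) | while IFS= read -r f; do
    if [ ! -e "$2/$f" ]; then
      echo "ADDED    $f"
    elif ! cmp -s "$1/$f" "$2/$f"; then
      echo "MODIFIED $f"
    fi
  done
  ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
    [ -e "$1/$f" ] || echo "MISSING  $f"
  done
}

# Constructed sample: a "fresh" plugin and an "installed" copy that differs.
make_sample_trees() {
  local w; w=$(mktemp -d)
  mkdir -p "$w/fresh/js" "$w/installed/js" "$w/installed/inc"
  printf '%s\n' '<?php /* Plugin Name: Demo */' > "$w/fresh/plugin.php"
  printf '%s\n' 'console.log("demo");' > "$w/fresh/js/app.js"
  printf '%s\n' 'Demo plugin readme' > "$w/fresh/readme.txt"
  cp "$w/fresh/plugin.php" "$w/installed/plugin.php"
  cp "$w/fresh/js/app.js" "$w/installed/js/app.js"
  printf '%s\n' '/* constructed: line standing in for injected code */' \
    >> "$w/installed/js/app.js"
  printf '%s\n' '<?php /* constructed: file absent from the fresh copy */' \
    > "$w/installed/inc/cache.php"
  echo "$w"
}

# Usage: ./compare.sh wp-content/plugins/demo /tmp/fresh/demo
if [ -n "${2:-}" ]; then compare_trees "$1" "$2"; fi
```

Compare against the same version that is installed, otherwise every file changed by a legitimate update shows up as MODIFIED. Where WP-CLI is available, `wp core verify-checksums` and `wp plugin verify-checksums --all` run a similar check against checksums published by WordPress.org.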

WordPress Hacked Redirect: How to clean your website?

Now that the scanning is done, let’s proceed to the malware removal process. You probably have found the modifications/malware. If not, then read on.

Manual Malware Cleanup

  • The first step is to view your server logs. By going through your server logs, you will find clues regarding any infection that has crept in. You will also be able to investigate unknown IP addresses that might have injected the malicious code into your website. You can also investigate any unknown POST requests. These requests send data to your website and might have sent some malware to it, resulting in the WordPress site hacked redirect. Promptly remove whatever they planted.
  • Also, there are commands that you can run on your server to find where your website got compromised. Then, you can go on to manually remove the malicious code to recover your website. Two such commands are grep and find, which you can run through an SSH client.
  • Next, go to the infected files and clean them from the back-end. Revert any changed settings to their original values. Once you do that, it is time for you to plug the breach. You can do this by updating your plugins and themes, since these are the most common sites of infection.
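The grep and find step above, together with the ‘eval’/‘base64_decode’ keyword search from the core-file scan, might look like this over SSH. This is an added example, not part of the original article: the function names, the .htaccess pattern, the 7-day window and the sample tree (including the redirect.example host) are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Astra's tooling): find/grep triage for a WordPress tree.

# Files containing the keywords the article names. A hit means "review this
# file", not "delete it": legitimate plugins also call these functions.
scan_keywords() {            # $1 = WordPress root
  grep -rlE --include='*.php' --include='*.js' \
    '(eval|base64_decode)[[:space:]]*\(' "$1" | sort
}

# .htaccess rewrite/redirect rules whose target is an absolute external URL.
htaccess_redirects() {       # $1 = WordPress root
  find "$1" -type f -name '.htaccess' -exec \
    grep -HnEi '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} +
}

# PHP, JS and .htaccess files modified within the last N days.
recently_modified() {        # $1 = WordPress root, $2 = days
  find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
    -mtime "-$2" | sort
}

# Constructed sample tree with inert placeholder content, for a dry run.
make_sample_site() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/demo" "$d/wp-includes/js"
  printf '%s\n' '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>' \
    > "$d/wp-content/themes/demo/header.php"
  printf '%s\n' '<?php get_header(); ?>' > "$d/wp-content/themes/demo/index.php"
  printf '%s\n' 'eval("/* constructed placeholder */");' \
    > "$d/wp-includes/js/jquery.js"
  printf '%s\n' 'RewriteEngine On' \
    'RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]' \
    'RewriteRule . /index.php [L]' > "$d/.htaccess"
  touch -d '30 days ago' "$d/wp-content/themes/demo/index.php"
  echo "$d"
}

# Usage: ./triage.sh /var/www/html 7
if [ -n "${1:-}" ]; then
  scan_keywords "$1"; htaccess_redirects "$1"; recently_modified "$1" "${2:-7}"
fi
```

Modification times can be reset by whoever wrote the file, so treat an empty `recently_modified` result as inconclusive and rely on the content checks as well.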

Getting Malware Cleanup From a professional

  • Professionals like Astra Web Security can help you here. With Astra’s Malware Cleanup, your website will be recovered from the infection, and you will also benefit from a subscription to its continuous and comprehensive security monitoring with its Firewall and automated Malware Scanner.

WordPress Hacked Redirect: After cleanup steps to protect your website

Once you have completed the cleanup process, you need to update your secret keys and passwords. You might also have to reinstall all the plugins, free and premium ones, to ensure a fresh setup.

A good step would be to use Google Webmaster tool. This is a free tool, and you will receive a lot of information about your website which will let you manage it better. You can also submit unknown malware for evaluation. Once you clean the website, submit it for a review along with all the steps you took for removing the malware. You can do this by following the steps below:

  • Log in to the Google Search Console
  • Verify your ownership of the website
  • Go to Site, then click on the Dashboard option
  • Select the Security Issue

In most of the cases, the infection is in the header.php file of the website. This happens only when the attacker has access to the administrator interface in WordPress and can change the theme file’s settings from there. You can avoid such attacks by disabling the user’s ability to change the PHP files through wp-admin. To change the settings add the following code to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

This will protect your website from WordPress hacked redirects, thus avoiding any disruptions on the website uptime.

Also, check our detailed guide How to Fix Unwanted Pop-Ups in your WordPress Website

WordPress Malicious Redirects: Conclusion

Once you are done cleaning your website, you are ready to put it back online. Before doing that, test the functioning of your website and make sure that there are no anomalies. You will also need to harden your website security. Follow this complete WordPress security guide to enhance your website’s security.

With these basic security measures taken care of, install a premium website security service such as Astra to monitor your website’s security in real-time. This will ensure that your website is protected and safe from any WordPress hacked redirect. Astra has features such as remote malware scanning, file injection protection, signup spam protection, etc. in addition to its firewall and VAPT (Vulnerability Assessment and Penetration Testing). With their latest and comprehensive tools, you can breathe easy.

About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.


  1. Nowadays, after some viruses, hacking of websites is now easier and many hackers always try to hack websites, even Gov websites. We should always scan our websites for malware and keep them secure. I like your guide about helping people to recover their hacked WordPress blog. Also, they have mentioned about scanning and keeping it safe.

  6. Thanks for the clear explanation, I am using a custom theme and now I can understand that the issue seems to be with the theme. Thanks. Please let me know any recommendation of a trusted tutorial to clean a WordPress theme! It will be really helpful and I will be grateful to you.

  8. Comprehensive detailed writeup. I was able to resolve my issue. Thanks 🙂

  9. Naman Rastogi

    Hi Rana,

    Thanks for your kind words. You can refer to these two blog posts for malware removal

    Once the malware is removed, please follow our security guide

    Let me know if you have any questions.

  10. Delightful information, I was transferring from Weebly to WordPress so this is what I needed!
