Fixing WordPress Redirect Hack – WordPress Site Redirecting to Another Site
Is your WordPress website redirecting users to unknown and unsecured sites? If yes, then your website might be hacked. Such WordPress hacked redirect attacks are quite common where the malware redirects the visitors of a particular website to either spammy websites, phishing pages or hacker-controlled domains.
Recently we noticed a lot of WordPress websites being redirected to the malicious domains allow-space[.com] & then to adaranth[.com]afu.php & then to some legitimate website. Attackers achieve this through various means and sources of infection. In this article, we will try to figure out the causes, understand the consequences and discuss the complete removal process for the WordPress redirect hack.
What is the WordPress Redirect Hack?
A WordPress malware redirect hack is a common form of attack where the visitors to the infected website are automatically redirected to phishing sites or malicious websites.
A WordPress Redirect Hack can bring serious ramifications, such as:
- It could blacken your brand image and reputation as a company.
- A WordPress Redirect Hack can mean a huge loss of traffic, as your hard-earned visitors are being redirected.
- Less traffic, in turn, could result in decreased sales, thus affecting the business.
- The websites your visitors are being redirected to could be pitching an illegal commodity, which could land you and your website in legal trouble.
Continue reading this article to the end to know how you can do WordPress malware removal and pull your website out of this misfortune.
WordPress Spam Redirect: How was your WordPress website infected?
Attackers use several ways to redirect the user. Some of them are:
- Redirect users through malicious codes which they inject into the website
- Attackers might also execute .php codes
- Attackers can add themselves to your website as ghost admins
By inserting codes in .htaccess/wp-config.php files
In many cases, we saw attackers hide malicious code or files in the .htaccess file. This code sometimes looks exactly like legitimate code, which makes it more difficult to identify and remove. Apart from code insertion in .htaccess files, the code might also be disguised in other WordPress core files such as wp-config.php, wp-vcd, etc., to name a few.
The following picture shows the hidden code that security experts at Astra found on one of our clients’ sites.
Users also saw different behaviour in Internet Explorer, where the malware took them to websites that pushed fake Java and Flash updates. The link led to a download of the adobe_flash_player-31254524.exe file, which several security services reported to be malware.
By adding themselves as ghost admins
Once attackers get into your website by exploiting some vulnerability, they can add themselves as an admin on the site. Now that they possess full control of the site, they redirect it to other illegal, obscene or unverified domains.
Where is the WordPress Redirect Infection?
Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for malicious codes:
Some malicious code even infects .js files, including the jquery.js file. You can also find some of the malicious code in the source code of the page.
WordPress Website Redirecting To Malicious Sites – Scanning WordPress For Redirection Malware:
The first step in removing the malware is finding it. Attackers might have used several areas to infect, and identifying them is half the work done in removing it. To find the malware, you can either use a malware scanner or just go about manually.
1. Use a Malware Scanner
A malware scanner, for sure, is a more optimized and easy method of hack detection. In fact, Astra’s malware scanner also allows for one-click malware removal in the scan results.
But, if you do not want the scanner to help you, you can take the long road of manual malware detection as well. This is how you can do that.
2. Check with diagnostic tools
The Google Diagnostic Page is also a tool that can help you figure out exactly which part of your website contains the infection. It will also indicate the number of files/directories that are infected.
3. Scan Core Files
The WordPress core files determine the appearance and functionalities of WordPress software. Identifying the changes in the core files will also help you in identifying the attack. Any unknown changes in the files can hint towards the source of the attack.
Most of the time the code is hidden in a few core files of WordPress. Some of the possible areas of infection are index.php, index.html, theme files, etc.
One of the most popular instances of such a WordPress hacked redirect was an infectious code injected into the header.php file on the website. The code looks like a bunch of meaningless characters. Yet the code redirects the users to a default website. It also sets a cookie with a time limit of one year. That’s scary, right?
You can also search for keywords that commonly appear in malicious code, such as ‘eval’ or ‘base64_decode’. Although most malicious code contains these, it can’t be claimed with certainty that every piece of code using them is malicious. Users often delete good code after mistaking it for bad code.
4. Scan WP Admin for unknown admins
Another known way attackers infect a site is by adding themselves as ghost admins. Go through the list of current users/admins on your WordPress website.
If your website has membership rules then going through all the users might be a little difficult. However, a website with a few users will be easy to scan and find suspicious users. Once you spot the ghost users, you can simply remove them from the list.
5. Scan Plugins files
Check for plugin vulnerability
Insecure third-party plugins are a common cause of infection. You can view the entire list of plugins in your WP admin panel. Log into your wp-admin, click on ‘Plugins’ in the left panel. In case you spot any unidentified or suspicious plugins, remove them.
If you are unable to detect the vulnerable plugins right away, check the WordPress forum. Sometimes a plugin vulnerability is at the bottom of a WordPress hacked redirect. So, searching the forum will generally let you know which plugins are being exploited at the time.
A plugin exploit usually targets large numbers of WordPress websites, so you might not be alone in this. On forums especially, you will find other victims asking questions or voicing their concerns.
Comparing with a fresh file copy
Use online tools (e.g. a diff checker) to compare your plugin files with the original ones. For this, you can download the same plugins from the WordPress plugin repository and start matching your installed plugins against these.
However, this also has a set of limitations. Since all plugins in the repository are not updated every time a new version is pushed out, it’s difficult to find the most secure version.
6. Scan Themes files
There is always a chance that your theme files might be infected. Thus, instead of using free security services to scan your theme files, manually scanning them is a better option.
You can compare your installation files to the original ones by using a comparison tool. If you find any differences, go ahead and find out why they are present and how they originated.
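A scripted version of the fresh-copy comparison described above for plugins and themes, as an added example (not code from the original article). It assumes a clean copy of the same version has been unpacked next to the installed one; the function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an installed plugin/theme directory with a fresh copy.
# Usage (paths are assumptions): compare_tree wp-content/themes/mytheme /tmp/fresh/mytheme

# Prints one line per difference:
#   MODIFIED  file exists in both trees but the bytes differ
#   ADDED     file exists only in the installed tree (not shipped by the vendor)
#   MISSING   file exists only in the fresh tree
compare_tree() {
  installed=$1 fresh=$2
  ( cd "$installed" && find . -type f | sort ) | while IFS= read -r f; do
    if [ ! -f "$fresh/$f" ]; then
      echo "ADDED $f"
    elif ! cmp -s "$installed/$f" "$fresh/$f"; then
      echo "MODIFIED $f"
    fi
  done
  ( cd "$fresh" && find . -type f | sort ) | while IFS= read -r f; do
    [ -f "$installed/$f" ] || echo "MISSING $f"
  done
  return 0
}

# Constructed demo trees (not real theme code): one altered file, one extra file.
demo_compare() {
  t=$(mktemp -d)
  mkdir -p "$t/fresh/inc" "$t/installed/inc"
  echo '<?php // header' > "$t/fresh/header.php"
  echo '<?php // header' > "$t/installed/header.php"
  echo 'injected line'  >> "$t/installed/header.php"
  echo '<?php // util'   > "$t/fresh/inc/util.php"
  echo '<?php // util'   > "$t/installed/inc/util.php"
  echo '<?php // extra'  > "$t/installed/inc/cache.php"
  compare_tree "$t/installed" "$t/fresh"
  rm -rf "$t"
}
demo_compare
```

ADDED files deserve the same attention as MODIFIED ones, since a file the vendor never shipped has no legitimate original to compare against.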
WordPress Hacked Redirect: How to clean your website?
Now that the scanning is done, let’s proceed to the malware removal process. You have probably found the modifications/malware. If not, then read on.
Manual Malware Cleanup
- The first step is to view your server logs. By going through your server logs, you will find clues regarding any infection that has crept in. You will also be able to investigate unknown IP addresses that might have injected the malicious code into your website. You can also investigate any unknown POST requests. These requests send data to your website and might have delivered malware to it, resulting in the WordPress site hacked redirect. Promptly remove any malware you find this way.
- Also, there are commands that you can run on your server to find where your website got compromised. Then, you can go on to manually remove the malicious code to recover your website. A few such commands are grep and find, which you run through an SSH client.
- Next, go to the infected files and clean them from the back-end. Change the settings to revert to the original settings. Once you do that, it is time for you to plug the breach. You can do this by updating your plugins and themes, since these are the most common sites for infection.
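The log review and grep/find steps above, together with the earlier .htaccess and ‘eval’/‘base64_decode’ checks, can be scripted as follows. This is an added example, not code from the original article; the function names, the combined log format and the sample site are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for the manual cleanup steps. Every hit is a
# lead to review by hand, not proof; legitimate code matches these too.

# POST requests per client IP and path, from a combined-format access log.
post_summary() {
  awk '$6 == "\"POST" { n[$1 " " $7]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# PHP files that call eval( or base64_decode(.
suspicious_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' {} + | sort
}

# PHP files modified in the last $2 days; line these up with the log dates.
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# .htaccess lines that redirect or rewrite to an absolute URL (file:line:text).
htaccess_redirects() {
  find "$1" -type f -name '.htaccess' -exec grep -nEi \
    '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' \
    /dev/null {} + | sort
}

# Constructed sample site (not from a real incident) so this runs offline.
make_sample() {
  mkdir -p "$1/wp-content/themes/demo"
  printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
    > "$1/wp-content/themes/demo/header.php"
  printf '%s\n' '<?php echo "footer"; ?>' > "$1/wp-content/themes/demo/footer.php"
  touch -t 202001010000 "$1/wp-content/themes/demo/footer.php"
  printf '%s\n' 'RewriteEngine On' 'RewriteRule ^ http://example.invalid/ [R=302,L]' \
    > "$1/.htaccess"
  cat > "$1/access.log" <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:01:25 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [12/Mar/2024:10:01:29 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.4 - - [12/Mar/2024:10:05:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 900 "-" "-"
EOF
}

d=$(mktemp -d) && make_sample "$d"
post_summary "$d/access.log"; suspicious_php "$d"; recent_php "$d" 2; htaccess_redirects "$d"
rm -rf "$d"
```

On a real server, point the functions at the web root and the access log for the period in which the redirects started, and take a backup before editing any flagged file.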
Getting Malware Cleanup From a professional
- Professionals like Astra Web Security can help you here. With Astra’s Malware Cleanup, your website will be recovered, and you will also benefit from a subscription to its continuous and comprehensive security monitoring with its Firewall and automated Malware Scanner.
WordPress Hacked Redirect: After cleanup steps to protect your website
Once you have completed the cleanup process, you need to update your secret keys and passwords. You might also have to reinstall all the plugins, free and premium ones, to ensure a fresh setup.
A good step would be to use Google Webmaster tool. This is a free tool, and you will receive a lot of information about your website which will let you manage it better. You can also submit unknown malware for evaluation. Once you clean the website, submit it for a review along with all the steps you took for removing the malware. You can do this by following the steps below:
- Log in to the Google Search Console
- Verify your ownership of the website
- Go to Site, then click on the Dashboard option
- Select the Security Issue
In most of the cases, the infection is in the header.php file of the website. This happens only when the attacker has access to the administrator interface in WordPress and can change the theme file’s settings from there. You can avoid such attacks by disabling the user’s ability to change the PHP files through wp-admin. To change the settings add the following code to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
This removes the theme and plugin file editors from wp-admin, which closes this route for WordPress hacked redirects and avoids the resulting disruption to website uptime.
WordPress Malicious Redirects: Conclusion
Once you are done cleaning your website, you are ready to put it back online. Before doing that, test the functioning of your website and make sure that there are no anomalies. You will also need to harden your website security. Follow this complete WordPress security guide to enhance your website’s security.
With these security basics taken care of, install a premium website security service such as Astra to monitor your website’s security in real-time. This will ensure that your website is protected and safe from any WordPress hacked redirect. Astra has features such as remote malware scanning, file injection protection, signup spam protection, etc., in addition to its firewall and VAPT (Vulnerability Assessment and Penetration Testing). With their latest and comprehensive tools, you can breathe easy.