WordPress Hacked Redirect? How To Clean Website Redirect Malware

Sep 5, 2020


WordPress Hacked Redirect? How To Clean Website Redirect Malware

Sep 5, 2020


Is your website getting redirected to another site?

Or worse…

Is your WordPress Dashboard redirecting to another site?

You have been infected with the WordPress hacked redirect malware.

You think that because you have a malware scanner in place, you are safe. But here’s what Quttera flags:

Threat name: Heur.AlienFile.gen

What does that even mean?

Apparently, that’s what they call the WordPress hacked redirect issue.

It’s also possible that you tried cleaning your website already and it just doesn’t seem to work.

Here’s what doesn’t and won’t work:

  • Deactivating or deleting the plugin or theme that caused the infection
  • Using a backup to restore your website to a previous version
  • Updating WordPress or your themes and plugins

On the surface, this seems like a harmless, annoying prank.

The reality is much more sinister.

TL;DR: Hacked redirect malware is super-difficult to pinpoint and remove manually. The good news is that you can clean up your website in less than 60 seconds, using a malware removal tool.

The WordPress hacked redirect malware:

  • Steals your traffic and destroys your reputation

malicious javascript redirect theme modification

Google notifying site may be hacked

web host email site flagged for malware

That’s not even the worst part.

There are literally hundreds of variants of the WordPress hacked redirect malware. The more sophisticated the hacker, the harder it is to find this malware and remove it.

Also, because it’s such a visible hack… 

… you think that the worst part is that your website redirects to another site.

But in reality, the most dangerous part is that the WordPress hacked redirect malware also creates WordPress user accounts with admin privileges.

This means that the hacker can reinfect your websites just as many times as you can clean it.

Now imagine using a cleaning service like Wordfence that charges you for each cleanup even if it is a repeat hack. The hacked redirect malware will essentially bleed you dry.

Wordfence also comes up with way too many flags for WordPress hacked redirect:

* Unknown file in WordPress core: wp-admin/css/colors/blue/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/coffee/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/ectoplasm/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/light/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/midnight/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/ocean/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/sunrise/php.ini
* Unknown file in WordPress core: wp-admin/css/php.ini
* Unknown file in WordPress core: wp-admin/images/php.ini
* Unknown file in WordPress core: wp-admin/includes/php.ini
* Unknown file in WordPress core: wp-admin/js/php.ini
* Unknown file in WordPress core: wp-admin/maint/php.ini
* Unknown file in WordPress core: wp-admin/network/php.ini
* Unknown file in WordPress core: wp-admin/php.ini

This is how Wordfence tells you that you have the WordPress hacked redirect malware.

Again, what exactly are you even supposed to do with that information?

You need a permanent cleanup for the WordPress hacked redirect malware now.

The longer you wait, the more you will suffer at the hands of the malware.

Fortunately, you CAN clean your website and we’re going to show you how.

Let’s dive right in.

How Do You Know For Sure That You Have the WordPress Hacked Redirect Malware?

There are way too many ways in which you can get infected with the WordPress hacked redirect malware.

So, how do you even know for sure if you have been infected with that particular virus?

Do a litmus test.

If your answer to any of the following is, “Yes,” then you have the redirect malware:

  • You have a visible redirect to another website for all pages all the time
  • Google Search Results flag spam content for your website
  • You have unidentified push notifications on your website
  • There is malicious javascript code in the index.php file
  • The .htaccess file has unidentified code in it
  • There are garbage files with suspicious names on your server

This might sound totally crazy, but the first check is actually the least common.

As we mentioned before, the WordPress hacked redirect issue has far too many variants to pinpoint (more on this later). Even if you have full access to the website, you may never find an actual piece of malicious code.

How to Clean Your Website from WordPress Hacked Redirect

There are 3 ways in which you can clean your website after you get the WordPress hacked redirect.

  • Method #2: Use an Online Security Scanner (NOT RECOMMENDED)
  • Method #3: Clean the Website Manually (Downright Impossible for the Hacked Redirect Malware)

Let’s take a look at each in turn.

Method #1: Use a Malware Scanner and Cleaner Plugin

Trust us when we say it: even if you have to spend money on a plugin, that’s exactly what you want to do if you get infected with a Malware that redirects your website to Spam.

You better pray to every God every religion has to offer that a plugin can clean up your website.

If for any reason you can’t get a malware scanner and cleaner that solves this problem, it’s really much better to delete your website and create a new one.

It doesn’t even matter how vital your website is for your business.

That’s how frustrating it is to clean your website manually.

We recommend using a powerful malware scanner and cleaner such as MalCare.

Although this might be slightly biased, we wholeheartedly recommend using MalCare to scan and clean your site for WordPress hacked redirect malware.


This is the quickest and easiest way to find, remove and fix the WordPress redirection issue without breaking your website.

You can get unlimited FREE server-level scans to make sure that your website is really infected. 

Then, you can simply upgrade to the premium version to clean your website in less than 60 seconds with one click!

Afterwards, you can use MalCare’s WordPress security hardening methods to make sure that your website doesn’t get hacked again.

Here’s the step-by-step process you’ll need to follow:

STEP 1: Sign up for MalCare

upload plugin

STEP 2: Run the MalCare scanner:

malcare security

STEP 3: Hit the ‘Clean’ Button to automatically clean your site.

malcare auto-clean

STEP 4: Finally, head over to ‘Apply Hardening’ and secure your website against future threats

malcare apply hardening

That’s all you need to do.

WordPress Redirect Hack is only one of many malwares that MalCare is equipped to automatically detect and clean.

Now, if you’re not going to use a premium scanner and cleaner like MalCare, then you probably have a security plugin installed such as:

  • Sucuri
  • Wordfence
  • Quterra
  • Astra Web Security
  • WebARX Security

While none of these security plugins can actually offer one-click auto-cleanups backed by a learning algorithm, you will get security personnel cleaning your website manually.

Full Disclosure! With any of these plugins:

  • Do not expect a quick cleanup. Manual cleanups take time.
  • Cleanups are charged additionally for repeat hacks. You won’t get unlimited cleanups like MalCare customers.
  • You may not be able to remove the malware completely. Most of these plugins will overlook the backdoors left by the hacker.

But using any of these plugins is a better option than using a web scanner or doing a full manual sweep of your WordPress site.

If you’re completely against a paid solution because you’ve been burnt by one in the past, keep reading. We’ll give you two more options to try although we don’t recommend either.

Method #2: Use an Online Security Scanner

As a preliminary check, you can use Sucuri SiteCheck or Google Safe Browsing.

These are both online security scanners that run a very weak check of your website’s HTML files. Online scanners can only check the parts of your website that are visible to a browser. Then the scanner runs those code snippets against their database of known malware signatures.

Instead, scan your website using MalCare. We offer a much deeper scan in our 7-day FREE trial.

Online security scanners can’t check your server or WordPress core files for malware.

To be very clear, they are not completely useless.

Web-based security scanners can spot links that may have been blacklisted by search engines. You may or may not be able to find snippets of common malware in some rare instances. But if you want to pinpoint and clean your website, you need a server-level malware scanner.

The way in which these scanners work is very simple:

  • Head over to the scanner
  • Drop the link to your website for the scanner to check
  • Wait for the scanner to come up with some results

Again, using a superficial scanner is not going to help your situation

You might get a few pointers on a couple of bad links to clean, but the hacker will still have access to your WordPress website. In a couple of days, you will be reinfected with the WordPress hacked redirect malware.

Method #3: Scan and Clean Your Site Manually

We’ll be real upfront here.

Trying to clean your website manually is a bona-fide way to wreck it completely.

We’re not joking here.

Seasoned database administrators with 10+ years of experience are terrified of having to clean up a WordPress database manually. Complete WordPress pros will tell you to never play around with the WordPress core files and the .htaccess file.

Unfortunately, the WordPress hacked redirect malware usually affects:

  • Core WordPress Files
    • index.php
    • wp-config.php
    • wp-settings.php
    • wp-load.php
    • .htaccess

  • Theme Files
    • footer.php
    • header.php
    • functions.php

  • Javascript Files (This could be ALL javascript on your website or specific files)

  • WordPress Database
    • wp_posts
    • wp_options

  • Fake Favicon.ico That Cause (These files contain malicious PHP code):
    • URL injections
    • Creation of administrator accounts
    • Installation of spyware/trojans 
    • Creation of phishing pages

That’s a LOT of ground to cover.

So, if you’re the adventurous type and you’re dead set on scanning and cleaning your website manually, take a full website backup.

Do it. 

Do it right now.

You can use BlogVault to take backups with one-click restores just in case something goes wrong. It’s one of the best backup plugins you’ll find.

Honestly, it doesn’t matter right now if you want to use another backup plugin as long as you take a backup right now.

Next, you want to follow these steps exactly as we go along.

Part 1: Check WordPress Core Files

Your WordPress Core files are going to be the primary target for many variants of the WordPress hacked redirect malware.

Step 1: Check the WordPress version on your site

This nifty article by Kinsta will show you how to check the WordPress version. Even if you can’t access your WordPress admin dashboard, you can still find your WordPress version.

Step 2: Download your WordPress files using cPanel

You can download your files from cPanel directly. Head over to cPanel and use the Backup Wizard to download the files.

This article by Clook will show you how.

Step 3: Download a pristine copy of the version of WordPress on your site

Download the original WordPress files here.

Step 4: Run a Diffchecker

This last step is not going to make you happy. You’ll have to upload both versions of each file manually to https://www.diffchecker.com/ and run the diffcheck.

Yeah, it’s going to take a while and it’s a pain to do. To be honest, if you’re not 100% sure about what you are seeing, it’s a very bad idea to delete the differences. It could end up wrecking your site.

Part 2: Check for Backdoors

Backdoors are exactly what they sound like – entry points for hackers to access your website without you knowing about it.

Search your website for malicious PHP functions such as:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

NOTE: These functions are NOT evil by default. Many PHP plugins use them for legitimate reasons. So, again, if you’re not sure what you are looking at, do not delete stuff from the code. Just in case you deleted something and it broke your site, use that backup to restore your site.

The WP hacked redirect malware can actually leave multiple backdoors. Finding them all manually is a real pain. Again, we recommend installing MalCare straight away.

Part 3: Remove Any Unknown Admin Accounts

Of course, this is assuming that you can actually access your WordPress dashboard, but if you can:

  • Head over to Users
  • Scan for any suspicious admins and delete them
  • Reset the passwords for all admin accounts
  • Go to Settings >> General
  • Disable Membership Option for ‘Anyone can register’
  • Set Default Membership Role to ‘Subscriber’

For good measure, you should also change your WordPress Salts and Security Keys.

WordPress Site hacked redirect issues actually survive in your WordPress site even after a cleanup because of these fake admin accounts.

Part 4: Scan Plugin Files

You can check the plugins in the same way you checked WordPress core files. Head over to WordPress.org and download the original plugins. Then run the diffchecker again for all plugin files to discover the WordPress hacked redirect malware.

Yes, this is annoying. But more importantly, this is a really limited option. There may not even be a plugin update that covers the vulnerability.

Not cool.

Part 5: Scan and Clean Your Database

This is probably the worst part of cleaning up the WordPress hacked redirect malware from your site. 

But it’s almost over.

Scanning the database is pretty similar to scanning for backdoors.

Search for keywords such as:

  • <script>
  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

Important: DO NOT RANDOMLY DELETE STUFF FROM YOUR DATABASE. Even a single space out of place can wreck your entire site.

But if you managed to clean your site manually without a hitch, give us a call. If nothing else, we’d really like to hire you!

And if you gave up halfway through the manual WordPress hacked redirect cleanup, trust us when we say it, it’s not just you. The WordPress hacked redirect issue is one of the hardest hacks to fix.

Just use MalCare to clean up your site in 60 seconds and get back to your life.

The rest of this article is about how you got hacked in the first place and the different variants of the WordPress hacked redirect issue.

Feel free to go through it all and understand this malware better. It’ll help you in the long run.

The Real Reason Why the Malicious Redirects Issue Is Terrifying

Long story short: There are way too many variations of the Redirect malware that keeps redirecting your website to Spam.

hack types and symptoms

There’s diversity for you!

But that’s only one half of the problem.

The other half is that your website can get infected with WordPress hacked redirect in a dozen-odd ways. Different variants affect different parts of your website in different ways.

It’s exhausting even trying to understand the malware, much less clean it up.

So, how can you get infected?

How Your Website Can Get Infected by WordPress Redirect Malware

As with any malware, there are many different ways in which your WordPress site can get infected.

Let’s go over a few popular ones.

Infections Through Plugin Vulnerabilities (XSS)

Plugin Vulnerabilities such as Cross-Site Scripting are a really common way in which hackers can infect your website with Website hacked redirect malware.

Some common plugins with known XSS vulnerabilities are:

  • WP Easy SMTP
  • WordPress Live Chat Support
  • Elementor Pro

Malicious Code In .htaccess Or wp-config.php Files

The .htaccess and wp-config.php files are two of the most popular targets for hackers.

Inserting malicious code in these files is a common motif for Pharma Hacks.

Pro Tip: If you’re checking either of these files for malicious code, scroll to the right as far as possible. The malicious code may be hidden to the far right where you would not normally think to look!

You should also check all the WordPress core files such as functions.php, header.php, footer.php, wp-load.php, and wp-settings.php for best results.

Malicious Javascript Infections

Most plugins & themes allow you to add javascript in the <head> or just before </body>tag. 

This is usually to add tracking and analytics code for Google Analytics, Facebook, Google Search console, Hotjar, and so on.

The website’s Javascript is usually one of the hardest places to inspect in the website for redirect links. To make it even harder, hackers will convert the redirection URL into a string of ASCII numerals that represent characters.

In other words, the malware will convert the word ‘pharma’ to ‘112 104 097 114 109 097’ so that a human can’t read it.

How insane is that?

Ghost WordPress Admins

Once the hacker has infected your website with a fake favicon or similarly malicious PHP, they can create Ghost Admins that they can use to access your website whenever they want.

This way, they can keep reinfecting your website with WordPress hacked redirect malware as many times as they want.


What Should You Do Next?

Be safe.

Stop using plugins with known vulnerabilities until they come up with an update. Stop using nulled themes and plugins. Stop using outdated themes, plugins, and WordPress files.

Also, install a WordPress malware removal plugin such as MalCare to keep your site protected against future threats.

As an added measure, you can beef up your security using WordPress hardening.

That’s all for this one, folks.

We hope you were able to clean your site.

Talk soon!

WordPress Hacked Redirect
Share via
Copy link