WordPress Hacked Redirect? How To Clean Website Redirect Malware

Dec 19, 2020

by

WordPress Hacked Redirect? How To Clean Website Redirect Malware

Dec 19, 2020

by

Is your website getting redirected to another site?

Or worse…

Is your WordPress Dashboard redirecting to another site? Maybe if you have Quttera installed, you’re seeing this:

Threat name: Heur.AlienFile.gen

Of course, that is not remotely helpful. Don’t worry though; we’ll explain everything.

You have been infected with the WordPress hacked redirect malware. It’s also possible that you tried cleaning your website already and it just doesn’t seem to work.

Here’s what doesn’t and won’t work:

  • Deactivating or deleting the plugin or theme that caused the infection
  • Using a backup to restore your website to a previous version
  • Updating WordPress or your themes and plugins

TL;DR: Hacked redirect malware is super-difficult to pinpoint and remove manually. The good news is that you can clean up your website in less than 60 seconds, using a malware removal tool.

What Is Happening to Your Website

The WordPress hacked redirect malware:

  • Steals your traffic and destroys your reputation

malicious javascript redirect theme modification

Google notifying site may be hacked

web host email site flagged for malware

That’s not even the worst part.

There are literally hundreds of variants of the WordPress hacked redirect malware. The more sophisticated the hacker, the harder it is to find this malware and remove it.

Also, because it’s such a visible hack… 

… you think that the worst part is that your website redirects to another site.

But in reality, the most dangerous part is that the WordPress hacked redirect malware also creates WordPress user accounts with admin privileges.

This means that the hacker can reinfect your websites just as many times as you can clean it.

Now imagine using a cleaning service like Wordfence that charges you for each cleanup even if it is a repeat hack. The hacked redirect malware will essentially bleed you dry.

Wordfence also comes up with way too many flags for WordPress hacked redirect:

* Unknown file in WordPress core: wp-admin/css/colors/blue/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/coffee/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/ectoplasm/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/light/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/midnight/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/ocean/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/sunrise/php.ini
* Unknown file in WordPress core: wp-admin/css/php.ini
* Unknown file in WordPress core: wp-admin/images/php.ini
* Unknown file in WordPress core: wp-admin/includes/php.ini
* Unknown file in WordPress core: wp-admin/js/php.ini
* Unknown file in WordPress core: wp-admin/maint/php.ini
* Unknown file in WordPress core: wp-admin/network/php.ini
* Unknown file in WordPress core: wp-admin/php.ini
...

This is how Wordfence tells you that you have the WordPress hacked redirect malware.

Again, what exactly are you even supposed to do with that information?

You need a permanent cleanup for the WordPress hacked redirect malware now.

The longer you wait, the more you will suffer at the hands of the malware.

Fortunately, you CAN clean your website and we’re going to show you how.

How Do You Know For Sure That You Have the WordPress Hacked Redirect Malware?

There are way too many ways in which you can get infected with the WordPress hacked redirect malware.

So, how do you even know for sure if you have been infected with that particular virus?

Do a litmus test.

If your answer to any of the following is, “Yes,” then you have the redirect malware:

  • You have a visible redirect to another website for all pages all the time
  • Google Search Results flag spam content for your website
  • You have unidentified push notifications on your website
  • There is malicious javascript code in the index.php file
  • The .htaccess file has unidentified code in it
  • There are garbage files with suspicious names on your server

This might sound totally crazy, but the first check is actually the least common.

As we mentioned before, the WordPress hacked redirect issue has far too many variants to pinpoint (more on this later). Even if you have full access to the website, you may never find an actual piece of malicious code.

How to Clean Your Website from WordPress Redirect Hack

There are 3 ways in which you can clean your website after you get the WordPress redirect hack.

  • Method #2: Use an Online Security Scanner (NOT RECOMMENDED)
  • Method #3: Clean the Website Manually (Downright Impossible for the Hacked Redirect Malware)

Let’s take a look at each in turn.

Method #1: Use a Malware Scanner and Cleaner Plugin

Trust us when we say it: even if you have to spend money on a plugin, that’s exactly what you want to do if you get infected with a Malware that redirects your website to Spam.

You better pray to every God every religion has to offer that a plugin can clean up your website.

If for any reason you can’t get a malware scanner and cleaner that solves this problem, it’s really much better to delete your website and create a new one.

It doesn’t even matter how vital your website is for your business.

That’s how frustrating it is to clean your website manually.

We recommend using a powerful malware scanner and cleaner such as MalCare.

Although this might be slightly biased, we wholeheartedly recommend using MalCare to scan and clean your site for WordPress hacked redirect malware.

Why?

This is the quickest and easiest way to find, remove and fix the WordPress redirection issue without breaking your website.

You can get unlimited FREE server-level scans to make sure that your website is really infected. 

Then, you can simply upgrade to the premium version to clean your website in less than 60 seconds with one click!

Afterwards, you can use MalCare’s WordPress security hardening methods to make sure that your website doesn’t get hacked again.

Here’s the step-by-step process you’ll need to follow:

STEP 1: Sign up for MalCare

upload plugin

STEP 2: Run the MalCare scanner:

malcare security

STEP 3: Hit the ‘Clean’ Button to automatically clean your site.

malcare auto-clean

STEP 4: Finally, head over to ‘Apply Hardening’ and secure your website against future threats

malcare apply hardening

That’s all you need to do.

WordPress Redirect Hack is only one of many malwares that MalCare is equipped to automatically detect and clean.

Now, if you’re not going to use a premium scanner and cleaner like MalCare, then you probably have a security plugin installed such as:

  • Sucuri
  • Wordfence
  • Quterra
  • Astra Web Security
  • WebARX Security

While none of these security plugins can actually offer one-click auto-cleanups backed by a learning algorithm, you will get security personnel cleaning your website manually.

Full Disclosure! With any of these plugins:

  • Do not expect a quick cleanup. Manual cleanups take time.
  • Cleanups are charged additionally for repeat hacks. You won’t get unlimited cleanups like MalCare customers.
  • You may not be able to remove the malware completely. Most of these plugins will overlook the backdoors left by the hacker.

But using any of these plugins is a better option than using a web scanner or doing a full manual sweep of your WordPress site.

If you’re completely against a paid solution because you’ve been burnt by one in the past, keep reading. We’ll give you two more options to try although we don’t recommend either.

Method #2: Use an Online Security Scanner

As a preliminary check, you can use Sucuri SiteCheck or Google Safe Browsing.

These are both online security scanners that run a very weak check of your website’s HTML files. Online scanners can only check the parts of your website that are visible to a browser. Then the scanner runs those code snippets against their database of known malware signatures.

Instead, scan your website using MalCare. We offer a much deeper scan in our 7-day FREE trial.

Online security scanners can’t check your server or WordPress core files for malware.

To be very clear, they are not completely useless.

Web-based security scanners can spot links that may have been blacklisted by search engines. You may or may not be able to find snippets of common malware in some rare instances. But if you want to pinpoint and clean your website, you need a server-level malware scanner.

The way in which these scanners work is very simple:

  • Head over to the scanner
  • Drop the link to your website for the scanner to check
  • Wait for the scanner to come up with some results

Again, using a superficial scanner is not going to help your situation

You might get a few pointers on a couple of bad links to clean, but the hacker will still have access to your WordPress website. In a couple of days, you will be reinfected with the WordPress hacked redirect malware.

Method #3: Scan and Clean Your Site Manually

We’ll be real upfront here.

Trying to clean your website manually with WP redirect hack is a bona-fide way to wreck it completely.

We’re not joking here.

Seasoned database administrators with 10+ years of experience are terrified of having to clean up a WordPress database manually. Complete WordPress pros will tell you to never play around with the WordPress core files and the .htaccess file.

Unfortunately, the WordPress redirect malware usually affects:

  • Core WordPress Files
    • index.php
    • wp-config.php
    • wp-settings.php
    • wp-load.php
    • .htaccess

  • Theme Files
    • footer.php
    • header.php
    • functions.php

  • Javascript Files (This could be ALL javascript on your website or specific files)

  • WordPress Database
    • wp_posts
    • wp_options

  • Fake Favicon.ico That Cause (These files contain malicious PHP code):
    • URL injections
    • Creation of administrator accounts
    • Installation of spyware/trojans 
    • Creation of phishing pages

That’s a LOT of ground to cover.

So, if you’re the adventurous type and you’re dead set on scanning and cleaning your website manually, take a full website backup.

Do it. 

Do it right now.

You can use BlogVault to take backups with one-click restores just in case something goes wrong. It’s one of the best backup plugins you’ll find.

Honestly, it doesn’t matter right now if you want to use another backup plugin as long as you take a backup right now.

Next, you want to follow these steps exactly as we go along.

Part 1: Check WordPress Core Files

Your WordPress Core files are going to be the primary target for many variants of the WordPress hacked redirect malware.

Step 1: Check the WordPress version on your site

This nifty article by Kinsta will show you how to check the WordPress version. Even if you can’t access your WordPress admin dashboard, you can still find your WordPress version.

Step 2: Download your WordPress files using cPanel

You can download your files from cPanel directly. Head over to cPanel and use the Backup Wizard to download the files.

This article by Clook will show you how.

Step 3: Download a pristine copy of the version of WordPress on your site

Download the original WordPress files here.

Step 4: Run a Diffchecker

This last step is not going to make you happy. You’ll have to upload both versions of each file manually to https://www.diffchecker.com/ and run the diffcheck.

Yeah, it’s going to take a while and it’s a pain to do. To be honest, if you’re not 100% sure about what you are seeing, it’s a very bad idea to delete the differences. It could end up wrecking your site.

Part 2: Check for Backdoors

Backdoors are exactly what they sound like – entry points for hackers to access your website without you knowing about it.

Search your website for malicious PHP functions such as:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

NOTE: These functions are NOT evil by default. Many PHP plugins use them for legitimate reasons. So, again, if you’re not sure what you are looking at, do not delete stuff from the code. Just in case you deleted something and it broke your site, use that backup to restore your site.

The WP hacked redirect malware can actually leave multiple backdoors. Finding them all manually is a real pain. Again, we recommend installing MalCare straight away.

Part 3: Remove Any Unknown Admin Accounts

Of course, this is assuming that you can actually access your WordPress dashboard, but if you can:

  • Head over to Users
  • Scan for any suspicious admins and delete them
  • Reset the passwords for all admin accounts
  • Go to Settings >> General
  • Disable Membership Option for ‘Anyone can register’
  • Set Default Membership Role to ‘Subscriber’

For good measure, you should also change your WordPress Salts and Security Keys.

WordPress Site hacked redirect issues actually survive in your WordPress site even after a cleanup because of these fake admin accounts.

Part 4: Scan Plugin Files

You can check the plugins in the same way you checked WordPress core files. Head over to WordPress.org and download the original plugins. Then run the diffchecker again for all plugin files to discover the WordPress hacked redirect malware.

Yes, this is annoying. But more importantly, this is a really limited option. There may not even be a plugin update that covers the vulnerability.

Not cool.

Part 5: Scan and Clean Your Database

This is probably the worst part of cleaning up the WordPress hacked redirect malware from your site. 

But it’s almost over.

Scanning the database is pretty similar to scanning for backdoors.

Search for keywords such as:

  • <script>
  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

Important: DO NOT RANDOMLY DELETE STUFF FROM YOUR DATABASE. Even a single space out of place can wreck your entire site.

But if you managed to clean your site manually without a hitch, give us a call. If nothing else, we’d really like to hire you!

And if you gave up halfway through the manual WordPress hacked redirect cleanup, trust us when we say it, it’s not just you. The WordPress hacked redirect issue is one of the hardest hacks to fix.

Just use MalCare to clean up your site in 60 seconds and get back to your life.

The rest of this article is about how you got hacked in the first place and the different variants of the WordPress hacked redirect issue.

Feel free to go through it all and understand this malware better. It’ll help you in the long run.

Why is the Malicious Redirects Issue so Bad?

The primary reason malicious redirects is so bad is that site owners rarely are the first to find out about an infection. If site owners are very lucky, they will have visitors sending them emails asking why their websites redirect to shady-looking pages with questionable products; or why they look nothing like the original website. 

Or if they aren’t so lucky, they may find out through social media, or Google Search Console, because Google will eventually blacklist an infected website. 

Either way, no one wants to be in their shoes. Preempt an infection by installing a top-grade security plugin. It is the best way to protect your website and your visitors from the evils lurking on the Internet. 

Another reason malicious redirects are particularly, well malicious, is that they come in so many different flavors. Here are some of the things that can happen to a visitor to your website:

hack types and symptoms

How to Prevent Malicious Redirects in the Future

The old adage is right: prevention is better than cure. The reason is that once a disease (in this case malware) takes hold, it spreads quickly and viciously through its host. The longer a website is infected, the more of its data is compromised, more of its users are targeted and ultimately the owner—you—loses more money. 

The secret to preventing malicious redirects is to have a secured website with a strong firewall. Here are some security measures you can take: 

  • Install MalCare, a security plugin with a strong scanner and firewall. This is triple protection, because it combines prevention, scanning and cleaning.  
  • Keep your themes and plugins updated: This is the bare minimum to do, because as you will see in the linked article, most themes and plugins fix security loopholes in their updates. 
  • Do not use pirated themes and plugins. If you have them, get rid of them. The resulting loss of is not worth the money saved by using them.
  • Use strong login credentials and require your users to do the same. 
  • Manage WordPress permissions; employ the least privileges principle.  
  • You can secure your login page because hackers target it more than any other page on your website. Here’s a handy guide: How to Secure WordPress Admin.

These are a few, easy measures that you can implement on your website. Additionally, there are website hardening measures you can apply as well. Most of these are included with MalCare, so the easiest way to protect your website is to install it now

How Your Website Can Get Infected by WordPress Redirect Malware

As with any malware, there are many different ways in which your WordPress site can get infected. Let’s go over a few popular ones.

Unsecured Accounts with Privileges

Make sure only the people you absolutely trust have admin privileges. In fact, responsible website ownership means that you implement the minimum privileges for all accounts. Remember, yours isn’t the only website that people log into. If their email addresses or login credentials are compromised on another website that could well spell trouble for you.

Vulnerabilities in Themes and Plugins

Remove any plugins or themes that you aren’t actively using, and audit the ones you are using regularly. Check developer pages and read reports about newly uncovered vulnerabilities. Make sure they are always updated, because developers will patch their products with security updates. 

This is also a good reason to use paid plugins where developers are actively maintaining the code. At MalCare, we analyse so many websites in the course of our work, we have built a robust security plugin by actively maintaining a threat database. Install it today, and rest easy.

Infections Through XSS

Cross-site scripting is the number one vulnerability on the web, and therefore is a really common way in which hackers can infect your website with hacked redirect malware. An attack of this sort is carried out by inserting malicious JavaScript code into your website.

Most plugins & themes allow you to add javascript in the <head> or just before </body>tag. This is usually to add tracking and analytics code for Google Analytics, Facebook, Google Search console, Hotjar, and so on.

The website’s Javascript is usually one of the hardest places to inspect in the website for redirect links. To make it even harder, hackers will convert the redirection URL into a string of ASCII numerals that represent characters. In other words, the malware will convert the word ‘pharma’ to ‘112 104 097 114 109 097’ so that a human can’t read it.

Some common plugins with known XSS vulnerabilities are:

  • WP GDPR
  • WP Easy SMTP
  • WordPress Live Chat Support
  • Elementor Pro

The list runs in the thousands though, because XSS vulnerabilities can take many forms. 

Malicious Code In .htaccess Or wp-config.php Files

The .htaccess and wp-config.php files are two of the most popular targets for hackers.

Inserting malicious code in these files is a common motif for Pharma Hacks.

Pro Tip: If you’re checking either of these files for malicious code, scroll to the right as far as possible. The malicious code may be hidden to the far right where you would not normally think to look!

You should also check all the WordPress core files such as functions.php, header.php, footer.php, wp-load.php, and wp-settings.php for best results.

Ghost WordPress Admins

Once the hacker has infected your website with a fake favicon or similarly malicious PHP, they can create Ghost Admins that they can use to access your website whenever they want.

This way, they can keep reinfecting your website with WordPress hacked redirect malware as many times as they want.

Yikes.

Third-party services

If you are running ads or other third-party services on your website, it could be possible that malicious code could be shown to your visitors that way. Some ad publishers are lax with the ads they serve, or perhaps the malicious material slipped through. Either way, your website is the victim. 

It is important to vet the publisher network, and to also periodically check your websites for redirect ads from an incognito browser. Also, it is worthwhile to refresh a few times, as ads are often cycled through online properties. 
It is vitally important to keep your website infection-free, and being alert is important. Before anyone else discovers a redirect hack, make sure to scan your website regularly.

What Should You Do Next?

Be safe.

Stop using plugins with known vulnerabilities until they come up with an update. Stop using nulled themes and plugins. Stop using outdated themes, plugins, and WordPress files.

Also, install a WordPress malware removal plugin such as MalCare to keep your site protected against future threats.

As an added measure, you can beef up your security using WordPress hardening.

The existence of WordPress redirect malware on your website could be a sign of common hack attacks like SQL injection attacks, phishing attacks, and SEO spam. You can check them out if you like.

That’s all for this one, folks.

We hope you were able to clean your site.

Talk soon!

WordPress Hacked Redirect
Share via
Copy link