Is your WordPress website redirecting to another site? As bad as we feel breaking the news to you, but the truth is, someone hacked your WordPress site.

WordPress is the world’s number one choice for building sites, and as such it draws attention from hackers, bots and the rest. Hacked WordPress websites are common. WPMUDev reports that every minute, over 90,000 malicious attacks strikes on WordPress websites.

“WordPress is becoming more and more popular and as more people enter the world of blogging. It’s likely that WordPress security issues are going to grow.” – Matthew Woodward, award winning business & internet marketing blogger

WordPress site hacked? Whether big or small, WordPress sites are a prime target for cybercriminals. In fact, smaller businesses are more at risk, since small business owners tend to be lax about their site’s security. It makes small websites a perfect catch.

wordpress php malicious code hacked

A sample of malicious code injected in a php file

There are several motives behind hacking a website. One such motive is inserting codes that cause website redirects to spammy sites. After gaining access to your website, hackers inject malicious codes that redirect visitors to malicious websites, phishing pages, and malware websites. This could have serious ramifications on your business/brand and could drive away valuable visitors.

Table of Content:

  1. Negative Impact of redirection?
  2. Detect and Clean Malicious Redirects
  3. Protect Website From Future WordPress Malware Redirects Hacks
Negative Impact of redirection?

Hackers can inflict serious damage to your online presence simply by redirecting traffic from your website. If your website is redirecting, here’s how it can be damaging to your website:

    • A visitor to your hacked site could be redirected to websites selling illegal substances! Your brand’s trust will definitely take a hit. But if your visitor ends up ordering any of these banned products, it could land him and by extension you, in a whole lot of trouble.
    • When the search engines find out that your site is promoting illegal drugs, not only will your site be blacklisted, but you will also start losing web traffic rapidly.
    • Your SEO ranking will plummet, which means years of hard work will vanish, not to mention a serious loss of customers too.
    • Your web host may shut down your site, lest other websites on the same server also get infected with malware.
    • Visitors may download software that’ll infect their system, resulting in a breach of privacy.

Given the severity of the issue, it’s critical to detect and remove the malicious redirects from your website.

Detect and Clean Malicious Redirects

Your site is redirecting due to the presence of infected codes added by hackers. To remove these spam redirects, one has to find malicious codes or malware and remove them. Malware might be in the database, htaccess file, theme or plugin, WordPress core or even in your uploads. You can scan a hacked website either manually or by using automated tools.

Step 1: Scan WordPress Website

The first step involves scanning your WordPress site to locate the malicious code. You can do it either manually or by using a security plugin.

There are a few ways to manually identify WordPress hack or malware on a WordPress website.

Manual Scanning

Pattern or Signature Matching: During manual scanning, the website owner may find himself searching for known patterns of malicious codes. Upon finding one, s/he can go ahead and delete these codes. The problem with this method is that it only matches a known pattern. The code can exist in an infinite number of patterns. Moreover, the method is tedious.


puzzles matching


Keyword Identification: Another common way of looking for malicious codes is to find known keywords ‘eval’ or ‘base64_decode’ that are usually parts of many malicious codes.

The drawback with this method is that you’ll find that these keywords are also part of legitimate codes. In fact, many plugins too, have these keywords in their code. Hence searching for these keywords is not a fool-proof way of finding malware. You may end up deleting a valid piece of code leading to malfunction of your WordPress website.

Comparing the Difference in the Core Files: The WordPress core files determine the appearance and functionalities of WordPress software. Sometimes malware is inserted into this part of the site. Since WordPress is open-source software, its files are publicly available. By comparing the WordPress core files present on your website with the one publicly available, you can come across a file that should not present on your site.

Comparing the differences in the core files is an effective way to detect malware to some extent. However, it too has its limitations. Without proper technical understanding, you may end up comparing two different versions of WordPress resulting in false alarms.

More file checks that you can perform

Matching Plugin Files: Another thing you could possibly do is match plugins. Make a list of the plugins that you have already installed. Next, download the same plugins from the WordPress plugin repository. Now match these two. This a decent way (albeit a time consuming one) of finding malware. As you might have guessed, this too comes with its own set of problems.

You see, there are different versions of plugins, and not all are publicly available. Some of these have modifications that are often not captured in the repository. These factors make matching WordPress plugin files tedious and unreliable.

Look For Recently Modified Files: There’s a good chance that recently modified files are part of a hack. The hacker may have injected malware or malicious codes into these files. You should treat suspiciously any file that was not modified by you or anyone else handling your website. But if the hacker is worth his salt, he would have reset the time of modification. Good luck finding the modified file then!

Look for Unknown Files & Folders in WordPress Root Folder: Typically, a WordPress website owner doesn’t need to access the WordPress root directory (/public_html), making it a vulnerable target for injecting malware. The plugin (/wp-content/plugins/) folder and theme folder (/wp-content/themes/) present inside the root directory are also at high risk for attacks. Hence, looking for unknown files present in the directories is the general rule of thumb.

While theme and plugins come with known sets of files and folder, unfamiliar, yet safe files may also be present. Deleting them unwittingly could cause the plugin to misbehave and you should avoid them.

Given the complexity of finding malware manually, the success rate of these above-mentioned methods is always very limited. Hence it’s better to choose automated tools over manual scanning.

Scanning Using a Security Plugin

As with anything WordPress related, there are tons of Security Scanning Plugins available. But unfortunately, most of these security scanners including the top ones rely on ineffective methods we just discussed. Unlike other WordPress security plugins, MalCare does not rely on pattern matching or keyword identification. Instead, MalCare uses the knowledge from the hundreds and thousands of websites it is already installed on to find new and complex hacks.

To learn more about WordPress website scanners, take a look at this top 5 WordPress malware scanners comparison.

Step 2: Clean Malware Redirects

Ideally, the security plugin that you choose to scan your website for malware should also undertake the task of cleaning it. Let’s take a look at the different cleaning options available to WordPress users:


virus delete


One-Click Automated Cleanup:  MalCare security service is the only plugin that offers Automated one-click cleanups. Our product is unique in the sense that it allows users to remove malware from your WordPress websites with a mere click of a button. There is no external security personnel involved, and therefore absolutely no need to wait. MalCare offers three different packages and irrespective of the package you choose, it includes an unlimited number of cleanups.

Different Levels of Cleanups: A popular security plugin Sucuri, offers different levels of cleanup, depending on how fast you want to clean your website – from 30 minutes to 12 hours. Typically, cleaning your site involves security personnel who’ll need your website’s details like SFTP credentials, etc. The silver lining in buying Sucuri’s cleanup is that you get a year’s cleaning service free of cost. Meaning, within a year, no matter how many times your website is infected, they’ll clean your website at no additional cost.

One-Time Cleanups: Several WordPress security plugins or services like Wordfence for instance, offers one-time cleanup charging a one-time fee. They scan your site and upon finding a security vulnerability, they clean it as well. Unfortunately, Wordfence does not guarantee a turn-around time. This means it could take anywhere between minutes or days before your website is clean. There are several adverse effects of prolonging the cleaning of your site. For one, Google and other search engines may blacklist your site. Or your web host may take your site down, lest you infect other websites on the same web host server (in case of shared hosting).

Protect Website From Future WordPress Malware Redirects Hacks

Simply locating the malware and cleaning the site will not fix the WordPress site. It’s important to take security measures that’ll protect your site from future hack attacks. Website owners can implement some (if not all) of the WordPress recommended security measures. Manually implementing these measures would require some amount of technical expertise. Instead, it’s better to use WordPress security plugins like MalCare and Sucuri to harden your website. What every website owner should bear in mind is that being online is a huge responsibility, one that you should not take lightly. Take time to invest in reliable backups and effective security measures to ensure that your WordPress website is safe and working.

That brings us to the end of the article on fixing a WordPress redirect hack. For more guides and posts on how to secure your WordPress website, check out the rest of our blog.

The idea of writing this article came from a customer reached out to us saying “My website is being redirected to another site.” If you want us to cover certain topics on our blog, write to us.