WordPress Hacked Redirect – How To Clean Malware Redirects

Feb 11, 2019

Is your WordPress website redirecting to another site? In most cases, you’d realise your visitors are being sent to spam or obscene websites. This horrifying ordeal is a result of being hacked. 

When this happens, it’s crucial to fix it immediately. Here, we’ll show you different ways to take back control of your site. We’ll also tell you how you can prevent this from happening in the future.

If you’re pressed for time and need to clean your site, you can use our automated malware removal plugin to solve the issue. However, it’s important to come back and understand how and why it happened so you can prevent it from ever occurring again in the future. 

Website security is extremely important and even more so if you run a website on WordPress. This is because WordPress is a popular choice among website owners. It powers over 30% of all the websites in the world and has, therefore, drawn the attention of hackers. 

“WordPress is becoming more and more popular, and as more people enter the world of blogging, it’s likely that WordPress security issues are going to grow.” – Matthew Woodward, award-winning business & internet marketing blogger

Even though security protocols grow stronger every day, hackers are not far behind in finding ways to break in. So if you’ve been hacked, whether your data was stolen, your homepage defaced or backdoors inserted, you’re definitely not alone. According to a report by Sucuri, WordPress infections rose from 83% in 2017 to 90% in 2018.

“My website is being redirected to another site. How is this happening?”

There are a few tricks hackers use to get your site to redirect, the most common ones being:

    • By injecting malicious code into WordPress files and database.
    • By changing the home URL and site URL in the database.
    • By adding themselves as a ghost admin on your website.

[Image: a sample of malicious code injected in a PHP file]

In most cases, visitors are redirected before landing on your homepage, but the tricky thing about these hacks is that they can lie anywhere on your site. It could be a link somewhere on your blog (recommended read – SEO Spam & Spam Link Injection) or a landing page that’s redirecting your visitors. Unless they bring it to your attention, you could be hacked for a long time before you realise it.

If you’ve noticed your website is redirecting, you need to remedy it immediately. Redirects can cause serious damage not just to your site but to your visitors as well, and can, therefore, have severe repercussions.

Negative Impact of Redirection

Hackers can inflict serious damage to your online presence simply by redirecting traffic from your website. If your website is redirecting, here’s how it can be damaging to your website:

    • Brand hit – A visitor to your hacked site could be redirected to websites selling illegal or spam products. Your brand will definitely take a hit. Going one step further, if your visitor ends up ordering any of these banned products, it could land them and, by extension, you in a whole lot of trouble.

    • SEO Impact – When visitors are led elsewhere, your rankings will plummet and you will lose traffic to your site. This means years of hard work will vanish, not to mention a serious loss of customers too. Moreover, in certain types of hacks like pharma hacks, you start ranking for different keywords. 

    • Blacklisting – When the search engines find out your site is infected by malware and you are involved in SEO spam or the sale of illegal products, your site will be blacklisted. Visitors are given a warning that your site is infected. 

    • Host suspension – Your web host may shut down your site, lest other websites on the same server also get infected with malware.

    • Breach of Privacy – Visitors may download software that’ll infect their system, resulting in a breach of privacy. This could also lead to potential data loss on their end. 

    • Loss of Revenue – All of the above will ultimately lead to a fall in revenue. This might be hard to recover from depending on the severity of the issue.

The longer you take to fix the hack, the more dire the consequences become. So let’s get to figuring out the root cause of the problem and how to fix it.




Detect and Clean Malicious Redirects

Your site is redirecting because hackers have added malicious code to it. To remove these spam redirects, you have to find that code or malware and remove it. Malware might be in the database, the .htaccess file, a theme or plugin, the WordPress core or even in your uploads. You can scan a hacked website either manually or by using automated tools.

Step 1: Scan WordPress Website

The first step involves scanning your WordPress site to locate the malicious code. You can do it either manually or by using a security plugin.

There are a few ways to manually identify a hack or malware on a WordPress website.

Manual Scanning

Pattern or Signature Matching: During manual scanning, the website owner searches the site’s files for known patterns of malicious code and deletes any code that matches. The problem with this method is that it only matches a known pattern, while malicious code can exist in an infinite number of patterns. Moreover, the method is tedious.


Keyword Identification: Another common way of looking for malicious code is to search for known keywords such as ‘eval’ or ‘base64_decode’, which are part of many malicious scripts.

The drawback with this method is that these keywords are also part of legitimate code. In fact, many plugins have these keywords in their code too. Hence searching for these keywords is not a fool-proof way of finding malware. You may end up deleting a valid piece of code, causing your WordPress website to malfunction.
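The trade-off described above can be made visible by separating bare keyword hits from the narrower case where eval() is fed directly by a decoder. The following is an added example, not code from the original article or from any plugin it mentions; the function names, the decoder list and the sample files are constructed for illustration.

```python
import re
from pathlib import Path

# The two keywords the article names, matched only where they are called.
KEYWORD = re.compile(r"\b(eval|base64_decode)\s*\(", re.I)
# eval() fed directly by a decoder. This pairing and the decoder list are a
# heuristic chosen for this example, not a complete signature set.
CHAINED = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def triage(root):
    """Return {relative_path: [(line_no, level, snippet)]} for *.php under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = []
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if CHAINED.search(line):
                hits.append((no, "high", line.strip()[:80]))
            elif KEYWORD.search(line):
                hits.append((no, "review", line.strip()[:80]))  # needs a human
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_keyword_sample(root):
    """Constructed sample tree: one legitimate plugin file, one injected file."""
    root = Path(root)
    (root / "plugins/gallery").mkdir(parents=True)
    (root / "plugins/gallery/image.php").write_text(
        "<?php\n$logo = base64_decode($settings['logo_b64']);\n")
    (root / "uploads").mkdir()
    (root / "uploads/cache.php").write_text(
        "<?php eval(base64_decode('PLACEHOLDER_PAYLOAD'));\n")
    return root

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for rel, hits in triage(build_keyword_sample(tmp)).items():
            for no, level, snippet in hits:
                print(f"{level:6} {rel}:{no}  {snippet}")
```

A "review" hit is a prompt to read the file, not a reason to delete it, and an empty result does not show the site is clean, since malicious code can avoid both keywords entirely.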

Comparing the Difference in the Core Files: The WordPress core files determine the appearance and functionalities of WordPress software. Sometimes malware is inserted into this part of the site. Since WordPress is open-source software, its files are publicly available. By comparing the WordPress core files present on your website with the publicly available ones, you can spot a file that has been altered or that should not be present on your site.

Comparing the differences in the core files is an effective way to detect malware to some extent. However, it too has its limitations. Without proper technical understanding, you may end up comparing two different versions of WordPress resulting in false alarms.
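A core comparison that refuses to run when the versions differ avoids the false alarms mentioned above. This is an added example, not part of the original article: it assumes you have already obtained a per-version manifest of relative path to MD5 for the release you run (WP-CLI's `wp core verify-checksums` performs the same kind of check), and the function names, sample tree and version string are constructed.

```python
import hashlib
import re
from pathlib import Path

def installed_version(root):
    """Read $wp_version from wp-includes/version.php."""
    text = (Path(root) / "wp-includes/version.php").read_text(errors="replace")
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def verify_core(root, manifest_version, manifest):
    """Compare core files under root with manifest {relative_path: md5_hex}."""
    root = Path(root)
    found = installed_version(root)
    if found != manifest_version:
        # Comparing across releases would flag every file that changed upstream.
        raise ValueError(f"site runs {found}, manifest is for {manifest_version}")
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, md5 in sorted(manifest.items()):
        f = root / rel
        if not f.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(f.read_bytes()).hexdigest() != md5:
            report["modified"].append(rel)
    # Core directories should hold nothing beyond the manifest.
    # wp-content is site-specific and is deliberately not walked here.
    for sub in ("wp-admin", "wp-includes"):
        for f in sorted((root / sub).rglob("*")):
            rel = f.relative_to(root).as_posix()
            if f.is_file() and rel not in manifest:
                report["unexpected"].append(rel)
    return report

def build_core_sample(root):
    """Constructed mini core tree and manifest; the version is a placeholder."""
    root = Path(root)
    files = {
        "wp-includes/version.php": b"<?php\n$wp_version = '0.0-sample';\n",
        "wp-includes/load.php": b"<?php // clean\n",
        "wp-admin/index.php": b"<?php // clean\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = {rel: hashlib.md5(d).hexdigest() for rel, d in files.items()}
    # Simulated tampering: one core file altered, one stray file dropped in.
    (root / "wp-includes/load.php").write_bytes(b"<?php // clean\n// injected\n")
    (root / "wp-admin/wp-tmp.php").write_bytes(b"<?php // stray\n")
    return manifest
```

Because version.php is itself a core file, a tampered copy shows up as "modified" once the manifest for the version it claims is used.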

More file checks that you can perform

Matching Plugin Files: Another thing you could do is match plugins. Make a list of the plugins that you have already installed. Next, download the same plugins from the WordPress plugin repository. Now compare the two sets of files. This is a decent way (albeit a time-consuming one) of finding malware. As you might have guessed, this too comes with its own set of problems.

You see, there are different versions of plugins, and not all are publicly available. Some of these have modifications that are often not captured in the repository. These factors make matching WordPress plugin files tedious and unreliable.

Look For Recently Modified Files: There’s a good chance that recently modified files are part of a hack. The hacker may have injected malware or malicious codes into these files. You should treat suspiciously any file that was not modified by you or anyone else handling your website. But if the hacker is worth his salt, he would have reset the time of modification. Good luck finding the modified file then!
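On POSIX filesystems the inode change time (ctime) is updated whenever a file's content or metadata changes, including when its modification time is set back, so it is a better key than mtime for this search. The following is an added example, not from the original article; the function name and the seven-day window are assumptions.

```python
import time
from pathlib import Path

def recently_changed(root, days=7, now=None):
    """Return [(relative_path, backdated)] for files whose ctime is within `days`.

    Assumes a POSIX filesystem: on Windows st_ctime is the creation time.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    out = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_ctime >= cutoff:
            # mtime outside the window while ctime is inside it: either the
            # modification time was set back, or only metadata changed
            # (chmod, chown, rename). Both deserve a look.
            backdated = st.st_mtime < cutoff
            out.append((path.relative_to(root).as_posix(), backdated))
    return out

if __name__ == "__main__":
    import sys
    for rel, backdated in recently_changed(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("BACKDATED " if backdated else "changed   ") + rel)
```

Restoring a site from a backup or archive also resets ctime on every file, so run this against a tree whose last legitimate deployment date you know.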

Look for Unknown Files & Folders in WordPress Root Folder: Typically, a WordPress website owner doesn’t need to access the WordPress root directory (/public_html), making it a vulnerable target for injecting malware. The plugin (/wp-content/plugins/) folder and theme folder (/wp-content/themes/) present inside the root directory are also at high risk for attacks. Hence, looking for unknown files present in the directories is the general rule of thumb.

While themes and plugins come with known sets of files and folders, unfamiliar yet safe files may also be present. Deleting them unwittingly could cause the plugin to misbehave, so you should avoid doing so.

Given the complexity of finding malware manually, the success rate of these above-mentioned methods is always very limited. Hence it’s better to choose an automated WordPress malware scanner over manual scanning.

Scanning Using a Security Plugin

As with anything WordPress related, there are tons of Security Scanning Plugins available. But unfortunately, most of these security scanners including the top ones rely on ineffective methods we just discussed. Unlike other WordPress security plugins, MalCare does not rely on pattern matching or keyword identification. Instead, MalCare uses the knowledge from the hundreds and thousands of websites it is already installed on to find new and complex hacks.

To learn more about WordPress website scanners, take a look at the top 5 WordPress malware scanners.

Step 2: Clean Malware Redirects

Ideally, the security plugin that you choose to scan your website for malware should also undertake the task of cleaning it. Let’s take a look at the different cleaning options available to WordPress users:

One-Click Automated Cleanup: MalCare is the only WordPress security plugin that offers automated one-click cleanups. Our product is unique in the sense that it allows users to remove malware from their WordPress websites with a mere click of a button. There is no external security personnel involved, and therefore absolutely no need to wait. MalCare offers three different packages and irrespective of the package you choose, it includes an unlimited number of cleanups.

Different Levels of Cleanups: Sucuri, a popular security plugin, offers different levels of cleanup, depending on how fast you want to clean your website – from 30 minutes to 12 hours. Typically, cleaning your site involves security personnel who’ll need your website’s details like SFTP credentials, etc. The silver lining in buying Sucuri’s cleanup is that you get a year’s cleaning service free of cost. Meaning, within a year, no matter how many times your website is infected, they’ll clean your website at no additional cost.

One-Time Cleanups: Several WordPress security plugins or services offer one-time cleanup and charge a one-time fee for it. They scan your site and upon finding a security vulnerability, they fix it as well. Unfortunately, this option usually does not guarantee a turn-around time. This means it could take anywhere from minutes to days before your website is clean. There are several adverse effects of prolonging the cleaning of your site. For one, Google and other search engines may blacklist your site. Or your web host may take your site down, lest you infect other websites on the same web host server (in case of shared hosting).

Final Thoughts

Simply locating the malware and cleaning the site will not fix your WordPress site. It’s important to take security measures that’ll protect your site from future hack attacks. Here’s what you can do –

  • To manually implement WordPress recommended security measures would require technical expertise. It’s better to use WordPress security plugins like MalCare to protect your website.
  • Take time to invest in reliable backups to ensure that you can get your website up and running if something goes wrong.
  • Once you are set, stop worrying about the security of your website and focus on growing your business manyfold.

That brings us to the end of the article on fixing a WordPress redirect hack. For more guides and posts on how to secure your WordPress website, check out the rest of our blog.
