How To Remove Malicious Redirects From Your Site?

Dec 2, 2019


Is your WordPress website maliciously redirecting your users to unknown websites like ones that sell medical products? Chances are you’ve been hacked.

Visitors could also be redirected to unsecured sites that host adult content, sell counterfeit products, or try to dupe visitors into downloading malware. Such a hack can be disastrous to your site and can jeopardize your reputation!

You need to take action before the damage becomes irreparable. At MalCare, we’ve seen hundreds of thousands of malware redirects and the nightmares clients face in trying to fix them. The biggest pain point with such redirects is that clients see them reappearing on their site over and over again, even after they’ve cleaned them.

So, in this article, we decided to address the problem and give you the right guidance you need to get rid of the malicious redirects once and for all.

Malicious redirects claim many WordPress sites as victims and bring serious ramifications. Clean up your site instantly by using MalCare security plugin. It will do a thorough scan of your website and clean up all malware present. Plus, it continues to keep you protected, so you don’t have to worry about malicious redirects appearing on your site again.

What Are WordPress Malicious Redirects?

Hackers gain access to your website through an existing weakness. It could be outdated software, a security flaw in an installed plugin, or a weak password that made it easy for the hacker to get in.

Once inside, they insert a malicious script that starts redirecting your visitors to the websites of their choice. We can assure you these won’t be sites you’d like. Hackers will take your visitors to sites with adult content, illegal drugs, or counterfeit products.

They could do this with the intent to steal your traffic, to damage your reputation or even just for fun! Whatever the intention, the hack can have a catastrophic impact on your site.

In many cases, the redirect happens from the home page, so before a visitor can open your homepage, they are redirected to another site. The redirect can also happen from anywhere else on the website, such as embedded links in blog posts. For example, we visited a simple hotel website, but found that its homepage displayed a pharmaceutical company that sells banned drugs online.


wordpress malicious redirects to another website


What the homepage should’ve looked like without the hack was:


original site without malware redirects


Some site owners may take their time to fix a hack like this. But we can tell you, the longer your site stays hacked, the more dire the consequences become.

Why Should You Worry About Malicious Redirects?

A Malware Redirect Hack can cause severe damage to your website:

1. It takes a toll on SEO 

Getting your website to rank on search engines is no easy task. It takes months of hard work. Once your site is hacked, these hackers piggyback on your SEO efforts. Your traffic will fall as visitors are redirected to other sites. Hackers also place links inside your site, so if a visitor clicks on it, they’ll be directed to another site. Such a hack can cause Google to penalize you for bad backlinks. Recovering your SEO status could take months.

2. It’s a breach of privacy

When your website is hacked, there is a high risk of visitors’ data being stolen. If that happens, it’s termed as a data breach. This is a serious offense to visitors as their personal data is leaked. A data breach also carries severe legal implications depending on your country’s laws.

3. Google will blacklist your site

Google keeps a user’s experience and safety above all! If your site puts users at risk, the search engine giant will blacklist your site. Any visitor who tries to access your site will either be shown a warning that the site puts them at risk or be blocked from entering the site.




4. Your web host will suspend your account

For a hacker to run their activities on your website, they need to use your web server resources. This can exceed the limit provided to you by your web host. If your site eats up more resources than it is granted, it will slow down other sites on the same server or cause server problems for the web host. Therefore, they’ll suspend your web hosting account.

5. Loss of sales and revenue

It goes without saying, when visitors are being diverted and you’ve been blacklisted and suspended, revenue will take a hit. For every minute your site is down, you stand to lose paying customers and ad revenue.

6. Your brand image will be ruined

The most painful part of being hacked is that the brand image that you worked so hard to build will be ruined. Many times customers who see that a site is hacked don’t return.

We hope this sheds light on how severe the consequences of a WordPress hack are. You need to find the hack and clean up your website promptly. After this, you need to ensure your site’s web security is strong and impenetrable.

How to Check for WordPress Malicious Redirects?

There are two ways to find a malicious redirect hack – manually and using a WordPress malware scanner.

However, right off the bat, we’ll tell you that the manual scanning method is ineffective. Here’s why:

Earlier in the 1990s and 2000s, hacks were easier to find manually by looking at files and folders of the website. But with time, hackers have advanced their techniques. They found ways to disguise their malware attacks so that they go undetected for as long as possible.

They also have ways of disguising it only from you – the site owner, but making it visible to visitors and search engines.

Malware Redirects Are Difficult to Detect

When it comes to WordPress malware redirects, they are particularly difficult to detect. The hacker could redirect your site visitors even before they land on your home page. They could also insert hyperlinks anywhere on your site disguised as a normal button or link. If a user clicks on it, they’ll be taken to another website.

This can happen to all your web pages and the hacker can create a thousand more pages of their own.

Because it’s so widespread, finding the hack manually becomes too cumbersome and time-consuming (we’re talking days on end). And even if you do find the hacked files and clean them up, there’s just no way of knowing your WordPress site is 100% clean.

This is why we strongly recommend against trying to find the hack manually (especially if you are not familiar with the inner workings of WordPress and its plugins/themes). However, if you are tech-savvy and want to know how to do it manually, we’ve detailed it in the next section.

First, we’ll take you through the easiest and most reliable method of finding and cleaning this hack. This method takes only a couple of minutes for your website to be hack-free.

Detecting a Malicious Redirect by Using a WordPress Security Plugin

In the WordPress realm, there’s a plugin for anything you need. So to detect such a hack, you can be sure to find a number of security plugins to help you out.

But not all plugins are designed the same and choosing the right one is important. Some of the plugins out there can only find known malware using a method called signature matching.

Signature Matching is Not Enough

Every type of malware bears a unique signature in its code. So these plugins look for the signatures that have already been found and tagged as ‘malicious code’. The problem with this method is that any new kind of malware infection with an unknown signature will be missed.

There have been times where we’ve had site owners come to us determined that their website is hacked, but their security plugin showed that the site was clean. After we ran a scan, it turned out their website really was hacked; the plugin they were using just didn’t pick up any malware.

Plugins Throw Up False Alarms

On the other hand, site owners have come to us saying their malware scanner shows their site is hacked but actually, there was no hack. This can happen because sometimes hackers use the same code that is also used by developers in some plugins/themes in a legitimate way.

So by trying to match signatures, these plugins are oblivious to new malware or throw up false alarms.

So how do we overcome the shortcomings of the manual method and the signature matching method?

Our developers created MalCare to comb through every inch of your website in a matter of minutes. It uses a method that doesn’t rely solely on signature matching. It also analyses the code’s patterns and behavior. In doing so, it is able to determine whether any code is malicious or not.

So whether a hacker uses old methods, or new malicious scripts, or disguises or hides the hack, MalCare is prepared for all surprises.

How To Use The MalCare Security Scanner?

To use MalCare, simply install it on your WordPress dashboard, and run the first scan for free.


using malcare security plugin


It will run a deep scan of your website and find any hacked files, if present. Once it’s done, you’ll be alerted if there’s malware on your site or not:


wordpress malicious files detected


After the hack is detected, cleaning it is simple. Let’s take a look.

Before you clean your website of malware, it’s best to take a backup of your WordPress site to be on the safe side. MalCare will automatically take a full backup (powered by BlogVault) and store it safely.

How To Clean A Malicious Redirect Hack Using MalCare?

MalCare is a premium WordPress security plugin that provides malware cleanups at a reasonable cost. To clean up your site, you need to sign up for a premium plan as low as $8.25 per month.

Once you’ve signed up, you can clean up the malicious redirect by clicking on ‘Auto-clean’:

The plugin will run through your site and remove all malicious scripts and render your site clean. As we mentioned, the plugin uses an intelligent method of analyzing the behavior of the code. This ensures the clean-up is done without ever breaking your site.

If you need further assistance, there’s a very responsive customer support team you can contact.

After this, MalCare continues to protect your website against any kind of malware and hacker for a whole year under your premium plan!

Now if you’re satisfied with using the MalCare plugin, you can jump to security measures you need to implement. For those who want to know how to clean it up manually, we’ll delve into it here.


How to Manually Detect and Clean a Malicious Redirect Hack

Before we begin, we must caution you that this method requires technical know-how of WordPress. It’s risky to go into the files and folders of your website. The slightest misstep could break your website, especially when changing .htaccess files.

Take a backup of your WordPress site before you start. In case anything goes wrong, you can simply restore your website.

Step 1: Access your website’s files

Find cPanel on your web hosting dashboard. Then, go to ‘File Manager’.


cPanel file manager


Here, you need to access ‘public_html’. This is usually where your website’s files are stored. In case you have named the folder something else, please locate the respective folder.


locating public_html folder


Step 2: Find the malicious script

First, go to settings in the top-right hand corner of your screen.


finding malware hack


Here, make sure hidden files are shown by checking the box ‘Show Hidden Files’, like so:


Showing hidden files


Next, using the search bar on the top-right corner of the screen, you can search for known malicious keywords such as:

    • eval
    • base64_decode
    • unescape
    • script
    • iframe

Investigate any code that could be possibly harmful to your website. You can also check the ‘Last Modified’ column to see if any files were recently modified. This can help narrow down which files might have been hacked.


Last Modified files


However, hackers can change the last modified time and date, so this might not be effective.

Lastly, download a fresh installation of the WordPress version you’re using. Compare the WordPress core files of your website with the new installation to spot any differences.

Once you identify the malware, we can move on to cleaning your website.
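
The Step 2 checks can also be scripted against a downloaded copy of the site. The following is an added Python example, not MalCare’s code or part of the original article; the function names are hypothetical, and it assumes the fresh WordPress download is the same version as the site and that wp-admin and wp-includes contain only core files.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Keywords listed in the article, matched as function calls or HTML tags.
PATTERN = re.compile(r"\b(eval|base64_decode|unescape)\s*\(|<\s*(script|iframe)\b", re.I)
SCANNED = {".php", ".js", ".html", ".htm"}

def keyword_hits(site_root):
    """Return sorted (relative path, line number, keyword) for every match."""
    root, hits = Path(site_root), []
    for path in root.rglob("*"):
        wanted = path.suffix.lower() in SCANNED or path.name == ".htaccess"
        if not (path.is_file() and wanted):
            continue
        text = path.read_text(errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            for match in PATTERN.finditer(line):
                keyword = (match.group(1) or match.group(2)).lower()
                hits.append((path.relative_to(root).as_posix(), number, keyword))
    return sorted(hits)

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def core_differences(site_root, fresh_root):
    """Compare the site against a fresh WordPress copy of the same version."""
    site, fresh = Path(site_root), Path(fresh_root)
    known = {p.relative_to(fresh).as_posix() for p in fresh.rglob("*") if p.is_file()}
    modified = sorted(r for r in known
                      if (site / r).is_file() and _digest(site / r) != _digest(fresh / r))
    # Assumption: wp-admin and wp-includes hold only core files, so extras are suspect.
    extra = sorted(p.relative_to(site).as_posix()
                   for d in ("wp-admin", "wp-includes") if (site / d).is_dir()
                   for p in (site / d).rglob("*")
                   if p.is_file() and p.relative_to(site).as_posix() not in known)
    return {"modified": modified, "extra": extra}

def demo():
    """Run both checks on a tiny constructed site (sample data, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, fresh = Path(tmp, "site"), Path(tmp, "fresh")
        clean = {"index.php": "<?php require 'wp-blog-header.php';\n",
                 "wp-includes/version.php": "<?php $wp_version = 'x';\n"}
        for root in (site, fresh):
            for rel, body in clean.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed tampering: one injected line and one planted file.
        (site / "index.php").write_text("<?php eval(base64_decode($x));\n" + clean["index.php"])
        (site / "wp-includes/cache.php").write_text("<?php // planted\n")
        return keyword_hits(site), core_differences(site, fresh)

if __name__ == "__main__":
    hits, diff = demo()
    print(hits, diff, sep="\n")
```

Keyword hits are leads to review rather than proof of infection, since legitimate plugins and themes use the same functions.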

Step 3: Remove the malicious scripts

Here, you simply need to delete the malicious scripts. If you found that new malicious files were created, you can simply delete them.


deleting website hack


In some files, you will need to download the file, edit it and then re-upload the same. The options can be found on the same menu bar as the ‘delete’ option.

You need to be careful at this step. Ensure the code is actually malicious before you delete it. If you remove code that is legitimately used in plugins or themes, you could break your website.

Step 4: Check your website

Visit your website and all its important pages to ensure there are no malicious redirections. Check your website from different browsers and incognito mode as well to make sure the malware has been removed.
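
Part of this check can be repeated on saved page source. The added example below is not from the original article: the class and function names are hypothetical, the HTML and hostnames are constructed, and it goes slightly beyond the text by also reading meta refresh tags while listing every off-site destination in links, scripts and iframes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a hotel homepage with an injected refresh, script and link.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://pills.example.net/buy">
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.org/x.js"></script>
</head><body>
<a href="/rooms">Rooms</a>
<a href="https://pills.example.net/offer">Book now</a>
</body></html>"""

class OffSiteTargets(HTMLParser):
    """Collect off-site destinations from tags that can send a visitor elsewhere."""
    URL_ATTRS = {"a": "href", "script": "src", "iframe": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.found = []  # (kind, absolute URL) in document order

    def _record(self, kind, url):
        absolute = urljoin(self.page_url, url.strip())
        host = urlparse(absolute).hostname
        # Exact host comparison: a "www." variant of the site counts as off-site.
        if host and host != self.site_host:
            self.found.append((kind, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.URL_ATTRS and attrs.get(self.URL_ATTRS[tag]):
            self._record(tag, attrs[self.URL_ATTRS[tag]])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = re.search(r"url\s*=\s*['\"]?([^'\";]+)", attrs.get("content") or "", re.I)
            if match:
                self._record("meta-refresh", match.group(1))

def off_site_targets(html, page_url):
    """Return every off-site (kind, URL) pair found in the page source."""
    parser = OffSiteTargets(page_url)
    parser.feed(html)
    return parser.found

if __name__ == "__main__":
    for kind, url in off_site_targets(SAMPLE_HTML, "https://hotel.example.com/"):
        print(kind, url)
```

Static source does not show redirects issued by the server or by script code at run time, so the browser checks above are still needed.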

You can also check Google Search Console > Security Issues:


checking security issues


By implementing these measures, all malicious redirects on web pages should have been fixed. Now that your WordPress site is clean, we can move on to the next steps you need to take to keep your website secure.


Recommended Steps After Recovering from a Malicious Redirect

After you clean your website, whether you use a security plugin or do it the manual way, there are a few steps you need to take to ensure your site is clean and secure from hackers coming back in.

1. Seal vulnerabilities

A hacker was able to carry out their malicious activities because there was a weakness on your website that enabled them to gain access.

Update your website

WordPress receives updates regularly to introduce new features, make improvements, fix bugs, but more importantly, to fix any security flaws. You’ll see updates available on your WordPress dashboard, like so:


wordpress update

But as site owners, we often fail to update our WordPress sites promptly. Around 36% of hacked WordPress websites were found to be running on outdated installations in 2018.

Ensure you update your WordPress website immediately in order to seal any vulnerabilities present in your WordPress software.

Monitor Themes and Plugins

You need to update themes and plugins as well, since the same principle from the above point applies here too. Before updating your site’s themes or plugins, make sure you take a backup of your site that includes your site’s theme.

Apart from that, you also need to delete any unused themes and plugins from your dashboard. The more you have on your site, the easier it becomes for the hacker to find an entry point. If you’ve been using any pirated or cracked versions of themes and plugins, delete them immediately. Hackers insert malicious code into the pirated software they make available to you. Once you install it on your website, the malware will be installed as well in the plugin and theme files.

Check your Users

Go through the list of users you have on your WordPress dashboard. Hackers add themselves as ghost admins so that they can break into your site any time they want.



Look for new users added or any ones you can’t identify. Delete such users.

In the future, grant ‘admin’ access only to the ones you trust. Use roles like ‘editor’ for those who need only limited access.

This is because if a hacker gains access to an admin account, they have full control over your site. Whereas, if they gain access to a lower role, they’ll be limited in what they can do to your website.

Change your credentials

Hackers use a method called brute force attacks to guess your username and password. Generic credentials like ‘admin’ and ‘password123’ are easy to crack. Ensure you keep strong credentials in place for any wp-admin account and your web hosting account as well. We recommend implementing a strong password that’s a phrase in combination with numbers and symbols.




2. Install a security plugin

If you haven’t already, we strongly recommend installing a security plugin on your WordPress site. Choose a reliable plugin like MalCare so that your site is constantly scanned and monitored for suspicious activity.

You need such a plugin also because it will block any malicious traffic and bad bots from ever visiting your site. It does this by putting up a WordPress firewall that proactively defends your site.

If anything suspicious is picked up, the plugin will alert you immediately.

3. Install an SSL certificate

SSL is important to any website because it encrypts the data being transmitted over the internet. This prevents hackers from getting their hands on private information, especially your credentials. We recommend reading up on how to migrate to HTTPS.

You can get an SSL certificate from your web host or from any SSL provider. If you’re worried about spending too much on a certificate, providers like Let’s Encrypt offer free SSL.

4. Harden your website

WordPress recommends that you implement certain measures called ‘website hardening’. This will fortify your website so that it’s much harder for hackers to attempt to break in.

Refer to our guide on WordPress hardening to learn all the ways you can harden your site.

If you installed the MalCare plugin, you can apply website hardening right from the dashboard:


website malware


5. Remove Google Blacklist

If your website was blacklisted by Google, you need to submit it for review. We recommend running a second scan to be thorough. Then, take a screenshot of the malware scanner showing your website is clean:


wordpress malware hack


Next, submit your appeal to Google. They will review your site to make sure there is no malware present. After this, your site will be taken off the blacklist and you can get back to business.

6. Contact your web host

If your web host suspended your hosting account, you need to contact their customer support. Send them the same screenshot along with any other information required by them.

They will verify the same and once satisfied, they will unsuspend your WordPress hosting account.

Once you’ve taken the above measures, your WordPress website should be clean of malicious redirects and secure from future hack attempts.

Concluding Thoughts

If you’ve followed the steps we detailed above, we are confident that your website is free of the malicious redirect hack.

At MalCare, we believe every website deserves to have top-notch security, so we’ll leave you with this:

Many site owners ask ‘Why me?’. The answer is simple: there was a vulnerability that enabled them to break in.

Hackers are not biased to the size or type of site. They attack any site and if your website has a weak point, there are high chances it’ll be hacked soon enough.

This is why we strongly recommend installing MalCare plugin on your website. It will prevent malicious redirects on webpages or any kind of disastrous hacks in the future. Stay safe!

Try MalCare Security Plugin Now!