WordPress Hacked Redirect, How to Detect and Clean it

So, did you hurt seeing your website redirect to phishing or malware? Unfortunately, even when you have strengthened the defenses of your website, around 30,000 websites are hacked every day. So when that day comes it is very important to know what to do!

If your site has been hacked, attackers can use malicious code that redirects your site to phishing or malware websites for trafficking, which adds insult to injury, and can actually harm your reputation as a site.

If your website redirects visitors to phishing or a malware site, you may get Google blacklisted! Google won’t take a chance with its reputation, if your webpage(s) smell the slightest fishy thing, it’ll make you blacklist. Later in this article, I will cover Google’s blacklist.

Let us manage to fix your WordPress Hacked site.

A definition A hacker can use a script they create to redirect your website systematically to a Scam website or an adult’s website (call me porn) for a better reputation of your own website. They will most often use the following tricks to change a website’s behavior.

  • Upload or create a malicious script file in your WordPress site.
  • Add yourself on your website as a Ghost Admin.
  • Run the PHP code they send via a browser.
  • For spam purposes, collect personal information such as email.
  • Change anything for your own purposes on your website, often for spamming.
  • When adding a file, it is often named to look like a file that’s the core portion of WordPress files. The file could be referred to as sunrise.php, wp-users.php, wp-system or wp-configuration.php. Hackers typically add malicious scripts, wp-including wp-config / themes, wp-content / plugins or WP-content / uploads folders to.htaccess, or may change the wp-config.php file.


Malicious Redirects in Header

Malicious code encoded is added to the top of your active WordPress theme header file header.php


WordPress theme in Footer Malicious script.

Malicious redirect is added to the footer of the active

What’s the look of blacklisting?

So we have talked about how to check and see whether your website was injecting malicious scripts, but I think that it is a good idea to spend additional time with what we refer to as “symptoms” of a website being hacked and blacklisted in one of our previous articles. However, most of them will help you find out if your website is in trouble: there is huge / sudden traffic to your website for specific keywords which have nothing to do with your website contents–especially pharmaceuticals.

  • Your website will suddenly be redirected to non-anonymous websites.
  • Ghost administrators appear in your dashboard which you or other legitimate admin users haven’t created for your website.
  • Your website is unlikely to contain malware in the results of search engines or desktop or cellular software for detecting virus.
  • Your hosting provider has transferred your site to junk or quarantine mode.
  • It is important to remember that Google can also provide various security warnings. These warnings can be found on the results page of your search engine where your site is indexed. The following are the most common warnings you will see.

This site may harm your computer


Example: Google detected the hacking of your website.

This warning appears when Google Google has a good reason to compromise or hack the site and take it over by using someone else.

A step-by-step guide to removing malicious scripts and redirects

Stage 1: Scanning your WordPress site There are several ways to check if you suspect your website has got a malicious script, but you have to generate a complete backup of your website before running any of these sites. Although your site can be hacked, things could get worse before they get better.

A backup is perhaps the next best thing after cut bread. If you make a mistake when you clean up your site accidentally, your backup is safe.

You could restore your website to the point that you first started to work on it and continue to investigate as if nothing else happened. Once your whole website has been backed up, you are ready to start.

  • Norton Safe Web – You can quickly find out if there are any threats related to your website.
  • Quttera – Deeply scans your site for malware.
  • VirusTotal – One of the best online scan website available to scan your website or IP Address for Common Viruses, Malicious scripts, Hidden Backdoors, etc.
  • Web Inspector – This website scan for backdoors, , injected scripts, malicious redirections code with a fairly detailed report.
  • Scan My Server – Scans for malware, SQL Injections, XSS and more with detailed report.

Step 2: Find the suspicious code

There are several places where you can see the malware on your site. It’s not always an easy way to scan the code chunk by chunk on every page of your website. The culprit is sometimes enclosed in your server. However, some places are mostly targeted by attackers. To start the malware cleaning process, you will need ftp / ftps login information.

If your site suddenly goes back to an anonymous website(s), you need to look for suspicious code:

Core WordPress

  • Files Your site index file (check for both index.php and index.html)
  • In the event that you are triggering download users on your site, please take a look:
  • Header.php: Current Theme header file Footer. Is it just one page? One directory? Or the whole site?

Step 3: Dig Deeper:

Pretend that you are a bot or user agent, sometimes running tests to check whether the malware on your website puts your own machine at risk. To avoid this, you can use cURL CLI to pretend that you are a Google bot or user interface.

The following command can be entered to emulate a bot via a ssh client:

$ curl –location -D – -A "Googlebot" site.com

You should look for something that does not make sense in the code once you enter this. Thus, bits that are in a language other than your own or that generally look like gibberish. Yes, at least here, you need to recognize html. Something in an iFrame or script tag must also catch your eye.

In addition, you can use this small code to emulate a user agent (via an ssh client again):

$ curl -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" http://www.site.com

You can edit or substitute the “browser” tag here according to your requirements.

A couple of different commands you may want to know are Grep and Find, which work via a ssh client. These commands help you find out where the hacking has taken place on your website, so that you can remove the malicious code that has put you on the Google Blacklist manually.

Here is a list of useful resources to speed up your terminal cleaning process.

  • Command line
  • SSH
  • What’s My User Agent?

Step 4: Removing Bad Code



If your website has been malware injected, you will have to delete malicious scripts which have redirected you to abusive websites. If attackers create new pages with malicious code, they can be removed from Search Engine Results by accessing the search engine console of Google and using the URL removal feature.
You should next update the topic, plugins, and install any new core updates available. Make sure all is as up-to-date as possible. This reduces the vulnerabilities of your website.

Finally, change all your website passwords. And all of them, I mean! You also need to reset passwords to your FTP account, WordPress Regenerate Salt Keys,database(s), hosting and other related information to make sure your website is safe not just the WordPress Administrator Password.

Regenerate Salt Key for WordPress

Step 5: Resubmit Your Site

If your site is blacklisted and has been removed from Google’s search results due to malicious redirects, you have to submit a review to your site. Otherwise, Google won’t know you’ve taken significant steps to address the problem.

If your website was engaged in phishing, you will have to submit a request for re-examination through Google Webmaster Tools (now known as the Google Search Console). I’m going to assume that your site is already added, so click Search Traffic > > Manual Actions when you’re logged in. You should then be encouraged to submit an evaluation.

WordPress plugins that can detect infected files:

Here are some Theme Check

  • Acunetix security
  • WP Security
  • Vaultpress

Keeping your Site Secure

  • To keep your site safe, you need to make sure you follow the instructions below: Have your WordPress Site core files updated.
  • Update your topics and plugins.
  • If possible, use a Safe Secure WordPress hosting service that can manage your WordPress site, instead of just hosting it.
  • If you choose to use a reseller hosting account with a non-WordPress Friendly Hosting Provider you should avoid adding sites to your main account as add-ons. These websites can be set up in a separate website account.
  • Remove any inactive themes or plugins on your website that you do not intend to use.
  • Review your WordPress plugins and themes, and ensure that they are all updated by their developers recently, otherwise you should find alternatives and delete them from your WordPress site.
  • Never have null themes or plugins installed.
  • Keep one or two manager accounts, downgrade all other users to an author or editor.
  • Remove any WordPress installation dev / demo settings from your public directory.

WordPress Malware Removal

W-se Services has cleaned more than 2000 WordPress sites successfully, and its success rate is already 100 percent. If you do not have the time or skill to scan and clean your malware Redirect hack from your WordPress site, then we can clean it for you.

This is a priority service that will restore your Hacked WordPress site in a day or less while providing you with a 30-day guarantee. If your website is hacked again, we will clean it free of charge.



Was this article helpful?

Leave a Reply

Your email address will not be published. Required fields are marked *