WordPress Redirect Hack ☠️ How To Detect & Fix Malware in Website

WordPress Redirect Hack – Malware Removal & Cleanup

Is your WordPress website redirecting to a spam website?

No one can be 100% sure that their website will not be hacked (even the website of the FBI has been hacked). Being hacked is one of the most common and devastating experiences for website owners.

Hackers can cost you money, data and confidential information. If your site is forwarding visitors to phishing or malware websites, prepare for the consequences.

Google won’t take a chance with its reputation: your website may get blacklisted, and Google will definitely penalize you. It is therefore very important to know what to do immediately when you see your site redirecting to phishing or malware websites.

What is WordPress Malware Hack/Redirect Hack?

A hack in which visitors are automatically redirected to malicious websites, phishing pages and malware sites is called a “WordPress malware redirect” or a “WordPress redirect hack.” It probably means your WordPress site is being redirected to a different site because of code injected into your WordPress database.

Generally, a malicious WordPress redirect is detected on the front end of the website, when a user is redirected to some other page rather than to the page he or she requested. In most cases hackers use a script to redirect the website to a porn or scam website, to damage your website and to increase their own popularity. Common tricks used to redirect your webpage include:

  • Adding themselves as a ghost admin on your site
  • Injecting or uploading malicious code to your WordPress site
  • Running .php code

If a malicious script is added by hackers, it often looks like a legitimate file, such as one of the WordPress core files. Hackers can add malicious code to wp-content/plugins, wp-content/uploads, .htaccess, wp-includes, wp-content/themes, or wp-config.php.

If your website has been infected with malicious redirects, check for suspicious code in the following areas:

  • core WordPress files
  • index.php
  • index.html
  • .htaccess
  • theme files
  • header.php (in the themes folder)
  • footer.php (in the themes folder)
  • functions.php (in the themes folder)

A few instances of malicious code that resulted in random redirects:

Header.php Injection

Malicious code of 10 to 12 lines is generally inserted into the WordPress website’s header.php.

Decoded malware code

When this code is decoded, the core part of the malware looks like this: (image: decoded malware code)

There is a logic behind the code. It simply redirects visitors to default7.com if it’s their first visit, then sets the 896diC9OFnqeAcKGN7fW cookie for about 1 year to track returning visitors.

Malicious code inserted in a folder

Malicious code inserted into a theme file:

    echo '<script>var s = document.referrer; if (s.indexOf("Google") > 0 || s.indexOf("yahoo") > 0 || s.indexOf("aol") > 0)

Depending on the browser and the IP, a user can be redirected to a random domain from the list below:

  • test0.com
  • distinctfestive.com
  • default7.com
  • ableoccassion.com
  • test246.com

404.php Malware Bugs

This malware has various other side effects, caused by a few obvious bugs in the malicious code.

See line #9 in the decoded version, for example:

    if ($_GET['6FoNxbvo73BHOjhxokW3']!){

For some reason, the malware checks for the parameter 6FoNxbvo73BHOjhxokW3 and does nothing when the GET request contains it. That is not a problem in itself. The problem is that the code does not ensure that such a parameter exists before its value is checked. This causes a PHP notice like this:

    Notice: Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()'d code on line 9
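The notice above is useful to a defender: code that runs through eval() inside a theme file announces itself in the PHP error log on ordinary page views. The following Python script is an added example, not part of the original article; it picks such notices out of log lines. The function name, log timestamps and the two unrelated log entries are constructed for illustration.

```python
import re

# PHP reports code run through eval() as "file.php(N) : eval()'d code on line M".
EVAL_NOTICE = re.compile(
    r"Undefined index: (?P<index>\S+) in (?P<file>\S+?)\((?P<line>\d+)\) : eval\(\)'d code"
)
# Locations this article lists as common injection points.
WATCHED = ("/wp-content/themes/", "/wp-content/plugins/",
           "/wp-content/uploads/", "/wp-includes/")

def find_eval_notices(log_lines):
    """Group eval()'d-code notices by (file, undefined index) and count hits."""
    counts = {}
    for line in log_lines:
        m = EVAL_NOTICE.search(line)
        if m and any(d in m["file"] for d in WATCHED):
            key = (m["file"], m["index"])
            counts[key] = counts.get(key, 0) + 1
    return [{"file": f, "index": i, "hits": n}
            for (f, i), n in sorted(counts.items())]

# Constructed sample log lines (the path follows the notice quoted above).
THEME = "/home/account/public_html/wp-content/themes/currenttheme"
SAMPLE_LOG = [
    f"[01-Jan-2020 12:09:31 UTC] PHP Notice:  Undefined index: 6FoNxbvo73BHOjhxokW3 in {THEME}/header.php(8) : eval()'d code on line 9",
    f"[01-Jan-2020 12:09:40 UTC] PHP Notice:  Undefined index: 6FoNxbvo73BHOjhxokW3 in {THEME}/header.php(8) : eval()'d code on line 9",
    # Ordinary notice from non-eval code: must not be reported.
    f"[01-Jan-2020 12:10:02 UTC] PHP Notice:  Undefined index: page in {THEME}/archive.php on line 41",
    f"[01-Jan-2020 12:10:05 UTC] PHP Warning:  Division by zero in {THEME}/functions.php on line 120",
]

if __name__ == "__main__":
    for finding in find_eval_notices(SAMPLE_LOG):
        print(finding)
```

A file reported here is a place to inspect by hand; legitimate plugins occasionally use eval() as well.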

False updates for Internet Explorer

Oddly, if you are running Internet Explorer, the redirect chain may look something like this:

default7 .com
-> advertisementexample .com/d/p/test246.com?k=e88965c228fb1da3ff5ecff0d3034e7a.1462363771.823.1&r=
-> maintainpc .soft2update .xyz/vtrescs?tyercv=5qe5FetFrItyco5HNTadzxMu9Nwdv__MlK_dmzyotoo.&subid=102860_bebd063b36f47778fce4592efccae37a&v_id=e5tsIAwpqr6ffJ2kShbqE1F3WXTIU4auGIx7jpVqifk.
-> intva31 .saturnlibrary .info/dl-pure/1202331/31254524/?bc=1202331&checksum=31254524&ephemeral=1&filename=adobe_flash_player.exe&cb=-1388370582&hashstring=oZy9K7h7eaH

This chain leads to sites that push fake Java and Flash updates. See the screenshot attached above for reference.

How to detect and clean WordPress redirect hack?

  • Take your website temporarily offline before you start fixing the WordPress malware redirect hack. This gives you sufficient time to solve the problem and also prevents your users from accessing the hacked pages.
  • Always make a backup before changing the core files and the website database. The backup should also include the hacked pages, so that you can refer to it if required content is accidentally deleted. Be sure to keep a copy of all the files you are working with.
  • If you have little understanding of your website’s JavaScript, CMS or PHP files, it is highly recommended to consult a professional to deal with the problem.

Follow this simple 5-stage guide to remove malicious code from your WordPress website:

Is your WordPress website redirected to a different site?

In most cases, your visitors are sent to spam or obscene websites. This horrific oddity is due to hacking.

When that happens, it’s important to fix it right away. Here, we’ll show you various ways to take back control of your website. We’ll also tell you how this can be prevented in the future.

If you need to clean up your site for the time being, you can use our automated malware removal plugin to resolve the problem. It is important, however, to come back and understand how and why this happened so that you can prevent it from occurring in the future.

Website security is extremely important, and even more so if you run a WordPress website. WordPress is a popular choice among website owners: it powers more than 30 percent of the world’s websites and thus has the attention of hackers.

While security protocols are increasing every day, hackers aren’t far behind in finding ways to break in. So you definitely aren’t alone if you were hacked. According to a Sucuri report, WordPress infections increased from 83% in 2017 to 90% in 2018.

So how does your website get redirected?

Hackers use a number of tricks to redirect your site. The most common are:

  • Injecting malicious code into WordPress files and databases.
  • Changing the home URL and the site URL in the database.
  • Adding themselves to your website as a ghost admin.
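The last two tricks can be checked directly in the database. The following is an added example, not part of the original article: it reads the siteurl and home options and lists administrator accounts that are not on a list you supply. It assumes the default "wp_" table prefix; an in-memory SQLite database with constructed rows stands in for the site's MySQL database, and the function names, URLs and user names are made up for illustration.

```python
import sqlite3

# Assumes the default "wp_" prefix; the capabilities meta_key carries the same prefix.
URL_SQL = ("SELECT option_name, option_value FROM wp_options "
           "WHERE option_name IN ('siteurl', 'home')")
ADMIN_SQL = """
    SELECT u.user_login, u.user_email, u.user_registered
    FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
    WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
    ORDER BY u.user_registered"""

def audit(conn, expected_url, known_admins):
    """Return URL options that differ from expected_url and admins not in known_admins."""
    want = expected_url.rstrip("/")
    wrong = [(n, v) for n, v in conn.execute(URL_SQL) if v.rstrip("/") != want]
    ghosts = [r for r in conn.execute(ADMIN_SQL) if r[0] not in known_admins]
    return {"wrong_urls": wrong, "unexpected_admins": ghosts}

def sample_db():
    """Constructed miniature copy of the three WordPress tables involved."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT,
                               user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options VALUES ('siteurl', 'https://example.com');
        INSERT INTO wp_options VALUES ('home', 'http://redirect.invalid/');
        INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.com', '2015-01-10 09:00:00');
        INSERT INTO wp_users VALUES (2, 'editor1', 'editor@example.com', '2016-03-02 14:30:00');
        INSERT INTO wp_users VALUES (7, 'wp_support', 'support@mail.invalid', '2019-02-01 03:12:44');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    print(audit(sample_db(), "https://example.com", {"siteowner"}))
```

The two SQL statements can be run unchanged against the real database from any MySQL client.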

In most cases, visitors are redirected as soon as they reach your homepage, but the tricky thing is that redirects can lie anywhere on your site. It could be a link on your blog or a landing page that redirects your visitors. You could be hacked for a long time before you realize it, unless someone brings it to your attention.

If you notice that your website is being redirected, you must remedy it right away. Redirects can cause serious damage not only to your site but also to your visitors, with serious consequences.

Negative redirection impact?

By simply redirecting the traffic from your site, hackers can seriously damage your online presence. If your website is being redirected, it could suffer in the following ways:

Brand hit: A visitor to your hacked website could be redirected to websites selling illegal or spam products. Your brand is sure to take a hit. A step further, if your visitor ends up ordering one of those prohibited products, it can land him in a lot of trouble and by extension.

SEO impact: When visitors are taken to another location, your rankings fall and you lose traffic to your site. This means that years of hard work will disappear, not to mention serious customer losses.

Blacklisting: When search engines discover that your website is infected with malware and is spamming or selling illegal products, your site is blacklisted. Visitors are warned about the infection of your site.

Host suspension: Your web host could shut your website down so that other websites on the same server do not get infected with malware.

Privacy violation: Visitors may download software that infects their system, violating their privacy. This could also lead to a possible loss of data.

Loss of income: All this will ultimately lead to a decrease in income. This could be difficult to recover from, depending on the severity of the problem.

The longer you take to fix the hack, the worse the impact. So let’s figure out the root cause and how to fix the problem.

Detect and Clean Malicious Redirects

Your website is redirected because of infected code added by hackers. To remove these spam redirects, the malicious code or malware must be found and removed. Malware might be present in the database, the .htaccess file, a theme or plugin, WordPress core, or even uploads. You can either manually scan a hacked site or use automated tools.

Step 1: Scan WordPress website

The first step is to scan your WordPress website to find malicious code. You can do it manually or with a security plugin.

There are several ways to manually identify a hack or malware on a WordPress website.

Find the Malicious Code

There are many places where the malicious code can be located on your website. We understand that scanning code chunk by chunk on every page of your website is certainly not an easy task. Sometimes the culprit sits somewhere else on your server. Some of these places require FTP/FTPS login details to access before you can start cleaning out the malware.

Manual scanning: pattern or signature matching:

During manual scanning, the website owner can look for known patterns of malicious code. Once one has been found, he or she can go ahead and delete that code. The problem with this method is that it only matches known patterns, and malicious code can take an endless number of forms. In addition, the method is tedious.

Keyword identification:

A common way to find malicious code is to search for known keywords such as ‘eval’ or ‘base64_decode’, which are part of many malicious scripts.

The drawback of this method is that these keywords are also part of legitimate code. Many plugins have these keywords in their code as well. Searching for these keywords is therefore not a foolproof way to find malware. You may delete a valid piece of code, which causes your WordPress website to malfunction.
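An added example, not part of the original article, showing how a keyword search can account for that drawback: every hit is reported with file and line for review, and only eval() applied directly to base64_decode() is raised to "high". The function names and the three sample files are constructed; the encoded string decodes to a harmless "echo 1;".

```python
import re
import tempfile
from pathlib import Path

# The two keywords named in the article, matched only as function calls.
KEYWORD = re.compile(r"\b(eval|base64_decode)\s*\(", re.I)
# eval() wrapped directly around the decoder: rare in legitimate code.
EVAL_OF_DECODED = re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I)

def scan_php_tree(root):
    """Return (relative path, line number, level) for each keyword hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if KEYWORD.search(line):
                level = "high" if EVAL_OF_DECODED.search(line) else "review"
                findings.append((path.relative_to(root).as_posix(), lineno, level))
    return findings

def build_sample_tree(root):
    """Constructed sample files: one legitimate decoder use, one injected line."""
    root = Path(root)
    (root / "plugins/cache").mkdir(parents=True)
    (root / "themes/current").mkdir(parents=True)
    (root / "plugins/cache/export.php").write_text(
        "<?php\n$data = base64_decode($_POST['payload_b64']);\n")
    (root / "themes/current/header.php").write_text(
        "<?php\neval(base64_decode('ZWNobyAxOw=='));\n?>\n<html>\n")
    (root / "themes/current/footer.php").write_text("<?php wp_footer(); ?>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in scan_php_tree(build_sample_tree(tmp)):
            print(hit)
```

A "review" hit is a line to read, not a line to delete.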

Comparing the differences in core files:

The core files of WordPress determine its appearance and functionality. Malware is sometimes inserted into this part of the site. Since WordPress is open source software, its files are open to the public. By comparing the core files on your website with the publicly available WordPress core files, you will be able to spot files that differ from, or do not exist in, the public copy.

Comparing the differences in core files is a good way to detect a certain amount of malware. But it also has its limitations. Without proper technical understanding, you may end up comparing two different versions of WordPress, which results in false alarms.

More file checks: matching plugin files:

Matching plugins is another thing you can do. Make a list of the plugins you have already installed. Next, download the same plugins from the WordPress plugin repository. Now compare the two. This is a decent (although time-consuming) way to find malware. This too comes with its own set of problems, as you might have guessed.

There are different plugin versions, and not all of them are available to the public. Some changes are often not captured in the repository. These factors make matching WordPress plugin files tedious and unreliable.

Look for Recently Modified Files:

Recently modified files may well be the work of a hacker, who can inject malware or malicious code into them. You should treat with suspicion any file not modified by you or by anyone else who manages your website. But if the hacker is worth his salt, he will have reset the modification time. Good luck finding the modified file!

Look for Unknown Files & Folders in the WordPress Root Folder:

A WordPress website owner usually does not have to access the WordPress root directory, so it is a vulnerable target for malware injection. The plugin folder (/wp-content/plugins/) and theme folder (/wp-content/themes/) under the root directory are also at high risk of attack. The general rule of thumb is therefore to look for unknown files in these directories.

Although themes and plugins contain known sets of files and folders, unfamiliar files that are perfectly safe may also occur. Deleting them unwittingly could make the plugin misbehave, so you should avoid that.
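The file checks above (core file comparison, plugin matching, recently modified files, unknown files) come down to comparing the live tree with a clean copy. The following is an added example, not part of the original article: it compares by SHA-256, so a reset modification time does not hide a change, and it refuses to compare two different WordPress versions, the false-alarm case mentioned earlier. Function names, file contents and the version number 9.9.9 are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def wp_version(root):
    """Read $wp_version from wp-includes/version.php (None if absent)."""
    f = Path(root, "wp-includes", "version.php")
    if not f.is_file():
        return None
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", f.read_text(errors="replace"))
    return m.group(1) if m else None

def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(live, clean):
    """Compare a live install with a clean copy of the same version."""
    if wp_version(live) != wp_version(clean):
        raise ValueError("version mismatch: differences would be false alarms")
    live_h, clean_h = hash_tree(live), hash_tree(clean)
    return {
        "modified": sorted(f for f in live_h if f in clean_h and live_h[f] != clean_h[f]),
        "unknown": sorted(set(live_h) - set(clean_h)),  # review, do not blindly delete
        "missing": sorted(set(clean_h) - set(live_h)),
    }

def build_sample(base):
    """Constructed miniature 'clean' and 'live' trees for the demonstration."""
    files = {"wp-includes/version.php": "<?php\n$wp_version = '9.9.9';\n",
             "wp-includes/load.php": "<?php // core loader\n",
             "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n"}
    for tree in ("clean", "live"):
        for rel, body in files.items():
            p = Path(base, tree, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    live = Path(base, "live")
    (live / "index.php").write_text("<?php /* constructed stand-in for injected code */\n")
    (live / "wp-includes" / "wp-tmp.php").write_text("<?php // constructed unknown file\n")
    (live / "wp-includes" / "load.php").unlink()
    return live, Path(base, "clean")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_to_clean(*build_sample(tmp)))
```

Run against a real site, the "unknown" list will include wp-config.php and everything under wp-content; compare plugins and themes against their own clean copies in the same way.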

Given the complexity of manually finding malware, the success rate of these methods is always very limited. Therefore, it is better to select a WordPress automated malware scanner over manual scanning.


Using a security plugin

As with anything related to WordPress, there are tons of security scanning plugins available. However, most of these security scanners, including the top ones, rely on the ineffective methods we have just discussed. Unlike other security plugins for WordPress, MalCare does not rely on pattern matching or keyword identification. Instead, MalCare draws on what it has learned from the hundreds and thousands of websites it is already installed on in order to find new and complex hacks.

For more information about WordPress web scanners, see the top 5 malware scanners for WordPress.

Step 2: Clean Malware Redirects

Ideally, the security plugin you choose to scan your website for malware should also clean it. Look at the various cleaning options available to WordPress users:

One-click automated cleanup:

MalCare is the only security plugin that provides automated one-click cleanups for WordPress. Our product is unique in that it allows users to remove malware from their WordPress websites with a simple click of a button. There are no external security staff involved and therefore no need to wait at all. MalCare offers 3 different packages and includes an unlimited number of cleanups regardless of what package you choose.

Variable levels of cleanups:

Sucuri, a popular security plugin, provides a range of cleanup levels, depending on how quickly you want your site cleaned, from 30 minutes to 12 hours. Normally, your site is cleaned by security staff who need details such as SFTP credentials. The silver lining of purchasing Sucuri’s cleanup is that the cleaning service is free for a year. In other words, they will clean your site at no additional cost within a year, no matter how many times your website is infected.

Deeper Dig on the Website

It does no harm to run tests at times to check whether or not your website has malware or malicious code. You can pretend to be a particular user agent or Googlebot with the help of a Googlebot simulator, or you can use FETCH AS GOOGLE in the Webmaster console. A few commands can be run through an SSH client. With some code, you can find where the hack was done and manually remove the malware from WordPress.
