What To Do If Your WordPress Site Is Hit By Malicious Redirects

Thousands of different WordPress sites have been infected with malicious JavaScript in order to promote scam websites. The number of infections spiked in January, with the hackers exploiting vulnerabilities in a variety of different plugins commonly used on WordPress sites, including the CP Contact Form which is used alongside PayPal.

Hackers gain access to websites when there is a present vulnerability on your website, whether it be outdated software, a weak password or a flaw in an installed plugin, these all make it easy for hackers to get access to your site.

After the hackers have exploited these plugins, they are then able to flood it with JavaScript which sets off redirects to fraudulent websites where users are tricked into handing over their personal information using “survey-for-gifts” and then unwillingly install the infected malware.

Unfortunately for site owners, this JavaScript is able to make further modifications to existing WordPress files using the /wp-admin/theme-editor.php file. They can then use this for adding other malware, such as hacktools and PHP backdoors so that they can continue to maintain unauthorized access to the website. Hackers have also abused /wp-admin/ features to create counterfeit plugin directories which then contain more malware.

How do I know if my site has been hacked?

If you have noticed or have been alerted to the fact that your WordPress website is now redirecting to another website, then this is, unfortunately, a result of being hacked. When this happens, then it is absolutely vital that you try your best to fix it immediately. Taking back control of your site is important, as is making sure that you prevent this from happening again in the future.

If you are pressed for time and want to clean your site, then you can use some automated malware removals to do so, but in order to stop this from reoccurring in the future, then understanding what happened and why is an important first step.

The security of your website is important, and even more so if your website is on WordPress. This is because WordPress is a popular choice – it powers around 35% of all worldwide websites, meaning it is a popular choice for hackers.

Although security protocols continue to grow stronger every day, hackers aren’t far behind. According to a recent report, 90% of WordPress sites have been infected.

How do they get your website to redirect?

There are a few tricks that hackers use specifically to get access to your site and to make it redirect. Some of the most common ways include:

  • Injecting malicious code into your WordPress database and files.
  • Add themselves as ghost admin onto your site
  • Changing the homepage URL and site URL in your database

In most cases, visitors will be redirected elsewhere before they land on your homepage, however, the tricky thing with these hacks is that they can lie dormant anywhere on your website. It could be a link somewhere on your blog or a landing page that redirects your visitors. Unless it is brought to your attention, it may be that you have been hacked for a long time before you even realize it.

If you have noticed that your website is redirecting, then you will need to fix this immediately. Redirects can cause serious damage, not just to your site but also to your visitors, so it can have serious repercussions.

The negative impacts of a redirect

Hackers can cause serious, and sometimes irreversible, damage to your site, simply by redirecting your traffic elsewhere. If your website is redirecting traffic, then here are some ways as to how it can be causing damage to your website.

  • Loss of revenue – ultimately, a website redirect will not only cause a loss of traffic but ultimately a loss in revenue. Depending on the severity of the issue, this could be impossible to recover from.
  • Blacklisting – When search engines discover that your site has been infected by malware and is involved with spam or illegal products, your site may well be blacklisted. Site visitors will also be given a warning that your website is infected.
  • Brand hit – If a visitor lands on your hacked site and is redirected to a spam website or one which is selling illegal goods, then your brand absolutely will take a hit.

The longer you take to fix the hack issues, then the more troublesome the consequences become, which is why it is important to figure out the root cause of the hacking problem and the ways you can fix it.

Detecting and cleaning malicious redirects

Your website is redirecting because of the presence of infected codes that have been added by the hackers. In order to remove these redirects, you need to find where the malicious malware and/or code is hidden and remove it, however, this could be anywhere such as your “.htaccess” file, database, WordPress core or even hidden in your uploads.

You can scan your WordPress site, either manually or using a security plugin, to find the malicious code.

Manual scanning

During a manual scanning, you might find yourself looking for known patterns of code which are often used maliciously. Should you find one, then you can easily delete the code. But, the problem with this method is that it only ever matches a known pattern. The code can exist in a number of different patterns, and this is a relatively tedious process.

Keyword identification

Another common way that you can look for and identify malicious code is to search for the known keywords used, such as “eval” or “base64” – these usually form part of malicious code. The drawback when using this method is that you may find that these keywords can also be used as part of legitimate code. Many plugins use this within their code, so searching for these isn’t always foolproof.

Matching plugin files

Another way in which you can search for malicious redirects is by possibly matching plugins. Make a list of the different plugins which have already been installed and download the same plugins from the WordPress plugin repository. Then, match the two. This is good, but a time-consuming way of searching for and identifying malware and also comes with its own set of hurdles. There are different versions of plugins available and all of them are not publicly available and some of these have modifications that aren’t captured in the repository.

In an ideal world, you should use a security plugin to scan your site for malware, then this should also deal with the task of cleaning it. But, there are other cleaning options available for WordPress users.

Different levels of cleanup

Depending on how fast you want to clean your website, whether it be from 30 minutes to 12 hours, then there are different levels of cleanup available. Usually, cleaning your site involves including security personnel who will need your website’s details, such as SFTP credentials.

One-time cleanups

There are several WordPress security plugins and services which offer a one-time cleanup service and usually only charge a one-time fee. They will then scan your website and, upon finding a vulnerability, will fix it. Unfortunately, carrying out this option doesn’t guarantee a set turn-around time. This means that it could take minutes or even potentially days to clean your website. There are some effects when it comes to prolonging the cleaning of your website, for example, Google and other search engines could blacklist your website, or your website host could take your website down.

Protecting your website from future malicious redirects

Simply just locating the malware and cleaning your website will not fix the WordPress site. It is vital for you to take security measures that will protect your website from future hacks and redirect attacks. Website owners can implement some of, if not all, of the recommended WordPress security measures.

Manually implementing these measures will require some area of expertise, particularly if you have extensions of your website, such as an app. It is best to use some of the WordPress security plugins as a first measure and then investigate further, with the comfort of knowing that your website is somewhat protected for the time being.

What next?

Moving forward, you should disable the modification of primary folders on the backend of your WordPress website in order to block hackers from inserting malicious code or files or include this as part of your WordPress security hardening and best practices.

If, as part of the hacking, your web host suspended your hosting account, thus removing your website, then you will need to get in contact with their customer support team and explain the situation. Send them screenshots, along with any other information which is required. They will verify your site and once they have all the information they need, they will unsuspend your WordPress account.

Every website owner should bear in mind that having a presence online and having a platform that can store user data is a huge responsibility and one which should not be taken lightly. Be sure to take time investing in well-recommended and reliable backups and proven effective security measures to make sure that your WordPress website is working and safe.


Author Bio:

Natalie Wilson is a freelance writer for many business and technology publications. With a wide range of knowledge in the sectors, she is an avid researcher and writer in the field, taking particular interest in Northern tech brands such as Apadmi. Having worked with a number of different businesses, Natalie is now a freelance writer looking to specialize in the sector. You can connect with her on Twitter @NatWilson976.

Read also,

Disclosure: When you buy a service or a product through our links, we sometimes earn a commission without any extra cost to you. Learn More

2 thoughts on “What To Do If Your WordPress Site Is Hit By Malicious Redirects”

Leave a Comment

Your email address will not be published. Required fields are marked *