You click on your website. You expect to see your homepage.
Instead, the screen flashes white, and suddenly you are looking at a strange website selling illegal medicine, gambling, or adult content.
This is called the WordPress Redirect Hack.
It is one of the most dangerous hacks because it steals your traffic. Even worse, it destroys your reputation with Google. If Google sees your site redirecting users to spam, they will blacklist you immediately.
In this guide, we will show you exactly how to find the malicious code and remove it—even if you can’t log in to your dashboard.
How the Redirect Hack Works
Hackers are smart. They rarely change your homepage directly because you would notice that. Instead, they use “cloaking” tactics.
The “Mobile Only” Trick: Often, the hacker sets the virus to only redirect visitors on mobile phones. If you check your site on your laptop, it looks fine. This tricks you into thinking your site is safe while your mobile customers are being sent to spam sites.
The “Google Search” Trick: The virus checks where the visitor came from.
If you type yoursite.com directly -> No Redirect.
If you click a link from Google -> Redirect to Spam.
This keeps the admin (you) in the dark while stealing all your SEO traffic.
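To see the cloaking described above for yourself, request the homepage the way the targeted visitors do (mobile browser, arriving from Google) rather than from your desktop. This is an added example, not a tool from the article; the function names, the placeholder site URL and the header values are constructed.

```python
# Added example: fetch the homepage under several visitor profiles without
# following redirects, and report whether each response sends the visitor
# off your own domain. Names (PROFILES, classify, probe_redirect) are ours.
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
PROFILES = {                                  # the visitor types the article describes
    "desktop-direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "mobile-direct": {"User-Agent": IPHONE_UA},
    "mobile-from-google": {"User-Agent": IPHONE_UA, "Referer": "https://www.google.com/"},
}

class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; we want to inspect the Location header ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def _host(url):
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def classify(site_url, status, location):
    """'ok', 'same-site redirect' or 'OFF-SITE redirect' for one response."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "ok"
    own, target = _host(site_url), _host(location)
    if not target or target == own or target.endswith("." + own):
        return "same-site redirect"        # e.g. yoursite.com -> www.yoursite.com
    return "OFF-SITE redirect"

def probe_redirect(site_url, headers):
    """One request with the given headers; returns (status, Location header)."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(site_url, headers=headers), timeout=15) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:    # an unfollowed 3xx surfaces as HTTPError
        return e.code, e.headers.get("Location")

if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "https://yoursite.com/"   # placeholder
    for name, hdrs in PROFILES.items():
        status, loc = probe_redirect(site, hdrs)
        print(f"{name:20} {status} {loc or '-':45} {classify(site, status, loc)}")
```

A site that answers "ok" for desktop-direct but "OFF-SITE redirect" for mobile-from-google is showing exactly the cloaking pattern above; a JavaScript-based redirect will not appear here and needs the file checks below.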
Step-by-Step Removal Guide
We will start with the most common hiding spots for redirect malware. You will need to use FTP (File Transfer Protocol) or the File Manager in your hosting control panel.
Step 1: Check the .htaccess File (The Usual Suspect)
The .htaccess file controls traffic on your site. Hackers love to modify this file to force redirects.
Connect via FTP: Access your site’s root folder (usually public_html).
Find the File: Look for .htaccess.
Edit: Right-click and view the file.
Look for Suspicious Code:
A clean WordPress .htaccess file is usually short (about 10-15 lines).
If you see hundreds of lines of random letters, or code referencing “HTTP_USER_AGENT” or “HTTP_REFERER,” this is the virus.
The Fix: Delete the .htaccess file entirely. Then, log in to your WordPress Dashboard, go to Settings > Permalinks, and click “Save.” WordPress will create a fresh, clean file for you.
Step 2: Check wp-config.php and index.php
These are core system files. They should rarely change.
Open index.php in your root folder. It should be very short. If you see a wall of code at the top that looks like scrambled letters (eval(base64_decode...)), delete it.
Check wp-config.php. Hackers often hide an include statement here that loads the virus from a temporary file.
Step 3: The “Header” Injection
Hackers often inject JavaScript into your theme’s header to redirect users.
Go to wp-content/themes/your-theme/.
Open header.php.
Look for <script> tags that link to strange domains. If you see code that looks like window.location.replace, delete it.
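The checks in Steps 1 to 3 can be run in one pass instead of eyeballing each file. The scanner below is an added example, not a tool from the article; its signature list is ours, the function names are ours, and the two .htaccess samples are constructed (the second copies the user-agent/referer cloaking the article describes).

```python
# Added example: flag the indicators from Steps 1-3 in .htaccess, index.php,
# wp-config.php and theme header.php files. Hits are leads to review, not verdicts.
import re
import sys
from pathlib import Path

# (label, file kinds it applies to, pattern)
SIGNATURES = [
    ("redirect conditioned on user agent/referer", {".htaccess"},
     re.compile(r"RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)),
    ("rewrite rule redirecting to an external URL", {".htaccess"},
     re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)),
    ("obfuscated PHP (eval of a decoded payload)", {".php"},
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("include of a file in a temp directory", {".php"},
     re.compile(r"(include|require)(_once)?\s*\(?\s*['\"][^'\"]*/tmp/", re.I)),
    ("JavaScript redirect in a template", {".php"},
     re.compile(r"window\.(location\.replace|location\.href|top\.location)", re.I)),
]

def scan_text(name, text):
    """Labels of every signature matching this file's content (empty list = clean)."""
    kind = ".htaccess" if name == ".htaccess" else Path(name).suffix.lower()
    hits = [label for label, kinds, rx in SIGNATURES if kind in kinds and rx.search(text)]
    if kind == ".htaccess" and text.count("\n") > 100:   # a clean WP file is ~10-15 lines
        hits.append("unusually long .htaccess")
    return hits

def scan_install(root):
    """Check the Step 1-3 files under a WordPress root; returns [(path, labels)]."""
    root = Path(root)
    targets = [root / ".htaccess", root / "index.php", root / "wp-config.php"]
    if (root / "wp-content" / "themes").is_dir():
        targets += (root / "wp-content" / "themes").rglob("header.php")
    report = []
    for p in (t for t in targets if t.is_file()):
        hits = scan_text(p.name, p.read_text(errors="replace"))
        if hits:
            report.append((str(p), hits))
    return report

# Constructed samples: the stock WordPress .htaccess and one with a cloaked redirect.
CLEAN_HTACCESS = ("# BEGIN WordPress\nRewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
                  "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteRule . /index.php [L]\n# END WordPress\n")
HACKED_HTACCESS = CLEAN_HTACCESS + ("RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
                                    "RewriteCond %{HTTP_REFERER} google\\. [NC]\n"
                                    "RewriteRule ^(.*)$ http://spam-pharmacy.example/$1 [R=302,L]\n")

if __name__ == "__main__":
    for path, hits in scan_install(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", "; ".join(hits))
```

Run it against a copy of the site downloaded over FTP; keep the flagged originals somewhere safe before deleting anything, so you can compare what changed.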
Step 4: Check the Database (The Deep Hiding Spot)
Sometimes the redirect is not in a file, but in your database settings.
Open phpMyAdmin from your hosting dashboard.
Go to the wp_options table.
Check the siteurl and home rows.
Make sure the URL is actually your website (e.g., https://yoursite.com). If it points to a spam site, change it back immediately.
The "Nuclear" Option (Core Replacement)
If you checked the files above and the redirect is still happening, the virus is hiding deep in your system files. The best way to fix this is to replace all WordPress core files.
How to do it safely:
Download WordPress: Get a fresh zip file from WordPress.org.
Extract the Zip: Unzip the folder on your computer.
Upload: Connect to your server via FTP. Upload the wp-admin and wp-includes folders from your computer to your server, overwriting the old ones.
Note: This replaces the infected system files with clean ones. It does not touch your content (images/posts) or configuration.
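Before (or after) overwriting the core folders, it is worth knowing which system files actually differ from the official release. The following is an added example, not from the article: it compares the install against the per-release MD5 list published by WordPress.org (the feed WP-CLI's verify-checksums uses; the endpoint URL is an assumption), and the function names are ours.

```python
# Added example: report core files that are modified, missing, or not part of
# the release, by hashing the install and comparing with WordPress.org checksums.
import hashlib
import json
import re
import sys
import urllib.request
from pathlib import Path

CHECKSUM_API = "https://api.wordpress.org/core/checksums/1.0/?version={ver}&locale={loc}"  # assumed
CORE_DIRS = ("wp-admin", "wp-includes")

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def installed_version(root):
    """Read $wp_version from wp-includes/version.php (None if not found)."""
    text = (Path(root) / "wp-includes" / "version.php").read_text(errors="replace")
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def fetch_checksums(version, locale="en_US"):
    """{relative path: md5} for one release, or None if WordPress.org has no record."""
    with urllib.request.urlopen(CHECKSUM_API.format(ver=version, loc=locale), timeout=30) as r:
        return json.load(r).get("checksums") or None

def hash_tree(root):
    """{relative path: md5} of root-level files plus everything under the core dirs."""
    root = Path(root)
    files = [p for p in root.iterdir() if p.is_file()]
    for d in CORE_DIRS:
        files += [p for p in (root / d).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): md5_hex(p.read_bytes()) for p in files}

def compare_core(expected, actual):
    """Split the install into modified / missing / extra core files."""
    expected = {k: v for k, v in expected.items() if not k.startswith("wp-content/")}
    modified = sorted(k for k, v in expected.items() if k in actual and actual[k] != v)
    missing = sorted(k for k in expected if k not in actual)
    # Unknown files only count inside the core dirs (wp-config.php etc. are yours).
    extra = sorted(k for k in actual if k not in expected and k.split("/", 1)[0] in CORE_DIRS)
    return {"modified": modified, "missing": missing, "extra": extra}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    sums = fetch_checksums(installed_version(root))
    if not sums:
        sys.exit("no checksums published for this version")
    for kind, paths in compare_core(sums, hash_tree(root)).items():
        print(f"{kind}: {len(paths)}", *paths[:20], sep="\n  ")
```

A non-empty "extra" list under wp-includes or wp-admin is the kind of dropped file the plain folder overwrite above leaves in place, so delete those by hand after the upload.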
Fixing Your SEO (Google Blacklist)
Once the redirect is gone, you have one more big problem. Google likely marked your site as “Deceptive.” You need to clear your name.
Google Search Console: Log in and check the “Security Issues” tab.
Request Review: Click the button to tell Google you have cleaned the site.
What to say: “I identified a malicious redirect in my .htaccess file. I have removed the code, replaced core WordPress files, and updated all passwords. The site is now clean.”
Wait: It usually takes 24-72 hours for Google to remove the red warning screen.
Prevention (Lock the Doors)
Don’t let this happen again.
Change Passwords: Hackers might still have your password. Change your Admin, FTP, and Database passwords now.
Disable File Editing: Stop hackers from editing your theme files from the dashboard. Add this line to your wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
Install a Firewall: Use a plugin like Wordfence or a service like Cloudflare to block hackers before they even reach your site.
Conclusion
The “Redirect Hack” is scary, but it is just code. It can be deleted.
Checklist to Fix It:
Check .htaccess first (it’s usually there!).
Replace wp-admin and wp-includes with fresh copies.
Check your database URLs.
Tell Google you are clean.
Need Help Cleaning Up? If you are uncomfortable deleting server files or can’t find the malicious code, do not risk breaking your site further. Contact Our Malware Removal Team. We can scan your site, find the hidden redirect, and clean it up today.
For more help, you can check the Google Webmasters Hacked Site Guide