WordPress Hacked Redirect? How To Clean Website Redirect Malware
If your WordPress website or admin dashboard is getting redirected automatically to a spam website, your website has likely been hacked and infected with redirect malware.
So what can you do about the WordPress hacked redirect malware on your site?
First of all, confirm if you actually have a hack by scanning your website.
The important thing to remember is that time is your best friend here. Do not waste time agonizing over it. The hack is totally fixable, and your site can be cleaned. But you need to move fast.
We have come across this hack thousands of times. And while it is something to take note of, you need not worry.
We will tell you the exact steps to help you remove malicious redirects from your site, fix your website, and make sure it doesn’t happen again.
What does WordPress hacked redirect mean?
WordPress hacked redirect happens when malicious code is injected into your website, which then automatically takes your visitors to another website. Usually, the destination website is spammy, with grey market pharmaceutical products, or illegal services.
How do I know my WordPress site is redirecting to Spam?
As stated before, automatic redirects are a reliable symptom of a WordPress redirect hack. Spam redirects can occur from search results, on certain pages, or even when you are trying to log in to your website. The trouble with redirects is that they don’t always happen consistently or reliably.
Check for WordPress hacked redirect symptoms
- WordPress site redirecting to spam site: The classic symptom of a WordPress redirection hack. Depending on the variant of the malware, the redirect can occur in different ways or places on your website.
- Automatic redirects: Malware redirects take your visitors automatically to spammy websites when someone visits your website. This also happens if someone clicks through to your website from Google. You will typically also get redirected if you try to log into your website.
- Link redirects: Someone clicks on a link, and then they are redirected to another website. This is especially clever because visitors click on links expecting to be taken elsewhere anyway.
- Mobile-only redirects: Your website gets redirected only when it is accessed via a mobile device.
- Google results show a ‘Site may be hacked’ message: When your website is listed in search results, a small ‘Site may be hacked’ message will appear just underneath the title. This is Google’s way of cautioning visitors about a potentially hacked site.
- Google blacklist: The biggest of all red flags, quite literally, Google’s blacklist is a sure-fire sign that your website has been hacked. Even if your visitors use another search engine, those search engines also use Google’s blacklist to flag hacked sites.
- Google Ads flags scripts on your website: If you try running ads on your website, Google Ads will run a scan on your website, and alert you for redirection scripts on your posts or pages.
- Web host has suspended your account: Web hosts suspend websites for several reasons, and malware is one of the big ones. If you are seeing this message when you try to access your website, check your email for a reason. Alternatively, reach out to their support team.
- People are complaining: The terrible part of hacks is that website admins are usually the last to find out about a hack, unless they have a good security plugin installed. So many people find out because website visitors and users complain about seeing the website redirect to spam, or even about receiving junk email.
Confirm if your website is infected with redirect hack
The quickest way to confirm if your website is affected by malicious redirects is to scan your website.
Scan your website with a security plugin
The fastest and easiest way to scan your website for hacks is with a security plugin like MalCare. MalCare seamlessly syncs with your WordPress site and scans for hidden malware that is not easily discoverable.
Scan using an online security scanner
Online scanners are a great tool to use as the first step of your diagnostic process. These scanners go through the publicly visible parts of your website and scan them for malware. Given that malware can hide anywhere on your WordPress site, these are not entirely effective for complete diagnostics but can be used alongside other methods.
Scan for malware manually
Scanning for WordPress hacked redirect malware manually is more than just tedious. And we would highly advise you against doing this. A security plugin can do this a lot more effectively and within a fraction of the time.
Manual scanning is basically parsing through every line of your website code looking for ‘junk code.’ Given that malicious code is not consistent or even specific, it is akin to looking for a needle in a haystack. But if you need to scan manually, this is how you can do it.
One of the easiest ways to look for malware manually is to look at the recently modified files on your website. If you haven’t modified said files, chances are that they are infected. Make sure to repeat this process for the database as well.
However, this trick may not always work, as hackers can change the timestamps on files to mislead you, sometimes setting them back several months or days.
Where to locate redirect malware
The WordPress redirect malware, like any other kind of malware, can hide anywhere on your WordPress site. And given that there are variants of the redirect malware, the code can look different for each one. So we really cannot offer an exact blueprint of code for you to look for, but if you understand your website code, you can look for strange code in the following places.
Files-
- WordPress core files: The two primary folders in the WordPress core are wp-admin and wp-includes. They do not include any user content, so they should be identical to the fresh installs you can get on the WordPress repository. Make sure that the version you are comparing your website with is the same as the one installed on your site. If you find any extra code in these files, it could be malware.
The next file you need to look for is the .htaccess file. This file carries the traces of the WordPress mobile redirect hack, if it exists on your website. You can look for any redirect scripts on this file, and note them for a cleanup.
- Active theme files: Your theme files are also a good place to look for malware. First, ensure that only one theme is active on your website, and then look into the header.php, footer.php, and functions.php files in the active theme folder. You can compare the code to fresh installs of the theme, but bear in mind that customizations can show up as extra code.
- Plugin files: Malware can hide as fake plugins on your website to throw you off. A good way to look for fake plugins is to go to the wp-content folder and look at all the plugin files present there. If you notice any duplicates or oddly named plugins, chances are that they are malware. For example, we recently came across these:
/wp-content/plugins/wp-zzz/wp-zzz.php
/wp-content/plugins/Plugin/plug.php
Note: If you use nulled themes or plugins on your WordPress site, you don’t need to look further, because you have almost certainly been hacked through them.
Database-
- wp-posts table: Now you need to go through your database. In your wp-posts table, look into a good number of posts if you cannot go through all of them, because even though malware usually shows up on every single page, hackers can hide it to make it difficult for you to find.
- wp-options table: In this table, look for the siteurl. If it isn’t your website URL, chances are that redirect malware has altered it to point to a spam website instead.
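The core-file check described above, as an added example (not code from the original article): it compares wp-admin and wp-includes against a clean reference copy by SHA-256 rather than by modification time, because timestamps can be altered. The function names and the sample trees built by `build_demo` are constructed for illustration.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # core folders with no user content

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map relative path -> SHA-256 for every file under the core folders."""
    hashes = {}
    for sub in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hashes[rel] = sha256_of(full)
    return hashes

def compare_core(site_root, clean_root):
    """Compare by content, never by mtime, since timestamps can be forged."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "extra": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }

def build_demo():
    """Constructed sample trees: a 'clean' reference and a tampered 'site'."""
    base = tempfile.mkdtemp(prefix="wpcmp-")
    clean = {"wp-includes/version.php": "<?php // version file\n",
             "wp-includes/load.php": "<?php // loader\n",
             "wp-admin/index.php": "<?php // dashboard\n"}
    site = dict(clean)
    site["wp-includes/load.php"] += "// constructed stand-in for injected code\n"
    site["wp-admin/extra-file.php"] = "<?php // not in the reference\n"
    for root_name, files in (("clean", clean), ("site", site)):
        for rel, body in files.items():
            path = os.path.join(base, root_name, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.utime(path, (946684800, 946684800))  # backdate every mtime
    return os.path.join(base, "site"), os.path.join(base, "clean")

if __name__ == "__main__":
    print(compare_core(*build_demo()))
```

On a real site, point `compare_core` at the live WordPress root and at an unpacked download of the same WordPress version; every "modified" or "extra" path is a file to inspect.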
How to remove WordPress hacked redirect infection from your site
Looking for and identifying malware on your website is only half the battle won. Now comes the most important part, which is the clean-up. Removing WordPress hacked redirect infection from your website can be done in two ways. You can either use a security plugin like MalCare, which will take care of all the heavy lifting for you and clean up your website in minutes, or you can do it manually.
While manual clean-ups are possible, we absolutely do not recommend this course of action. There is a lot that can go wrong and it is a time-consuming endeavor. In the case of hacks, time is of the essence, so using a security plugin is the best course of action.
Clean your WordPress site with a security plugin
If you have already scanned your website with MalCare, we will show you how to clean up your website in the next section. If you have not, you will first need to install MalCare on your WordPress site and scan it. However, you can pick any security plugin to do this.
If your WordPress site is redirecting from the wp-login page, and you cannot access it to install the plugin, reach out to us and our emergency cleanup service will take care of it for you.
Now that you have MalCare installed, your scan will have alerted you of a hack. Now all you need to do is upgrade your accounts and click on the ‘Clean Site’ button.
Remove redirect hack malware manually
Before we explain how you can manually clean your WordPress site, we would like to reiterate that this is not recommended, and there are numerous things that can go wrong when manually cleaning up your site. Many times, we get websites for cleanup that could have been cleaned in a matter of minutes but manual cleaning efforts broke the site and now it is a task and a half. So before you take this route, consider using a security plugin one more time.
If you still wish to clean up your site manually, here is how you can go about it step-by-step.
- Backup your website with BlogVault
The first step is to back your website up, preferably on a server separate from the one hosting your website. This is a failsafe in case the clean-up goes wrong or breaks your site. Even though your website is hacked right now, it is still a functional site, which is better than having to start from scratch. BlogVault allows you to take safe backups that are easy to restore and are stored on offsite servers.
- Download clean installs of WordPress
In order to clean your WordPress site, you need a reference for clean files. So you will need to download clean installs of WordPress core, themes, and plugins from the WordPress repository. It is extremely important to match the versions of these files with the ones on your website, to make sure that the base code is the same.
- Reinstall WordPress core
Now comes the actual cleanup part. You start by reinstalling the WordPress core files. You can entirely replace the wp-admin and wp-includes folders as they do not have any user content in them.
The next step is to look for any strange or suspicious code in the following files:
- index.php
- wp-config.php
- wp-settings.php
- wp-load.php
- .htaccess
You will have to carefully remove any malware that you find in these files. Make sure that you are only deleting malware, or else your site can break or act erratically if you delete anything important.
We cannot give you specifics on what to look for, because the malware can look like any other code. This is why you need a basic understanding of code logic to undertake manual cleanup of your site.
After you are done with this, take a look at the wp-uploads folder. Does it have any PHP files? If yes, delete them as the wp-uploads folder is not supposed to have any PHP files at all.
- Clean themes and plugins files
You can find the themes and plugins files in your website’s wp-content folder. Start by comparing each theme and plugin file with the fresh installs you downloaded from the repository. You can use an online diffchecker to compare, as going through every line of code manually can be a big undertaking.
Look for any changes in your version of the files, and try to determine if this is just a result of customization or actual malware, as customizing your themes or plugins can alter the code. Now, carefully delete the malware that you have found.
Look for any fake plugins or newly discovered vulnerabilities in the plugins that you use. If you haven’t updated your files after the vulnerability has been discovered, you will have to update the plugin, and look for malware in the plugin file.
- Clean database tables
You will have to repeat the same process for your database tables. In order to access your database tables, you can use phpMyAdmin. Look for the malware in the following tables specifically:
- wp-posts
- wp-options
If you have noted down the malware in the scanning process, you can carefully delete the malicious script from your database tables and clean it up.
- Remove backdoors
Once the cleaning is done, you will have to fix the cause of the hack. Hacks often occur due to backdoors on your website. A backdoor is a loophole in the website code that hackers exploit to gain access to your website. Unless you remove these backdoors, your website can be hacked again just as easily.
You can look for the following keywords that often are a part of backdoors:
- eval
- base64_decode
- gzinflate
- preg_replace
- str_rot13
However, these keywords don’t necessarily signal malware. They are sometimes used in legitimate themes and plugins as well.
- Reupload clean files
It is now time to reupload clean files to your WordPress site. You will need to use both File Manager and phpMyAdmin for this purpose. The process is very similar to manually restoring a backup, so you can take a look at our comprehensive guide on restoring backups for additional instruction.
You will first have to delete the files one by one and then upload the cleaned versions to your WordPress site.
- Remove cache
You are almost there. Even though you have cleaned your website, there may still be traces of malware on it. This happens because the website cache stores a version of your site for faster loading. This version could also have malware in it. Therefore, in order to completely rid your website of malware, you need to clean the cache entirely.
- Use a security scanner to confirm
Congratulate yourself, your clean-up is done! In order to confirm that the cleanup was successful, use a security scanner to scan your site. If it finds no traces of malware, you are good to go. If not, you may want to look into other options for cleaning.
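Two of the manual checks above, PHP files in the uploads folder and the backdoor keyword list, as an added example (not code from the original article). It assumes the default WordPress layout, where uploads live at wp-content/uploads; the function names and the inert sample files are constructed for illustration. Because legitimate themes and plugins also call these functions, the output is a review order, not a verdict.

```python
import os
import re
import tempfile

# Function names the page lists; legitimate themes and plugins call them too.
KEYWORDS = ("eval", "base64_decode", "gzinflate", "preg_replace", "str_rot13")
CALL_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\s*\(")

def triage(wp_content):
    """Return (PHP files under uploads/, {file: listed functions it calls})."""
    php_in_uploads, hits = [], {}
    for dirpath, _dirs, files in os.walk(wp_content):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_content).replace(os.sep, "/")
            if rel.startswith("uploads/"):
                php_in_uploads.append(rel)
            with open(full, "r", errors="replace") as fh:
                found = sorted(set(CALL_RE.findall(fh.read())))
            if found:
                hits[rel] = found
    return sorted(php_in_uploads), hits

def rank(hits):
    """Review order: files combining several listed functions come first."""
    return sorted(hits, key=lambda p: (-len(hits[p]), p))

def build_demo():
    """Constructed wp-content tree; the file bodies are inert samples."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    samples = {
        "uploads/2020/01/image.php": "<?php eval(gzinflate(base64_decode($placeholder)));",
        "uploads/2020/01/photo.jpg": "not php",
        "plugins/legit/legit.php": "<?php $s = preg_replace('/\\s+/', ' ', $s);",
        "themes/active/header.php": "<?php // no listed functions here",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    uploads_php, hits = triage(build_demo())
    print("PHP under uploads:", uploads_php)
    for path in rank(hits):
        print(path, hits[path])
```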
How did your site get infected with the WordPress redirect hack?
After this rollercoaster ride through cleaning up your website, you might wonder how your website got infected with the WordPress redirection hack in the first place. There are several reasons this could have happened, and we will take a look at them, but first let’s understand why websites get hacked at all.
WordPress websites are designed for functionality and customization, which means that each WordPress site is a labyrinth of code. Essentially, this code cannot be bulletproof because it is written by someone, and there is always scope for human error. So while you can make your WordPress site as close to bulletproof as possible with the right security, it is not invulnerable without those security practices.
Some of the most likely reasons for your site getting infected with the WordPress redirect hack are:
- Vulnerabilities in the themes and plugins
- Nulled themes and plugins
- Undiscovered backdoors
- Brute force attacks
- Not using SSL
- XSS attacks
- Weak passwords and compromised user accounts.
Whatever the reason may be, you can always prevent hacks with the right security practices, and limit the damage from any malware to the bare minimum. All you need to do is buff up your website security with some simple practices.
How to prevent WordPress redirection hack in the future?
The nature of hacks is such that they keep reappearing. This is often because most people don’t realize that website security is not a one-time exercise. You need a proper plan and protective measures that will keep your WordPress website from getting hacked and redirected to spam sites again. This does not mean that you are doomed. In fact, you can avoid getting hacked if you only implement a few measures.
Use a security plugin
A security plugin is important not just to scan and clean your website, but also to protect it and alert you in time if any malware gets in. A complete security solution like MalCare offers a firewall that blocks brute force attacks, regularly scheduled automatic scans that ensure that your website health is maintained, and timely alerts that help you take action immediately if there is a security incident.
Install SSL
SSL allows you to encrypt any communication that happens to and from your website. This means that no one can intercept the data being sent to or received from your website and try to gain unauthorized access. Installing SSL will also help you improve your SEO as Google actively penalizes non-SSL sites.
Update your WordPress core, themes, and plugins
Your website is made up of code, and where there is code, there are vulnerabilities. These vulnerabilities are patched as soon as they are discovered, however. And you can protect your website from attacks by simply updating your WordPress core, themes, and plugins regularly. You can update everything safely by installing a backup plugin like BlogVault and making sure you use a staging server to check the results before pushing updates to your live site.
Choose strong passwords
Weak passwords are still the leading cause of hacks. And while it may be difficult to remember strong passwords, you don’t have to. You can use a password manager that stores all your passwords, making it easy for you to log in as well as secure your website.
Harden WordPress
There is a list of measures that WordPress recommends to secure your WordPress site better, such as two-factor authentication, blocking PHP execution in certain folders, etc. These measures together are known as WordPress hardening. MalCare helps you do all of this with a click of the button, making it completely hassle-free.
Create and follow a website security plan
Finally, it is important to keep in mind that website security is an ongoing process. And in order to secure your website, you need a plan. Create a comprehensive security plan with measures and timelines, and follow it to avoid any future hacks.