Is your website being diverted to a different location?

Or perhaps worse…

Is your WordPress Dashboard taking you to a different website? If you have Quttera mounted, you may be seeing something like this:

Of course, that isn’t even close to being helpful. But don’t worry; we’ll walk you through it.

The WordPress hacked redirect malware has compromised your computer. It’s also likely that you’ve already tried cleaning your website but it’s not working.

What doesn’t and won’t fit are the following:

  • Deactivating or removing the infection-causing plugin or theme
  • Using a backup to restore a previous version of your website
  • WordPress or your themes and plugins need to be updated.

TL;DR: Manually detecting and removing hacked redirect malware is extremely difficult. The good news is that you can use a malware removal tool to clean up your website in under 60 seconds.

What Is Going On With Your Website?

The hacked WordPress redirect malware:

Your traffic is stolen, and your name is ruined.

Google can blacklist your website.

It’s possible that your web host will suspend your account without notice.

That isn’t even the most heinous part.

The WordPress hacked redirect malware comes in hundreds of different variations. The more advanced the hacker, the more difficult it is to locate and delete malware.

Furthermore, since it is such a visible hack…

The worst part, you think, is that your website redirects to another link.

The most dangerous aspect of the WordPress hacked redirect malware, however, is that it also generates WordPress user accounts with admin privileges.

This means the hacker can infect your website as many times as you can clean it.

Consider using a service like Wordfence that charges you for each cleanup, even if the hack is repeated. You will be bled dry by the compromised redirect malware.

Wordfence still raises far too many red flags for a hacked WordPress redirect:

* Unknown file in WordPress core: wp-admin/css/colors/blue/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/coffee/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/ectoplasm/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/light/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/midnight/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/ocean/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/php.ini
* Unknown file in WordPress core: wp-admin/css/colors/sunrise/php.ini
* Unknown file in WordPress core: wp-admin/css/php.ini
* Unknown file in WordPress core: wp-admin/images/php.ini
* Unknown file in WordPress core: wp-admin/includes/php.ini
* Unknown file in WordPress core: wp-admin/js/php.ini
* Unknown file in WordPress core: wp-admin/maint/php.ini
* Unknown file in WordPress core: wp-admin/network/php.ini
* Unknown file in WordPress core: wp-admin/php.ini
...

The WordPress hacked redirect malware is detected by Wordfence in this way.

What exactly are you supposed to do with that detail, once again?

Now is the time to clean up the WordPress hacked redirect malware permanently.

You will suffer more at the hands of the malware the longer you wait.

Thankfully, you Should clean your website, and we’ll show you how.

How Do You Know For Sure That You Have the WordPress Hacked Redirect Malware?

There are a plethora of ways to become infected with the WordPress hacked redirect malware.

So, how can you tell if you’ve been infected with the virus?

Use a litmus test to see if anything is true.

If you answered “Yes” to any of the following questions, you have redirect malware:

  • You always have a visible redirect to another website on all sites.
  • Your website’s spam content is flagged by Google Search Results.
  • On your account, you have unexplained push notifications.
  • The index.php file contains malicious javascript code.
  • Unidentified code can be found in the.htaccess file.
  • On your server, there are garbage files with suspicious names.

Although it may seem absurd, the first search is actually the least popular.

As previously said, there are far too many variations of the WordPress hacked redirect problem to pinpoint (more on this later). And if you have complete access to the website, there’s a chance you won’t find any malicious code.

How to Clean Your Website from WordPress Redirect Hack

Following the WordPress redirect hack, there are three ways to clean up the website.

Method #1: Scan your website for malware and clean it

Method #2: Use an Online Security Scanner (NOT RECOMMENDED)

Method #3: Manually clean the website (Downright Impossible for the Hacked Redirect Malware)

Let’s take a look at each one individually.

Method #1: Use a Malware Scanner and Cleaner Plugin

Trust us when we say that if you get infected with Malware that redirects your website to Spam, you’ll want to invest in a plugin, even if it costs money.

You should pray to the God that every religion has to give in the hopes that a plugin will be able to clean up your site.

If you can’t find a malware scanner and cleaner that works, it’s much easier to uninstall your website and start over.

It doesn’t matter how important your website is to your business.

That’s how aggravating it is to manually scrub your website.

MalCare, an efficient malware scanner and cleaner, is recommended.

We wholeheartedly suggest using MalCare to search and clean your site for WordPress hacked redirect malware, despite the fact that we may be somewhat biassed.

What is the reason for this?

This is the simplest and most straightforward method for locating, removing, and repairing the WordPress redirection problem without causing any damage to your website.

To ensure that your website is really compromised, you can get unlimited FREE server-level scans.

Then, with just one click, upgrade to the premium edition to clean your website in under 60 seconds!

Following that, you can use MalCare’s WordPress security hardening methods to prevent your website from being hacked again.

The following is a step-by-step procedure to follow:

STEP 1: Enroll in MalCare.
STEP 2: Run the MalCare anti-malware scanner:
STEP 3: To clean your site automatically, click the ‘Clean’ button.
STEP 4: Finally, go to ‘Apply Hardening’ to protect your website from future attacks.

That’s what there is to it.

WordPress Redirect Hack is only one of several malwares that MalCare can detect and clean automatically.

If you’re not going to use a premium scanner and cleaner like MalCare, you’re probably using one of these security plugins:

  • Sucuri
  • Wordfence
  • Quterra
  • Astra Web Security
  • WebARX Security

Although none of these security plugins can provide one-click auto-cleanups driven by a learning algorithm, you can have security personnel manually clean your website.

Expect a lengthy clean-up. Cleaning by hand takes time.

Repeated hacks are subject to higher cleanup fees. You won’t have access to as many cleanups as MalCare customers do.

It’s possible that you won’t be able to fully uninstall the malware. The majority of these plugins would ignore the hacker’s backdoors.

However, using either of these plugins is preferable to using a web scanner or manually scanning your WordPress pages.

Continue reading if you’re fully opposed to paying for a solution because you’ve been burned before. We’ll give you two more choices to consider, but neither is recommended.

Method #2: Use an Online Security Scanner

Sucuri SiteCheck or Google Safe Browsing may be used as a preliminary check.

Both of these online security scanners perform a cursory examination of your website’s HTML files. Only the portions of your website that are available to a browser can be scanned by online scanners. The scanner then compares such code snippets to a database of documented malware signatures.

Instead, use MalCare to search the website. In our 7-day FREE trial, we have a much more thorough scan.

Online malware scanners are unable to search your server or WordPress core files.

To be sure, they aren’t entirely ineffective.

Links that have been blacklisted by search engines can be detected using web-based security scanners. In certain unusual cases, you may or may not be able to find snippets of famous malware. A server-level malware scanner, on the other hand, is needed to pinpoint and clean your website.

The operation of these scanners is very straightforward:

  • Proceed to the scanner.
  • Please include a link to your website for the scanner to review.
  • Wait for the scanner to return some details.

Using a superficial scanner will not help you in this case.

You may receive some advice about how to clean up a few bad links, but the hacker will still have access to your WordPress account. You will be reinfected with the WordPress hacked redirect malware in a few days.

Method #3: Scan and Clean Your Site Manually

We’re going to be honest with you right now.

Attempting to clean the website manually with a WP redirect hack is a surefire way to fully destroy it.

This is not a joke.

Database administrators with more than ten years of experience are afraid of having to manually clean up a WordPress database. The WordPress core files and the.htaccess file should never be messed with, according to WordPress experts.

The WordPress redirect malware, unfortunately, normally affects:

  • Core WordPress Files
    • index.php
    • wp-config.php
    • wp-settings.php
    • wp-load.php
    • .htaccess

 

  • Theme Files
    • footer.php
    • header.php
    • functions.php

 

  • Javascript Files (This could be ALL javascript on your website or specific files)

 

  • WordPress Database
    • wp_posts
    • wp_options

 

  • Fake Favicon.ico That Cause (These files contain malicious PHP code):
    • URL injections
    • Creation of administrator accounts
    • Installation of spyware/trojans
    • Creation of phishing pages

That’s a lot of ground to cover in a short amount of time.

Take a complete website backup if you’re the adventurous kind who insists on manually inspecting and cleaning your website.

Let it happen.

Right now, do it.

In the event that anything goes wrong, you can use BlogVault to create backups with one-click restores. It’s one of the most effective backup plugins available.

To be honest, it doesn’t matter if you use another backup plugin right now as long as you take a backup.

Then, when we go through the steps, make sure you follow them exactly.

Part 1: Check WordPress Core Files

Many variants of the WordPress hacked redirect malware would target your WordPress core files as their primary target.

Step 1: Verify your site’s WordPress edition.

Kinsta has a great article that explains how to search the WordPress edition. You can still find your WordPress edition even if you can’t reach your WordPress admin dashboard.

Step 2: Using cPanel, download your WordPress files.

You can directly download your files from cPanel. To download the files, go to cPanel and use the Backup Wizard.

This Clook article will teach you how.

Step 3: Download a fresh copy of the WordPress edition installed on your account.

Here’s where you can get the original WordPress files.

Step 4: Use a Diffchecker to see whether there are any discrepancies.

This final move will not make you happy. You’ll need to manually upload both versions of each file to https://www.diffchecker.com/ and perform a diffcheck.

Yes, it will take a long time and is a pain to complete. To be frank, deleting the discrepancies is a poor idea if you’re not 100 percent sure of what you’re seeing. It has the potential to wreak havoc on your website.

Part 2: Keep an eye out for backdoors

Backdoors are just what they sound like: entry points for hackers to gain unauthorised access to your website.

Look for malicious PHP functions on your website, such as:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

Multiple backdoors can be left by the WP hacked redirect malware. It’s a real pain to manually locate them all. Again, we strongly advise you to instal MalCare right away.

Part 3: Remove Any Unknown Admin Accounts

Of course, this assumes that you have access to your WordPress dashboard, but if you do, follow these steps:

  • Head over to Users
  • Scan for any suspicious admins and delete them
  • Reset the passwords for all admin accounts
  • Go to Settings >> General
  • Disable Membership Option for ‘Anyone can register’
  • Set Default Membership Role to ‘Subscriber’

You can also change your WordPress Salts and Security Keys for good measure.

Because of these fake admin accounts, hacked redirect issues in your WordPress site will persist even after a cleanup.

Part 4: Scan Plugin Files

The plugins can be tested in the same way that the WordPress core files were. To get the original plugins, go to WordPress.org and download them. Then, for all plugin files, run the diffchecker again to find the WordPress hacked redirect malware.

Yes, this is inconvenient. But, even more importantly, this is a very restricted option. It’s possible that the vulnerability will not be addressed by a plugin update.

That’s not cool.

Part 5: Scan and Clean Your Database

This is most likely the most difficult aspect of removing WordPress hacked redirect malware from your site.

But it’s coming to an end.

Scanning for backdoors is close to scanning the database.

For example, look for the following keywords:

  • <script>
  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

However, if you successfully cleaned your site manually, send us a call. At the very least, we’d like to recruit you!

And believe us when we say it’s not just you if you give up halfway through the manual WordPress hacked redirect cleanup. One of the most difficult hacks to address is the WordPress hacked redirect problem.

Simply run MalCare for 60 seconds to clean up your site and get back to your life.

The remainder of this article discusses how you were hacked in the first place, as well as the various types of WordPress hacked redirect issues.

Please feel free to read through it all to get a deeper understanding of this malware. It will be beneficial to you in the long run.

Why is the Malicious Redirects Issue so Bad?

The main explanation for the severity of malicious redirects is that site owners are rarely the first to notice an outbreak. If site owners are fortunate, visitors will give them emails asking why their websites redirect to shady-looking pages with dubious goods, or why they don’t seem to be the same as the original website.

If they’re unlucky, they’ll learn about it via social media or Google Search Console, since Google would inevitably blacklist an infected website.

In either case, no one wants to be in their place. Install a high-quality security plugin to prevent infection. It is the most effective way to safeguard the website and its users from the dangers that lurk on the Internet.

Another factor malicious redirects are so, well, malicious is that they come in such a wide variety of flavours. Here are some of the things that might happen to a website visitor:

hack-types-and-symptoms.

How to Prevent Malicious Redirects in the Future

Prevention is easier than cure, as the old adage goes. The explanation for this is that once a disease (in this case, malware) has taken root, it spreads rapidly and viciously through its host. The longer a website is corrupted, the more data is stolen, the more users are targeted, and the owner—you—ends up losing more money.

Having a stable website with a powerful firewall is the key to avoiding malicious redirects. You should take the following security precautions:

  • Install MalCare, a security plugin that includes a powerful scanner as well as a firewall. Since it incorporates prevention, screening, and washing, it is considered triple security.
  • Make sure your themes and plugins are up to date: This is the bare minimum you can do, because most themes and plugins patch security flaws in their updates, as you can see in the linked post.
  • Do not use themes or plugins that have been pirated. Get rid of them if you have them. The money saved by using them is not worth the money lost as a result of using them.
  • Make good login credentials a requirement for your users.
  • Use the least rights concept to manage WordPress permissions.
  • Since hackers attack your login page more than any other page on your website, you can protect it. Here’s a quick reference: How to Keep Your WordPress Admin Secure.

There are a few simple steps you can take to improve the security of your website. There are also steps you can take to harden your website. The majority of these are included with MalCare, so installing it now is the simplest way to protect your website.

How Your Website Can Get Infected by WordPress Redirect Malware

Your WordPress account can be hacked in a variety of ways, just like any other malware. Let’s take a look at a couple of the more common ones.

Unsecured Accounts with Privileges

Make sure you only give admin access to people you completely trust. In reality, responsible website ownership entails granting all accounts the bare minimum of privileges. Keep in mind that yours isn’t the only website that people visit. If their email addresses or login credentials are stolen from another website, you might be in big trouble.

Vulnerabilities in Themes and Plugins

Remove any plugins or themes you aren’t using right now. Examine the themes and plugins you’re using and conduct an audit on a regular basis. Examine developer pages and read updates on newly discovered flaws. Make sure they’re still up to date, as developers will release security patches for their devices.

This is another justification to use paid plugins where the code is actively maintained by the developers. We have developed a robust security plugin by constantly maintaining a threat database at MalCare because we analyse so many websites in the course of our work. Install it right now and relax.

Infections Through XSS

Cross-site scripting is the most popular way for hackers to infect the website with hacked redirect malware, since it is the most common vulnerability on the internet. This type of attack works by injecting malicious JavaScript code into your website.

Javascript may usually be added in the head> or just before the /body> tag in most plugins and themes. This is commonly used to provide tracking and analytics code for Google Analytics, Facebook, Google Search Console, Hotjar, and other similar services.

One of the most difficult places to look for redirect links on a website is in the Javascript. To make it even more difficult, hackers can translate the redirection URL into a string of ASCII characters. In other terms, the malware would change the term “pharma” to “112 104 097 114 109 097,” rendering it unreadable to humans.

The following are some of the most common plugins with known XSS flaws:

  • WP GDPR
  • WP Easy SMTP
  • WordPress Live Chat Support
  • Elementor Pro

The list runs in the thousands though, because XSS vulnerabilities can take many forms.

Malicious Code In .htaccess Or wp-config.php Files

Two of the most popular targets for hackers are the.htaccess and wp-config.php files.

Pharma Hacks are known for inserting malicious code into these files.

Pro tip: If you’re looking for malicious code in one of these files, scroll to the right as far as you can. It’s possible that the malicious code is hidden to the far right, where you wouldn’t expect to find it!

For the best performance, double-check all of the WordPress core files, including functions.php, header.php, footer.php, wp-load.php, and wp-settings.php.

Ghost WordPress Admins

Once a hacker has compromised your website with a fake favicon or other malicious PHP, they can build Ghost Admins to gain access to it whenever they want.

They will keep infecting your website with WordPress hacked redirect malware as many times as they like this way.

Oh, no.

Third-party services

It’s likely that malicious code will be shown to your guests if you use advertisements or other third-party services on your website. Some ad publishers are sloppy with the advertisements they serve, or malicious content could have slipped through the cracks. In this case, the website will be harmed.

It’s crucial to vet the publisher network and search your websites for redirect ads from an incognito browser on a regular basis. It’s also a good idea to refresh a few times because advertisements are often cycled through online properties.
It’s critical to keep your website infection-free, and staying vigilant is key. Be sure to scan your website on a regular basis before someone else finds a redirect hack.

So, what do you do now?

Take precautions.

Stop using plugins that have documented flaws before they release an upgrade. Nulled themes and plugins should be avoided. Stop using old WordPress templates, plugins, and archives.

Install a malware prevention plugin for WordPress, such as MalCare, to keep your site safe from future attacks.

WordPress hardening may be used as an additional protection measure.

The presence of WordPress redirect malware on your website may indicate the presence of popular hacking techniques such as Japanese keyword hacking, SQL injection attacks, phishing attacks, and SEO spam. If you’re interested, you can take a look at them.

That’s all there is to it for now.

We hope you were effective in cleaning up your website.

We’ll talk soon!