Understanding malicious redirects
Malicious redirects are one of the most common and visible symptoms of hacking. According to Sucuri's Q2 2024 report, redirects account for 32% of all malware infections detected on WordPress. These attacks are particularly frustrating because they directly affect your visitors' experience and can damage your site's reputation with search engines.
This type of attack is particularly dangerous because:
- It's immediately visible: Your visitors notice the problem and leave your site
- It destroys your reputation: Visitors associate your brand with malicious sites
- It affects your SEO: Google penalizes sites that redirect to dangerous content
- It spreads malware: Destination sites can infect your visitors' computers
In 2024, malicious redirects affected approximately 15 to 20% of hacked WordPress sites. Attackers inject code into your site to redirect your visitors to dangerous pages, stealing your traffic and reputation. Even worse, Google may blacklist your site if malicious redirects are detected.
Why your visitors are being redirected
Malicious redirects aren't an accident — they're the result of a deliberate compromise of your site. Here are the main causes:
1. Compromised .htaccess file
This is the most common method. The attacker adds rewrite rules to your .htaccess file so that Apache itself redirects visitors, before WordPress ever runs.
- Mechanism: Adding RewriteRule rules that intercept requests
- Target: All visitors, or only search engine visitors
- Detection: Examine your .htaccess file content
The injected code often looks like:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yoursite\.com$
RewriteRule ^(.*)$ http://malicious-site.com/$1 [L,R=301]
Note the R=301: browsers cache permanent redirects, so visitors who hit the site while the rule was active may keep being redirected after you remove it, until their browser cache expires or is cleared.
2. JavaScript injected into pages
Malicious scripts are added to your theme files or posts.
- Mechanism: Injecting <script> tags in the header or footer
- Target: All visitors or only mobile visitors
- Detection: Check your pages' source code
These scripts usually check the visitor's browser, device or referrer and redirect only some of them, typically skipping Googlebot so the cloaked page is not flagged. The same logic means you may never see the redirect when you open your own site directly from a desktop browser.
3. Compromised plugin or theme
A plugin or theme with a security vulnerability has been exploited.
- Mechanism: Malicious code embedded in the plugin/theme itself
- Target: Varies depending on the compromised plugin
- Detection: Scan your plugins with a security tool
4. Injected database
Redirects are stored directly in WordPress database options.
- Mechanism: Modifying the siteurl or home options, or adding new options; widget content, for example, lives in wp_options and is rendered on every page
- Target: Varies depending on the modified option
- Detection: Examine the wp_options table in phpMyAdmin (the prefix is not always wp_; check $table_prefix in wp-config.php)
5. Backdoor with conditional redirect
The attacker planted a backdoor that activates redirects only under specific conditions, so the site looks clean to you and to most scanners.
- Mechanism: PHP that checks the browser, IP, or referrer ($_SERVER['HTTP_USER_AGENT'], REMOTE_ADDR, HTTP_REFERER) before sending a Location header
- Target: Often only Google bots (for SEO spam), or only visitors arriving from a search engine
- Detection: Hard by inspection alone; request the site with different user agents and referrers, and search PHP files for Location headers guarded by such checks
Types of malicious redirects
Understanding the redirect type helps you find and remove the source:
Server-side redirects
| Type | Modified file | Visibility |
|---|---|---|
| .htaccess | .htaccess | Visible via FTP |
| PHP header() | Various PHP files | Hidden in code |
| Meta refresh | PHP or HTML files | In the <head> |
Client-side redirects
| Type | Mechanism | Detection |
|---|---|---|
| JavaScript redirect | window.location or location.href | In source code |
| Hidden iframe | <iframe> with display:none | In source code |
| Inline script | Script injected in content | In source code |
How to identify the source
Before you can remove redirects, you must find their source. Here's the methodology:
Step 1: Examine the source code
- Open your site in Chrome or Firefox
- Right-click → "View Page Source"
- Search for these suspicious elements:
  - <script> with unknown URLs
  - window.location or location.href pointing to another domain
  - <iframe> with display:none or width="0"
  - meta http-equiv="refresh" with an external URL
  - Obfuscated code such as eval(atob(...)) or long String.fromCharCode() sequences (eval(base64_decode(...)) is the PHP equivalent; you will find it in files on the server, not in rendered HTML)
Because injected scripts are often conditional, repeat the check as a search-engine visitor and as a phone: for example fetch the page with curl using -A (a mobile user agent) and -e (a google.com referrer), and compare the output with a plain request.
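The source-code checklist above, and the injected-JavaScript pattern from section 2, can be run mechanically over saved page HTML. The following scanner is an added example written for this article; it is not code from the original page or from any product mentioned here. It assumes you have saved the HTML (for instance with curl) and know your own hostname; the SAMPLE_HTML and the hostnames pharma-offers.example, loader.example and cdn.unknown-stats.example are constructed input, not a real infection.

```python
"""Scan saved page source for the redirect indicators in the checklist above.

Added example (not code from the original article). Assumes saved HTML and a
known site hostname; SAMPLE_HTML below is constructed input.
"""
import re
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
# hidden iframe: display:none, or a zero width/height (not 0.5, 10, ...)
HIDDEN = re.compile(r"""display\s*:\s*none|\b(?:width|height)\s*=\s*["']?0(?![0-9.])""", re.I)
# assignment to location / location.href, or location.replace()/assign()
JS_REDIRECT = re.compile(
    r"""(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.(?:replace|assign)\s*\(\s*["']([^"']+)["']""",
    re.I,
)
OBFUSCATED = re.compile(r"eval\s*\(\s*(?:atob|unescape|String\.fromCharCode)\s*\(", re.I)
REFRESH = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)
REFRESH_URL = re.compile(r"""url\s*=\s*["']?([^"'\s;>]+)""", re.I)

# Constructed sample: one clean script, then one of each indicator.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="0;url=http://pharma-offers.example/land">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.unknown-stats.example/track.js"></script>
<script>
if (!/Googlebot/i.test(navigator.userAgent)) {
  window.location.href = "http://pharma-offers.example/?ref=1";
}
</script>
<script>eval(atob("aGVsbG8="))</script>
</head><body>
<iframe src="http://loader.example/i.php" style="display:none" width="0" height="0"></iframe>
<p>Welcome to yoursite.com</p>
</body></html>
"""


def is_external(url, site_host, allowed_hosts=()):
    """True when the URL points at a host that is neither the site nor an allowed CDN."""
    host = urlparse(url.strip()).hostname
    if host is None:  # relative URL: stays on the site
        return False
    host, site_host = host.lower(), site_host.lower()
    if host == site_host or host.endswith("." + site_host):
        return False
    return host not in {h.lower() for h in allowed_hosts}


def scan_html(html, site_host, allowed_hosts=()):
    """Return (kind, target) findings, grouped by element type (scripts, iframes, meta)."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        open_tag, body = m.group(0).split(">", 1)[0], m.group(1)
        src = SRC_ATTR.search(open_tag)
        if src and is_external(src.group(1), site_host, allowed_hosts):
            findings.append(("external-script", src.group(1)))
        for r in JS_REDIRECT.finditer(body):
            target = r.group(1) or r.group(2)
            if is_external(target, site_host, allowed_hosts):
                findings.append(("js-redirect", target))
        if OBFUSCATED.search(body):
            findings.append(("obfuscated-js", "eval() over a decoded payload"))
    for m in IFRAME_TAG.finditer(html):
        src = SRC_ATTR.search(m.group(0))
        if src and HIDDEN.search(m.group(0)):
            findings.append(("hidden-iframe", src.group(1)))
    for m in META_TAG.finditer(html):
        url = REFRESH_URL.search(m.group(0))
        if REFRESH.search(m.group(0)) and url and is_external(url.group(1), site_host, allowed_hosts):
            findings.append(("meta-refresh", url.group(1)))
    return findings


if __name__ == "__main__":
    for kind, target in scan_html(SAMPLE_HTML, "yoursite.com"):
        print(f"{kind:16} {target}")
```

External scripts are reported as a list to review, not as a verdict: pass your known CDNs and analytics hosts in allowed_hosts so only unknown ones remain. Run the scan on the output of several fetches (plain, mobile user agent, search-engine referrer) because a cloaked injection may appear in only one of them.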
Step 2: Check the .htaccess file
- Connect via SFTP
- Download the .htaccess file from your site root
- Open it with a text editor
- Search for suspicious rules:
# Example of malicious rule:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://malware-site.com/redir [R=301,L]
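Reading a long .htaccess by eye is error-prone, so here is an added example (written for this article, not code from the original page) that flags the two rule shapes shown above and in section 1: rewrites or redirects to a host other than your own, and RewriteCond lines that single out search-engine referrers or bot user agents. It also flags php_value auto_prepend_file, which makes PHP include a file on every request, and lists every line that sits outside the standard # BEGIN WordPress / # END WordPress block. The only assumption is your own hostname; SAMPLE_HTACCESS and the path under wp-content/uploads are constructed.

```python
"""Flag .htaccess directives that redirect or cloak, then list everything that
sits outside the standard WordPress block.

Added example (not from the original article). The .htaccess content below is
constructed; the only assumption is that you know your own hostname.
"""
import re
from urllib.parse import urlparse

SEARCH_ENGINE_REFERRER = re.compile(r"google|bing|yahoo|yandex|duckduckgo|baidu", re.I)
BOT_USER_AGENT = re.compile(r"googlebot|bingbot|slurp|yandex|spider|crawler", re.I)
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}
PHP_INI_DIRECTIVES = {"php_value", "php_flag", "php_admin_value", "php_admin_flag"}

STANDARD_WP_BLOCK = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed: the injected rules from Step 2 appended after the standard block,
# plus a php_value line that makes PHP include a hidden file on every request.
INJECTED_TAIL = """\
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://malware-site.example/redir [R=301,L]
php_value auto_prepend_file /home/user/public_html/wp-content/uploads/.cache.php
"""
SAMPLE_HTACCESS = STANDARD_WP_BLOCK + INJECTED_TAIL


def is_external(target, site_host):
    """Absolute URL to a host other than the site (www.<site> counts as internal)."""
    host = urlparse(target).hostname
    if host is None:
        return False
    host, site_host = host.lower(), site_host.lower()
    return host != site_host and not host.endswith("." + site_host)


def directives(text):
    """Yield (line number, lower-cased directive, arguments); skips comments and <IfModule> tags."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        yield n, parts[0].lower(), parts[1:]


def analyze_htaccess(text, site_host):
    """Return (line number, what, detail) for every directive worth removing or explaining."""
    findings = []
    for n, name, args in directives(text):
        if name == "rewriterule" and len(args) >= 2 and is_external(args[1], site_host):
            findings.append((n, "RewriteRule to external host", args[1]))
        elif name == "rewritecond" and len(args) >= 2:
            var, pattern = args[0].upper(), args[1]
            if "HTTP_REFERER" in var and SEARCH_ENGINE_REFERRER.search(pattern):
                findings.append((n, "referrer cloaking", pattern))
            elif "HTTP_USER_AGENT" in var and BOT_USER_AGENT.search(pattern):
                findings.append((n, "user-agent cloaking", pattern))
        elif name in REDIRECT_DIRECTIVES and args and is_external(args[-1], site_host):
            findings.append((n, name + " to external host", args[-1]))
        elif name in PHP_INI_DIRECTIVES and args and args[0].lower() in ("auto_prepend_file", "auto_append_file"):
            findings.append((n, "PHP file included on every request", " ".join(args)))
        elif name == "errordocument" and len(args) >= 2 and is_external(args[1], site_host):
            findings.append((n, "ErrorDocument to external host", args[1]))
    return findings


def outside_wordpress_block(text):
    """Non-blank lines outside # BEGIN/# END WordPress: review every one of them."""
    out, inside = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "# BEGIN WordPress":
            inside = True
        elif line == "# END WordPress":
            inside = False
        elif line and not inside:
            out.append((n, line))
    return out


if __name__ == "__main__":
    for n, what, detail in analyze_htaccess(SAMPLE_HTACCESS, "yoursite.com"):
        print(f"line {n}: {what}: {detail}")
    print("lines outside the WordPress block:", [n for n, _ in outside_wordpress_block(SAMPLE_HTACCESS)])
```

Lines outside the WordPress block are not automatically malicious (caching plugins and hosts add their own), but each one should be explainable; anything you cannot explain goes. Remember that a server can also have .htaccess files in subdirectories such as wp-content/uploads/, so run the check on every one you find, not only the root file.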
Step 3: Scan your files
- Use Wordfence or Sucuri to scan all files on your site
- Look for recently modified files (bearing in mind that a core or plugin update also touches many files at once)
- Check the wp-content/uploads/ and wp-content/themes/ folders; uploads should never contain PHP files
- Examine plugins for suspicious code
Step 4: Check the database
- Connect to phpMyAdmin
- Examine the wp_options table for suspicious URLs
- Check the siteurl and home options
- Search for entries containing base64-encoded code
Step 5: Use online tools
- Google Safe Browsing: transparencyreport.google.com/safe-browsing/search
- VirusTotal: Multi-engine analysis of your URL
- Sucuri SiteCheck: Free online malware scanner
Steps to remove redirects
Once the source is identified, here are the cleanup steps:
Step 1: Back up your site
Before any intervention, create a complete backup of your files and database. If something goes wrong, you can restore to the current state.
Cleaning the .htaccess file
- Download a copy of the .htaccess file
- Remove all suspicious rules
- Replace the content with the standard WordPress .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
- Reupload the file to the server
- Verify your site works correctly
Cleaning PHP files
- Identify files containing redirect code
- Remove malicious lines (or restore original files from a known-clean copy)
- Check the theme's header.php, footer.php, and functions.php
- Examine plugins for code injections
Reinstall WordPress core
Go to Dashboard → Updates → Re-install Now to replace the wp-admin/ and wp-includes/ files with clean copies. This does not touch wp-content/ and does not delete extra files an attacker dropped next to the core ones, so if you have shell access also run `wp core verify-checksums`, which reports core files that differ from the official release as well as files that should not be there.
Change all passwords
Immediately change:
- Your WordPress administrator password (and that of any other account with elevated rights)
- Your database password (then update DB_PASSWORD in wp-config.php to match)
- FTP/SSH passwords
- Authentication keys and salts in wp-config.php: generate a fresh set at https://api.wordpress.org/secret-key/1.1/salt/; this invalidates every existing login cookie, including any the attacker still holds
Database cleanup
If redirects are stored in the database, here's how to clean them:
WordPress options to check
- Connect to phpMyAdmin
- Select your WordPress database
- Open the wp_options table (substitute your own prefix if it is not wp_)
- Check these critical options:
| Option | Expected value |
|---|---|
| siteurl | Your domain URL (e.g., https://yoursite.com) |
| home | Your domain URL (same as siteurl unless WordPress is installed in a subdirectory) |
| template | Name of your active theme |
| stylesheet | Name of your active theme |
Searching for injected code in posts
- Run this SQL query in phpMyAdmin (replace wp_ with your table prefix if it differs):
SELECT * FROM wp_posts WHERE post_content LIKE '%eval(%' OR post_content LIKE '%base64_decode(%' OR post_content LIKE '%http-equiv%refresh%';
This query searches for posts containing potentially malicious code. You can also use a plugin like Advanced Database Cleaner for more thorough cleanup.
Cleaning malicious options
- Delete options you didn't create
- Replace suspicious URLs with your legitimate URLs
- Delete entries containing base64-encoded code
- Check widgets and menus for injected content
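The database checks from Step 4 and from this section (siteurl/home, option values carrying scripts, the post query above, and widget content, which WordPress stores in wp_options) are shown together below as an added example written for this article, not code from the original page. It runs the predicates against an in-memory SQLite copy of wp_options and wp_posts with made-up rows so it works offline; the same LIKE predicates work unchanged in phpMyAdmin against MySQL. It assumes you know your table prefix ($table_prefix in wp-config.php) and your real site URL; the option widget_custom_html is stored simplified here (real widget options are PHP-serialized arrays, which LIKE searches through just as well).

```python
"""Run the wp_options and wp_posts checks from the article against a constructed
copy of the two tables.

Added example (not from the original article). In-memory SQLite with made-up
rows; the SQL predicates are plain enough to paste into phpMyAdmin.
"""
import re
import sqlite3

# Fragments that have no business in option values or post content.
# Review hits by hand: a legitimate video embed also contains <iframe.
SUSPICIOUS_FRAGMENTS = (
    "eval(", "base64_decode(", "http-equiv", "<script", "<iframe", "window.location", "location.href",
)


def _table(prefix, name):
    # The prefix is interpolated into SQL, so refuse anything that is not a plain identifier.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("table prefix must be a plain identifier")
    return prefix + name


def _like_clause(column):
    where = " OR ".join(f"{column} LIKE ?" for _ in SUSPICIOUS_FRAGMENTS)
    params = [f"%{frag}%" for frag in SUSPICIOUS_FRAGMENTS]
    return where, params


def check_options(conn, prefix, expected_url):
    """siteurl/home must equal the real URL; no option (widgets included) may carry script fragments."""
    table = _table(prefix, "options")
    findings = []
    for name in ("siteurl", "home"):
        row = conn.execute(f"SELECT option_value FROM {table} WHERE option_name = ?", (name,)).fetchone()
        value = row[0] if row else None
        if value is None or value.rstrip("/") != expected_url.rstrip("/"):
            findings.append((name, value))
    where, params = _like_clause("option_value")
    for name, value in conn.execute(f"SELECT option_name, option_value FROM {table} WHERE {where}", params):
        findings.append((name, value))
    return findings


def check_posts(conn, prefix):
    """(ID, title, type) of posts, pages and menu items whose content carries a suspicious fragment."""
    table = _table(prefix, "posts")
    where, params = _like_clause("post_content")
    return conn.execute(
        f"SELECT ID, post_title, post_type FROM {table} WHERE {where} ORDER BY ID", params
    ).fetchall()


def build_sample_db(prefix="wp_"):
    """Constructed database: tampered siteurl, a widget carrying a script, two injected pages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {prefix}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT, autoload TEXT);
        CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_type TEXT);
    """)
    conn.executemany(f"INSERT INTO {prefix}options (option_name, option_value, autoload) VALUES (?, ?, ?)", [
        ("siteurl", "http://pharma-offers.example", "yes"),
        ("home", "https://yoursite.com", "yes"),
        ("blogname", "Your Site", "yes"),
        ("template", "twentytwentyfour", "yes"),
        ("stylesheet", "twentytwentyfour", "yes"),
        ("widget_custom_html", '<script src="//cdn.unknown-stats.example/t.js"></script>', "yes"),
    ])
    conn.executemany(f"INSERT INTO {prefix}posts (ID, post_title, post_content, post_type) VALUES (?, ?, ?, ?)", [
        (1, "Hello world!", "<p>Welcome to WordPress.</p>", "post"),
        (2, "About", '<p>About us.</p><script>window.location.href="http://pharma-offers.example/";</script>', "page"),
        (3, "Contact", '<meta http-equiv="refresh" content="0;url=http://pharma-offers.example/">', "page"),
        (4, "Blog", "", "nav_menu_item"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    print("options:", check_options(conn, "wp_", "https://yoursite.com"))
    print("posts:", check_posts(conn, "wp_"))
```

Against a live site, connect with the credentials from wp-config.php and run the same two functions; they only read, so they are safe to run before you take the backup-then-edit steps above. Menu items are rows of type nav_menu_item in wp_posts, so the post check covers them too, while their link targets live in wp_postmeta and deserve a separate look for external URLs.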
Preventing future infections
After cleanup, you must secure your site to prevent the problem from recurring:
Immediate security
- Change all passwords: WordPress, FTP, database, hosting
- Update everything: WordPress, all themes, and all plugins
- Remove unused plugins/themes: Fewer components = fewer vulnerabilities
- Install a firewall: WAF to block future attacks
Long-term security
- Regular scanning: Perform weekly security scans
- Automatic backups: Daily backups stored off-server
- Monitoring: 24/7 file modification surveillance
- 2FA: Two-factor authentication for all administrators
- Automatic updates: Enable automatic minor updates
- File permissions: Set proper permissions (644 for files, 755 for directories, and a stricter 600 or 640 for wp-config.php)
Protect the .htaccess file
- Add these lines to your .htaccess to protect it:
<Files .htaccess>
order allow,deny
deny from all
</Files>
- Enable file change notifications on your server
- Regularly check your .htaccess content
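The Order/Deny lines above are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded. The 2.4 form of the same rule, as an added example rather than text from the original article, is:

```apache
# Apache 2.4 syntax for the same protection (the Order/Deny form above is 2.2 syntax).
<Files ".htaccess">
    Require all denied
</Files>
```

Two caveats: the stock httpd.conf already ships an equivalent `<Files ".ht*">` block, so on most hosts this is belt-and-braces; and it only stops the file being read over HTTP. An attacker who writes to the file through a vulnerable plugin or a stolen FTP account is not affected, which is why the file change notifications mentioned above matter more than this rule.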
When to call a professional
Some scenarios require professional expertise:
Call an expert if:
- Redirects return after cleanup
- You can't find the compromise source
- Your site is on Google's blacklist
- Backdoors persist despite your cleanup efforts
- You're not comfortable with file or database manipulation
Why an expert is necessary:
- Hidden backdoors: Attackers usually plant several, in different places, so the redirect returns after each partial cleanup
- Multiple infections: Your site may have multiple simultaneous compromise points
- Root cause: Without understanding how the intrusion occurred, the problem will recur
- Advanced tools: Professionals have scanners and tools that individuals don't
- Detailed report: An expert provides a complete report of actions taken
Redirects persist on your site?
Our specialized team identifies and removes all sources of malicious redirects, including hidden backdoors.
Protect your site from malicious redirects
WpDefender monitors your site 24/7 to detect and block redirect attempts before they reach your visitors.