WordPress is an incredibly powerful and widely-used content management system, powering over 40% of websites on the internet today. However, its popularity also makes it a frequent target for hackers. One of the most common issues website owners encounter is a redirect hack—where visitors to your site are silently redirected to spammy or malicious websites. These redirections harm your brand’s credibility, affect SEO rankings, and eventually may lead to your website being blacklisted.
This step-by-step tutorial offers a comprehensive walkthrough to help users clean up these WordPress redirect hacks and implement best practices to prevent future attacks.
Step 1: Identify the Signs of a Redirect Hack
The first step in resolving the issue is recognizing signs that your WordPress website might have been compromised. These can include:
- Website redirecting to unknown or suspicious domains
- Google Chrome or other browsers marking your site as “not secure” or displaying a warning
- Drastic drop in SEO rankings or traffic
- Presence of unfamiliar users or plugins in the WordPress admin
To confirm a redirect hack, use tools like Sucuri SiteCheck or VirusTotal to scan your site for malware and unapproved redirects.
Step 2: Back Up Your Website Immediately
Before making any changes, it is crucial to take a complete backup of your WordPress site, including both files and database. This ensures you can recover your content if anything goes wrong during the cleanup process.
You can use backup plugins such as:
- UpdraftPlus
- BackupBuddy
- BlogVault
Step 3: Enable Maintenance Mode
To minimize the impact on users and signal that you’re making important updates, enable maintenance mode using plugins like WP Maintenance Mode. This helps prevent site visitors from experiencing redirects while you work on resolving them.
Step 4: Update Everything
Hackers often exploit outdated themes, plugins, and WordPress core files. Go to your WordPress dashboard and update the following:
- WordPress core
- All plugins
- Installed themes
If any themes or plugins are not being maintained by developers, it’s best to replace them with actively supported alternatives.
Step 5: Scan and Remove Malware
This is a crucial step in removing the redirect hack. Use trusted security plugins to scan your site:
- Wordfence Security
- Malcare
- Sucuri Security
These plugins will help you detect infections, including:
- Modified core files
- Obfuscated JavaScript injections
- Unauthorized admin users
- Fake plugins or themes
Step 6: Check .htaccess File
The .htaccess file is often a target because it controls how your server responds to requests. Navigate to the root directory via File Manager or FTP and inspect this file.
Look for suspicious redirect rules such as:
Redirect 301 / http://suspiciousdomain.com
If you’re unsure about the legitimacy of any entries, you can temporarily replace the file’s contents with the default WordPress .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
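The check described in this step can be scripted. The following is an added example, not part of the original tutorial: it flags redirect directives that point outside your own hostnames and reports when the WordPress block differs from the default shown above. It goes slightly beyond the single `Redirect 301` case by also covering `RedirectMatch` and `RewriteRule`. The function name, `example.com` and the sample input are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# Default block as shown in Step 6 (other WordPress versions may differ).
DEFAULT_BLOCK = [
    "<IfModule mod_rewrite.c>", "RewriteEngine On", "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]", "</IfModule>",
]
# mod_alias / mod_rewrite directives that can send a visitor elsewhere.
REDIRECT_RE = re.compile(r"^(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+(.*)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.I)

def audit_htaccess(text, own_hosts):
    """Return sorted (line_no, reason) findings that need manual review."""
    own = {h.lower() for h in own_hosts}
    findings, block, in_block, start = [], [], False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "# BEGIN WordPress":
            in_block, block, start = True, [], no
            continue
        if line == "# END WordPress":
            in_block = False
            if block != DEFAULT_BLOCK:
                findings.append((start, "WordPress block differs from default"))
            continue
        if not line or line.startswith("#"):
            continue
        if in_block:
            block.append(line)
        m = REDIRECT_RE.match(line)
        for url in URL_RE.findall(m.group(2) if m else ""):
            host = (urlparse(url).hostname or "").lower()
            if host not in own:
                findings.append((no, f"external redirect to {host}"))
    return sorted(findings)

# Constructed sample: the rule from Step 6, a same-site redirect, the default block.
SAMPLE = "\n".join(["Redirect 301 / http://suspiciousdomain.com",
                    "RewriteRule ^old-page$ https://example.com/new-page [R=301,L]",
                    "# BEGIN WordPress", *DEFAULT_BLOCK, "# END WordPress"])

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE, {"example.com"}))
```

A "differs from default" finding is only a prompt to read the block; plugins and hosting setups add legitimate rules there.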
Step 7: Examine Themes, Plugins, and Uploads for Malicious Code
Hackers often hide malicious scripts inside theme and plugin files or even within images in the uploads folder.
- Check for files with suspicious names like function.php.bak, tmp.php, or plugin-update.php
- Look for calls to base64 functions or eval() in PHP files
If you identify a plugin or theme as infected and it’s not essential, delete it altogether and reinstall a clean version from an official source.
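The file checks in this step can be run over a local copy of the site. The following is an added example, not part of the original tutorial: it reports the file names listed above, PHP code found anywhere under an uploads folder (including inside files with image extensions), and PHP files that call `eval`, the base64 functions or `gzinflate`. The function name and the assumption that the scan starts at the WordPress root are illustrative.

```python
import os
import re
import sys

SUSPICIOUS_NAMES = {"function.php.bak", "tmp.php", "plugin-update.php"}  # from Step 7
CALL_RE = re.compile(rb"\b(eval|base64_decode|base64_encode|gzinflate)\s*\(")
PHP_TAG = b"<?php"

def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) pairs for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in SUSPICIOUS_NAMES:
                findings.append((rel, "suspicious file name"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # cap the read for large media files
            except OSError:
                continue
            ext = os.path.splitext(name)[1].lower()
            has_php = ext.startswith(".php") or PHP_TAG in data
            if not has_php:
                continue
            # Media uploads should never contain executable PHP.
            if "/uploads/" in "/" + rel:
                findings.append((rel, "PHP code in uploads"))
            for call in set(CALL_RE.findall(data)):
                findings.append((rel, f"calls {call.decode()}()"))
    return sorted(findings)

if __name__ == "__main__":
    for rel, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Legitimate plugins also call these functions, so treat each hit as a file to compare against a clean copy from the official source, not as proof of infection.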
Step 8: Reset Passwords and Check User Roles
Change your site’s login credentials including:
- Admin user passwords
- FTP/SFTP credentials
- Database access passwords
- Hosting account login
Also, go to Users in your WordPress dashboard and delete any unknown or suspicious accounts.
Step 9: Clean the Database
Redirect malware often injects malicious links or scripts into your WordPress database. Use phpMyAdmin to search for suspicious entries in tables like wp_options, wp_posts, and wp_users.
Search for keywords like:
- iframe
- base64_encode
- eval
- gzinflate
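An offline alternative to the phpMyAdmin search, shown as an added example that is not part of the original tutorial: it scans a plain-text SQL dump (for instance one taken from the Step 2 backup) and counts keyword hits per table. It assumes a mysqldump-style file with one `INSERT INTO` statement per line; the function name and the sample rows are constructed for the illustration.

```python
import re
import sys
from collections import Counter

KEYWORDS = ("iframe", "base64_encode", "eval", "gzinflate")  # from Step 9
INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.I)
# Whole-word match, so ordinary words such as "retrieval" do not count as "eval".
KEYWORD_RE = re.compile(r"\b(%s)\b" % "|".join(KEYWORDS), re.I)

def scan_dump(lines):
    """Count keyword hits per (table, keyword) in a plain-text SQL dump."""
    hits = Counter()
    for line in lines:
        m = INSERT_RE.match(line)
        if not m:
            continue  # schema, comments, SET statements
        for kw in KEYWORD_RE.findall(line):
            hits[(m.group(1), kw.lower())] += 1
    return hits

# Constructed sample rows (not real site data).
SAMPLE_DUMP = [
    "INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');",
    "INSERT INTO `wp_posts` VALUES (7,'<p>Data retrieval guide</p>');",
    "INSERT INTO `wp_posts` VALUES (8,'<iframe src=\"https://example.com/v\"></iframe>');",
    "INSERT INTO `wp_options` VALUES (99,'widget_text','<script>eval(x)</script>','yes');",
]

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_DUMP
    for (table, kw), n in sorted(scan_dump(source).items()):
        print(f"{table}: {kw} x{n}")
```

Posts often contain legitimate iframe embeds, so use the per-table counts to decide which rows to open and read in phpMyAdmin.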
Step 10: Submit Site for Google Review (If Blacklisted)
If your website was flagged by Google or browsers for malware or phishing, it is advised to request a review once you have confirmed that your website is clean.
You can request a review using Google Search Console.
Step 11: Strengthen Future Security
After you’ve cleaned up the site, the final step is prevention. Here’s how to boost your WordPress security going forward:
- Use a Security Plugin: Wordfence, iThemes Security, or Sucuri Firewall
- Enable Two-Factor Authentication: Add an extra layer of login protection
- Limit Login Attempts: Prevent brute-force attacks
- Change Login URL: Use plugins like WPS Hide Login
- Perform Regular Backups: Automate using a plugin
Conclusion
Recovering from a WordPress redirect hack may seem daunting, but with a methodical approach, it’s entirely manageable. By diligently cleaning files, scanning for malware, and plugging security gaps, you not only regain control over your website but also prevent future attacks. The key takeaway lies in being proactive—maintain regular updates, monitor your site constantly, and treat security as an ongoing process rather than a one-time fix.
Frequently Asked Questions (FAQ)
Q1: What causes WordPress redirect hacks?
A redirect hack is typically caused by vulnerabilities in outdated plugins or themes, compromised login credentials, or poor server security.
Q2: Will restoring from backup help remove the redirect?
Yes, but only if the backup was made before the infection occurred. Otherwise, you might restore the malware along with your files.
Q3: How do I know if my site is still infected?
You can use tools like Sucuri SiteCheck, Wordfence, or Google Search Console to regularly scan and verify the state of your website.
Q4: Can I fix a redirect hack without technical knowledge?
While basic steps can be handled using plugins, deeply infected sites may require expert help from professional malware removal services.