
How To Detect And Remove WordPress Redirects Added By Hackers

Approximately 30% of Internet websites are running on WordPress, making it the world’s most popular content management system. Unfortunately, the incredible level of popularity enjoyed by WordPress has a significant downside — it makes the platform very attractive to hackers.

One common attack vector used against WordPress websites involves compromising files to cause the website to automatically redirect users to another location. This kind of attack is called a Malicious Redirection. There are multiple ways to perpetrate malicious redirects in WordPress, including using a plugin, theme or server-side intrusion. This article will explain how this kind of attack works and will offer some tips for addressing it.

How does a malicious redirection work?

A hacker will employ a malicious redirection to redirect the visitors to your website to another location. Once they have been redirected, your visitors may be exposed to malware, advertising spam, or phishing attacks.

To perform a malicious redirection attack, the hacker must alter some of your WordPress website files. To be able to do so, they usually rely on the following techniques:

  • Gaining access to your server, then updating or creating a file with a malicious redirect.
  • Getting you to install a rogue plugin that adds malicious code.
  • Getting you to install a rogue theme that adds malicious code.
  • Using exploits in JavaScript files, plugins, themes, and WordPress itself to add malicious redirects.

What kinds of techniques are used to add malicious redirects?

There have been many types of malicious redirect techniques used on WordPress websites. The most common include:

1) Modifying the .htaccess file

Every WordPress website has a .htaccess file located in the folder where WordPress was installed. WordPress uses this file to change how the web server deals with files. It is also used to create the pretty permalinks used by WordPress. Hackers who gain access to your server can alter this file to add a malicious redirect. The redirect would then send all visitors to another website.

Hackers might also add additional .htaccess files containing a malicious redirect in other locations like /wp-content or /wp-includes.
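The check described above can be automated. The following is an added example, not code from the original article: it walks an install, reports additional .htaccess files under wp-content and wp-includes, and flags redirect directives that point at a host other than your own. The function names, the demo tree and the example.* hosts are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Apache directives that can send a visitor to another URL.
DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|RedirectMatch|RedirectPermanent|RedirectTemp|Redirect|ErrorDocument)\b(.*)$",
    re.I)
HOST = re.compile(r"https?://([^\s/\"':?#]+)", re.I)


def audit_htaccess(root, own_hosts):
    """Return sorted (relative path, line number, reason) findings under root."""
    findings = []
    own = {h.lower() for h in own_hosts}
    for path in Path(root).rglob(".htaccess"):
        rel = path.relative_to(root).as_posix()
        # The article notes extra .htaccess files planted in these directories.
        if rel.split("/")[0] in ("wp-content", "wp-includes"):
            findings.append((rel, 0, "additional .htaccess file, review it"))
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            m = DIRECTIVE.match(line)
            if not m:
                continue
            for host in HOST.findall(m.group(2)):
                # %{HTTP_HOST}-style variables refer to the site itself.
                if not host.startswith("%") and host.lower() not in own:
                    findings.append((rel, no, f"{m.group(1)} to external host {host.lower()}"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample: stock WordPress rules plus two injected redirects."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-content").mkdir()
    (root / ".htaccess").write_text(
        "# BEGIN WordPress\nRewriteEngine On\n"
        "RewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n"
        "# END WordPress\n"
        "RewriteRule ^(.*)$ http://redirect.example.net/in [R=302,L]\n")
    (root / "wp-content" / ".htaccess").write_text(
        "Redirect 301 / https://ads.example.org/\n")
    return root


if __name__ == "__main__":
    for finding in audit_htaccess(build_demo_tree(), {"www.example.com"}):
        print(finding)
```

Some legitimate plugins also place .htaccess files under wp-content, so a line number of 0 means "open and read this file", not "infected".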

2) Modifying WordPress’s PHP files

Malicious redirects are often found in PHP files within WordPress including index.php, header.php, footer.php, and functions.php. Hackers target these files because they are executed often by WordPress. Hackers might also modify the header.php file of your WordPress installation by using an encoded string and PHP’s eval() function.

3) Installing a plugin or theme that changes other files

Another common pathway for a malicious redirect to infect a site is by getting the website owner to unwittingly install a fraudulent plugin or theme. WordPress highlighted one instance of this occurring via a plugin called ilovedc. Upon installation, this plugin would use the WordPress function insert_with_markers() to modify the site’s .htaccess file. The fix for this type of attack was to delete the plugin and restore your website’s old .htaccess.

4) Infecting JavaScript files with malicious code

Another malicious redirect attack was identified in 2017. This attack injects malicious JavaScript code into every .js file it can find on your website.

The malicious code can be recognised by the long hex-encoded strings it places in files. These sections of code look something like:

[Image: example of the injected hex-encoded code]

This code loads additional JavaScript files from a remote server. The newly loaded script then performs the malicious redirect.

It appeared that this particular attack typically begins with a brute-force attack on WordPress xmlrpc.php or login.php files. The hacker will attack the site until they gain access to the WordPress administration section.

Once the hackers are in the administration section, they will open the theme editor and change the 404.php file of the current theme. They may also attempt to upload infected plugins and themes. Hackers would even add backdoors in other files to give themselves access to the website at a later date.

Multiple copies of the JavaScript injector scripts would be added to files like index.php, db.php, cache.php and 404.php. These injector scripts would continue to search for new .js files to infect with the malicious redirect.

Weak passwords and cross-site contamination were primarily responsible for this kind of attack because they made brute force attacks simple to perform.

Removing WordPress redirects added by hackers

Fortunately, removing WordPress redirects is usually a simple process.

1) Change your passwords and check registered users

If a hacker has managed to gain access to your administration section, you will need to change the passwords for all WordPress users. You will also have to ensure that no additional users have been added by the hacker. To be on the safe side, you should also generate new WordPress salt keys and passwords for FTP accounts, databases, and hosting accounts.

2) Remove any unexpected plugins and themes from the website

The presence of unexpected themes or plugins may indicate that your site has been compromised. Delete all of these files.

3) Scan your website with an appropriate tool

There are many third party tools which will scan your website to identify malware and compromised files. ThreatPress offers cleaning services and software to make the cleaning process easier.

4) Use a WordPress plugin to scan your files

There are a variety of plugins that will scan your WordPress system files to ensure they are correct. These scanners will identify any malicious code that has been added to files like index.php, db.php, header.php, and footer.php. Security and Monitoring plugin for WordPress can scan and identify altered or infected WordPress core files.

5) Manually inspect vulnerable files

If the problem persists, you can manually inspect the files that often contain this kind of attack. This includes your .htaccess files, index.php files, and db.php. This attack also appears in your theme’s header.php and footer.php files. Look for long encoded strings and JavaScript calls to remote websites.

6) Reinstall your WordPress files, plugins, and themes

If the problem still persists, revert to an older backup of your website. If you do not have a backup of your website available, perform a complete reinstall of all WordPress files, plugins, and themes.

7) Resubmit your website to Google

If Google has discovered malicious redirects on your website, they may apply a penalty. This penalty could range from a warning message that appears next to your website in the search engine results through to a complete blacklisting of your website. Once you have repaired your website, go to Google’s Search Engine Console and use the Remove URLs feature to eliminate any references that Google has to the infected pages. You will then have to go to Search Traffic > Manual Actions and Request a Review of your website.
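For the manual inspection in step 5, and for the encoded eval() strings in PHP files and the hex-encoded strings in .js files described earlier, the search can be scripted. This is an added example, not code from the original article: it flags those signs and decodes each hex run so you can see which remote host it hides. The function names, length thresholds and constructed sample files are assumptions.

```python
import base64
import re
import tempfile
from pathlib import Path

PHP_EVAL = re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_ENCODED = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")  # length threshold is an assumption
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}")  # run length is an assumption
URL = re.compile(r"https?://[\w.-]+")


def scan_file(path):
    """Return the reasons a .php/.js file needs manual review (empty list if none)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    reasons = []
    if str(path).endswith(".php"):
        if PHP_EVAL.search(text):
            reasons.append("eval() of decoded data")
        if LONG_ENCODED.search(text):
            reasons.append("long encoded string")
    for run in HEX_ESCAPES.findall(text):
        # Decode the \xNN run so the reviewer can see what it hides.
        decoded = bytes.fromhex(run.replace("\\x", "")).decode("latin-1")
        urls = URL.findall(decoded)
        reasons.append("hex-encoded string" + (f" hiding {urls[0]}" if urls else ""))
    return reasons


def scan_tree(root):
    """Map relative path -> reasons for every flagged file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".php", ".js") and (reasons := scan_file(path)):
            report[path.relative_to(root).as_posix()] = reasons
    return report


def build_demo_site():
    """Write constructed, harmless sample files that trip each heuristic."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    blob = base64.b64encode(b"// constructed placeholder payload\n" * 6).decode()
    hexed = "".join(f"\\x{b:02x}" for b in b"http://cdn.example.net/x.js")
    samples = {"index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
               "wp-content/themes/demo/header.php": f'<?php eval(base64_decode("{blob}")); ?>\n',
               "wp-includes/js/demo.js": f'var a = "{hexed}";\n'}
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

A hit is a prompt to open the file, not proof of infection: minified libraries and embedded images can also contain long encoded runs.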

Ensuring this kind of attack does not happen again

It’s important to take steps to ensure this attack does not happen again in the future. The following steps will substantially reduce the risk of another attack.

1) Improve your passwords

Make your passwords more complex so hackers are less likely to successfully use a brute force attack on your website. Your passwords should also be regularly changed.

2) Install WordPress security software

We offer a WordPress security plugin that will help you to strengthen your WordPress. This plugin will scan your WordPress core files and inform you of any unexpected changes. It also has Brute Force Protection and a variety of other security tools to keep your website safe.

3) Install a WordPress theme checking plugin

You can also install Theme Check, which tests your themes to ensure they are up to the latest theme review standards. This plugin can uncover malicious code in your theme’s JavaScript, header.php, index.php, and footer.php files.

4) Never install plugins or themes from untrusted sources

As much as possible, obtain your plugins from the official WordPress site. Don’t install plugins or themes unless you really need the functionality they provide. If you are not using a plugin or theme, delete it from your website.

5) Keep all themes and plugins updated

WordPress themes and plugins do sometimes contain vulnerabilities that can be exploited by hackers. Keep them updated to minimise the risk of a vulnerability being present.

6) Ensure your WordPress installation is regularly backed up

It’s essential to back up your website regularly so you can quickly recover from these kinds of attacks. Use a web host that offers free backups. You should store your backups in at least three separate locations.

7) Change to a web host that has better WordPress security

Some web hosts specialise in WordPress hosting and have automated tools that scan your WordPress installation for you. These tools can identify malicious redirect attacks and remove them before they do any damage.

For more articles on WordPress security, please subscribe to the site or follow us on social media.

Darius S.
