If your WordPress site has been hacked and is redirecting visitors to malicious or unwanted websites, it’s important to act quickly to minimize damage to your reputation and prevent further issues. This guide will walk you through identifying, cleaning, and securing your WordPress website to restore it to normal.
Step 1: Back Up Your Website
Before making any changes, back up your website files and database. This step is crucial in case something goes wrong during the cleanup process. You can use tools like cPanel, phpMyAdmin, or WordPress backup plugins such as UpdraftPlus or All-in-One WP Migration. Ensure you store the backup files securely on your local system or in cloud storage. Keep in mind that this backup still contains the infection: it is a safety net and a record for later analysis, not something to restore from once the site is clean.
Backing up your site includes:
• Database Backup: This contains all your posts, pages, user information, and settings.
• File Backup: This includes your WordPress core files, themes, plugins, and media uploads.
Step 2: Scan for Malware and Suspicious Activity
To identify the source of the redirect, you need to scan your website for malware.
Use Security Plugins
Install a reputable WordPress security plugin to perform a full malware scan. Popular options include:
• Wordfence Security: It can identify malicious files, unauthorized changes, and suspicious patterns.
• Sucuri Security: Provides a complete security suite and reports vulnerabilities.
• iThemes Security: Helps to identify potential threats and secure your site.
Manual File Inspection
If you prefer a manual approach, you can examine your files and database. Start by checking the directories most likely to contain malicious code:
• /wp-includes/
• /wp-admin/
• /wp-content/themes/
• /wp-content/plugins/
Use terminal commands to locate suspicious code or recently modified files:
find /path/to/wordpress -type f -mtime -30
This command lists files modified in the last 30 days. Attackers can reset modification times, so an old timestamp does not prove a file is clean; treat the list as a starting point rather than a complete inventory.
Search for functions commonly used to hide malicious code, such as base64_decode, eval, or gzinflate. These also appear in legitimate plugins and themes (and a plain search for eval matches words such as "retrieval"), so review each hit before treating it as malware:
grep -r --include=*.php "base64_decode" /path/to/wordpress
grep -r --include=*.php "eval" /path/to/wordpress
grep -r --include=*.php "gzinflate" /path/to/wordpress
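As an added example (not part of the original guide), the POSIX shell script below combines the find and grep steps above into a single scan and anchors the patterns so that substrings such as "retrieval" are not reported. The directory layout and sample files it creates are constructed for the demonstration; the 30-day window is the guide's.

```shell
#!/bin/sh
# Added example: one-pass scan of recently changed PHP files for the
# obfuscation primitives the guide searches for. Fixture paths are constructed.

# Suspect calls must be followed by "(" and must not be part of a longer word,
# so "$retrieval_count" is not reported while "eval(" is.
SUSPECT_RE='(^|[^A-Za-z0-9_])(eval|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('

# scan_wp_suspects <wordpress_root> [days]
# Prints file:line:text for each hit in PHP files changed in the last <days>
# days (default 30). Attackers can reset mtimes, so pass a large value such as
# 36500 to scan every PHP file regardless of age.
scan_wp_suspects() {
    root="$1"
    days="${2:-30}"
    find "$root" -type f -name '*.php' -mtime "-$days" -print0 2>/dev/null \
        | xargs -0 grep -nHE "$SUSPECT_RE" 2>/dev/null
    return 0
}

# make_demo_site <dir>: constructed fixture with one obfuscated file and one
# legitimate file whose variable name merely contains the substring "eval".
make_demo_site() {
    site="$1"
    mkdir -p "$site/wp-content/plugins/demo" "$site/wp-content/themes/demo"
    printf '%s\n' '<?php' \
        'eval(base64_decode("Zm9v")); // constructed sample, decodes to "foo"' \
        > "$site/wp-content/plugins/demo/injected.php"
    printf '%s\n' '<?php' '$retrieval_count = 1; // legitimate code' \
        > "$site/wp-content/themes/demo/functions.php"
}

# Stand-alone run: build the fixture, scan it, remove it.
demo_dir=$(mktemp -d)
make_demo_site "$demo_dir"
scan_wp_suspects "$demo_dir" 30
rm -rf "$demo_dir"
```

Run it against the real tree with a large day count once the recent-file pass is done, since the guide's separate grep commands cover files whose timestamps were tampered with.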
Database Inspection
Hackers often embed malicious scripts in the database to execute redirects. Inspect your WordPress database for unusual entries. The queries below assume the default wp_ table prefix; if your wp-config.php sets a different $table_prefix, adjust the table names accordingly.
1. Log in to your MySQL database:
mysql -u username -p
2. Use your database:
USE your_database_name;
3. Check for malicious content:
SELECT * FROM wp_options WHERE option_value LIKE '%<script>%';
SELECT * FROM wp_options WHERE option_value LIKE '%eval(%';
SELECT * FROM wp_posts WHERE post_content LIKE '%<script>%';
SELECT * FROM wp_posts WHERE post_content LIKE '%base64_decode%';
Step 3: Remove Malware
Clean Infected Files
• Delete unauthorized or unfamiliar files from your server.
• Replace WordPress core files by downloading a fresh copy matching your installed version from wordpress.org and uploading it to your server. Overwrite the /wp-admin/ and /wp-includes/ directories.
Replace Themes and Plugins
• Download fresh copies of your themes and plugins from official or trusted sources.
• Avoid using nulled or pirated themes and plugins, as they often contain hidden malware.
Clean the Database
Remove the malicious entries identified in the previous step. Review each matching row first: a blanket DELETE also removes any legitimate option or post that happens to contain the pattern (widget settings and theme options often hold script tags), so for rows that carry legitimate content, strip only the injected code rather than deleting the row. Example deletion queries:
DELETE FROM wp_options WHERE option_value LIKE '%<script>%';
DELETE FROM wp_options WHERE option_value LIKE '%eval(%';
DELETE FROM wp_posts WHERE post_content LIKE '%<script>%';
DELETE FROM wp_posts WHERE post_content LIKE '%base64_decode%';
Step 4: Update Everything
After cleaning your site, update WordPress core, themes, and plugins to their latest versions. Updates often include patches for known vulnerabilities. Delete unused themes and plugins, as they can be potential entry points for hackers.
Step 5: Secure Your Website
Change Passwords
Reset passwords for:
• WordPress admin accounts
• FTP or hosting accounts
• Database users
Use strong passwords and consider enabling two-factor authentication (2FA) for added security. Also regenerate the authentication keys and salts in wp-config.php so that any login sessions the attacker still holds are invalidated.
Install a Security Plugin
Set up a security plugin to protect your site from future attacks. Configure firewall rules, set up login attempt limits, and enable file integrity monitoring.
Disable File Editing
Prevent unauthorized access to your theme and plugin files by disabling file editing in your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
Harden Permissions
Ensure file permissions are set correctly (600 on wp-config.php assumes PHP runs as the file's owner; if the web server reads it through a shared group, use 640 instead):
• Directories: 755
• Files: 644
• wp-config.php: 600
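The following added example (not from the original guide) covers the two preceding subsections: it applies the permissions listed above and inserts the DISALLOW_FILE_EDIT line into wp-config.php exactly once, ahead of the "stop editing" marker that stock wp-config files carry. The fixture it builds is constructed, and the 600 mode assumes PHP runs as the file's owner.

```shell
#!/bin/sh
# Added example: apply the guide's permission scheme and disable the in-admin
# file editor idempotently. The wp-config.php fixture below is constructed.

# harden_wp_perms <wordpress_root>: 755 directories, 644 files, 600 wp-config.php
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"   # assumes PHP runs as the file's owner
}

# disable_file_edit <path/to/wp-config.php>
# Adds the define before the "stop editing" line, or at the end of the file
# when that marker is absent. Rewrites in place via cat so the file keeps its
# mode; a second run changes nothing.
disable_file_edit() {
    cfg="$1"
    grep -q "DISALLOW_FILE_EDIT" "$cfg" && return 0
    awk -v line="define('DISALLOW_FILE_EDIT', true);" '
        !done && /stop editing/ { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$cfg" > "$cfg.tmp" \
        && cat "$cfg.tmp" > "$cfg" && rm "$cfg.tmp"
}

# count_file_edit_defines <wp-config.php>: number of DISALLOW_FILE_EDIT lines
count_file_edit_defines() {
    grep -c "DISALLOW_FILE_EDIT" "$1"
}

# make_demo_config <dir>: constructed stock-style wp-config.php plus a small tree
make_demo_config() {
    site="$1"
    mkdir -p "$site/wp-content/uploads"
    printf '%s\n' '<?php' "\$table_prefix = 'wp_';" \
        "/* That's all, stop editing! Happy publishing. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$site/wp-config.php"
    : > "$site/wp-content/uploads/image.jpg"
}

# Stand-alone run: build the fixture, harden it, show the result, remove it.
demo=$(mktemp -d)
make_demo_config "$demo"
disable_file_edit "$demo/wp-config.php"
harden_wp_perms "$demo"
ls -l "$demo/wp-config.php"; grep -n "DISALLOW_FILE_EDIT" "$demo/wp-config.php"
rm -rf "$demo"
```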
Use Secure .htaccess Rules
Add rules to your .htaccess file to block unauthorized access. These directives only take effect on Apache (nginx ignores .htaccess), and the order/deny syntax below is the Apache 2.2 form: on Apache 2.4 it needs mod_access_compat, otherwise use Require all denied in its place:
# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# Disable access to .htaccess
<files .htaccess>
order allow,deny
deny from all
</files>
Step 6: Check Google Search Console
If your site has been flagged by Google for malware, log in to Google Search Console and check the “Security Issues” section. Once your site is clean, request a review to have the warning removed.
Step 7: Regular Maintenance
To keep your site secure:
• Schedule regular backups using plugins or automated scripts.
• Monitor your website for unusual activity using your security plugin.
• Keep all software updated.
Fixing a hacked WordPress site that redirects involves careful scanning, cleaning, and securing. By following these steps and implementing preventive measures, you can restore your site and reduce the risk of future attacks. If the problem persists or feels overwhelming, consider consulting a professional security expert for assistance.