DEV Community


Posted on

WordPress - Hacked site redirections

The problem

I have encountered a project where the WP (WordPress) website was redirecting to some "ad" websites.

Identifying the problem

By debugging, from Google Chrome Sources panel with pause script execution, we identify the redirection occurring from a third party script injected in .php files inside the project.

Root cause

A plugin update Related Posts Plugin.

The WP admin updated the plugin after an update notice without knowing the plugin actually became a "malware" that highjacked websites.

Of course, the source code is not available from the plugin website so it is hard to check the integrity of code beforehand. And after checking the WP page of the plugin the status is This plugin was closed on March 30, 2019 and is no longer available for download., but the plugin owner has pushed an update on April 10, 2019 at around 7PM (Paris time) (Covering up the tracks?).

Fixing the problem

1) Plugin removal

Plugin removal might fix the problem only if it didn't affect external files to the plugin.

2) Cleaning by hand (unsafe)

In my case, the "malware" succeed to change files at ${ROOT}/wp-includes/. So I had to clean all the javascript injections "by hand".

3) Backup

If you have a backup of the database before the infection, I advise to delete the project and reinstall the project and feed backup.

Avoid plugin malware

  1. Never update plugins on production environment
  2. Do backup
  3. Check plugin source code before installing

Redirection malware third party link
Gist of similar malware
Plugin incriminating StackOverflow post
Related hacked problem

Discussion (2)

redserverhost profile image
Red Server Host

Thanks for sharing useful information!! I am really impressed to see that you have provided such an interesting information about WordPress.
I was struggling with the same issue since last 3 days and finally solved it. Anyways can you suggest me some better option to get cheap linux hosting other than
Thank you once again!!

blog profile image
Larson Reever

Hi Remi, very useful article though, its a widespread problem in 2019, i came to know about this from an article on WordPress redirect Hack which i read online, so thought to share it with you.