Key Takeaways
- Manual malware removal requires deleting hidden scripts from core files, but a single mistake can break your site or miss hidden backdoors entirely.
- Security plugins are safer than manual editing but drain server resources and cannot help if the hack locks you out of your wp-admin dashboard.
- Automate the entire cleanup at the server level with Cloudways Malware Protection to instantly remove threats for just $4/month per application.
As a WordPress website owner, you expect your links to take visitors exactly where they intend to go. Finding out that your site is suddenly forcing them to an entirely different webpage is a massive problem.
A WordPress redirect hack is one of the most damaging things that can happen to a site, immediately tanking your SEO and destroying visitor trust.
The solution is to track down the malicious script hidden inside your server files or database and remove it. Once you do that, the forced rerouting stops and you regain control over your traffic.
In this guide, we’ll tell you what a WordPress redirect hack is, explain how to clean up the infection manually, discuss the risks of editing code yourself, and then show you an automated way to fix the issue using the Cloudways Malware Protection add-on.
What is a WordPress Redirect Hack?
A WordPress redirect hack is a cyberattack where malicious scripts are injected into your website to forcibly reroute visitors from your intended pages to unauthorized third-party destinations.
When users click a link to your site, this hidden code hijacks their browser and instantly pushes them somewhere else. A real-world example of this is the Balada Injector campaign. In that specific attack, hackers exploited vulnerabilities across over a million WordPress sites to steal traffic and push visitors to fake tech support scams.
Hackers execute these attacks to profit off your audience. They typically redirect your hard-earned traffic to phishing sites built to steal credentials, adult content, or fraudulent ad networks that generate illegal revenue from your page views.
Common Signs Your WordPress Site is Redirecting to Spam
The malicious code usually remains hidden for as long as possible. Its primary function is to reroute traffic quietly without alerting the site owner to the problem. If you start to notice your WordPress site redirecting to spam, you need to act quickly.
Here are the immediate symptoms to look out for in greater detail:
1. Direct Complaints from Your Visitors
The first warning often comes directly from your audience. You might receive emails, social media messages, or support tickets from frustrated clients stating that your website keeps redirecting to another site every time they try to click a link or read an article.
The unauthorized script is often configured to ignore logged-in administrator sessions. This makes your regular visitors the front line of defense in spotting the infection.
2. Known Malware URLs Flashing in the Browser
When a forced redirect happens, the transition is rarely a straight jump from your site to the final destination. You might spot specific, recognized malicious domains flashing quickly in the browser address bar before the final spam page loads.
A frequent culprit is the shbzek.com virus or similar intermediary tracking URLs. These middleman domains intercept the user connection before pushing the visitor to the final destination (you can often spot these early by running a Sucuri site check).
3. Sudden Rerouting to Pharmaceutical Sales
You could be dealing with a WordPress pharma hack. This specific issue reroutes users to unauthorized pharmaceutical sales pages. It leverages your domain’s existing SEO authority to bypass search engine filters and display these products to your audience.
4. Strange Behavior Specific to Mobile or Search Traffic
The scripts are frequently written to only trigger under very specific conditions. The unauthorized rerouting might only happen on mobile devices or exclusively for visitors arriving directly from a Google search. The code relies on conditional logic to function this way.
If you check your site by typing the URL directly into your desktop browser, everything looks perfectly fine. This tactic ensures the site owner stays completely unaware while the organic search traffic is silently rerouted.
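One way to check your own site for the conditional behaviour described above, as an added example that is not part of the original article: it requests the same URL under different User-Agent and Referer combinations without following redirects and reports which ones are sent off-site. The header values and example.com are assumptions, and it only sees HTTP-level redirects, not ones triggered by injected JavaScript.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
MOBILE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile"
GOOGLE = "https://www.google.com/"

# Request profiles for the conditions named above (illustrative header values).
PROFILES = {
    "desktop-direct": {"User-Agent": DESKTOP},
    "mobile-direct": {"User-Agent": MOBILE},
    "desktop-google": {"User-Agent": DESKTOP, "Referer": GOOGLE},
    "mobile-google": {"User-Agent": MOBILE, "Referer": GOOGLE},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx then surfaces as an HTTPError


def http_fetch(url, headers):
    """Return (status, Location header or None) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def _base(host):
    return host[4:] if host.startswith("www.") else host


def conditional_redirects(url, fetch=http_fetch):
    """Map profile name -> Location for every profile redirected to another site."""
    own = _base(urlsplit(url).hostname)
    offsite = {}
    for name, headers in PROFILES.items():
        status, location = fetch(url, headers)
        if 300 <= status < 400 and location:
            target = urlsplit(location).hostname  # None for relative redirects
            if target and _base(target) != own and not target.endswith("." + own):
                offsite[name] = location
    return offsite


if __name__ == "__main__":
    # Replace with a URL on a site you operate.
    print(conditional_redirects("https://example.com/"))
```

An empty result for "desktop-direct" alongside entries for the mobile or Google profiles is the pattern this section describes.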
How to Implement a WordPress Redirect Hack Fix (Manual Method)
Manual WordPress malware removal requires you to dig deep into your server configuration. The unauthorized code is almost never out in the open. Instead, it spreads across multiple directories and database tables to avoid detection.
If you feel comfortable editing your server files directly, here are the exact steps to locate and delete those hidden scripts.
Step 1: Inspect the .htaccess File
- The .htaccess file controls how your server handles incoming traffic. This makes it a primary target for server-level redirects.
- Connect to your site using an FTP client or your hosting file manager, then navigate to your website’s public root folder. In most hosting setups, this is public_html. On some hosts, it may be htdocs, www, or the folder where WordPress is installed. Open the .htaccess file there in a text editor, make your changes, and save the file.

- Look for strange redirect rules or unfamiliar URLs. In the example below, you can see malicious code designed to reroute mobile traffic placed right at the top of the file. If you see similar code pushing traffic away from your domain, delete those specific lines and save the file.


Step 2: Check Core WordPress Files
- Next, examine your core WordPress files. You need to pay special attention to wp-config.php and index.php. The hidden script often looks like a massive block of random text. This is a technique known as base64 encoding used to obscure the actual destination URL.
- In the first example below, you can see an obfuscated string of malicious code injected right at the top of the configuration file.

- Alternatively, attackers will use hidden includes to quietly load malware disguised as normal site assets. In the second example, malicious code inside index.php is forcing the site to load a fake CSS file. Delete any unfamiliar blocks of code or suspicious file paths you find in these core files.

Step 3: Review the Database
- Sometimes the redirect code is injected directly into your database rather than your server files. Log into phpMyAdmin and run a search through your tables. You need to focus heavily on the wp_options and wp_posts tables.
- In the screenshot below, you can see a malicious JavaScript tag buried at the end of the content for a standard WordPress post. Look for unrecognized tags or unfamiliar URLs attached to your legitimate posts, pages, and site settings. Remove any unauthorized entries you find.

Step 4: Search Theme and Plugin Files
- Finally, inspect your active theme and plugin directories. The header.php and footer.php files within your theme are very common locations for JavaScript injections. Because these specific files load on every single page of your website, placing a script inside them ensures the rerouting triggers constantly.
- As shown in the example below, attackers frequently drop a rogue <script> tag right before the closing </head> tag in the header file. Review these files and strip out any unknown scripts.
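The checks from Steps 1 to 4, expressed as a read-only scanner. This is an added example, not code from the original article or from Cloudways; the regular expressions, the hostnames and the sample file contents are constructed assumptions.

```python
import re

# Heuristics for the indicators named in Steps 1-4. A hit means "review this
# line by hand", not "this is malware"; legitimate third-party scripts also match.
EXTERNAL_REWRITE = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://([^/\s\]]+)", re.I)
COND_ON_VISITOR = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
ODD_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\.(?:css|ico|png|jpg|gif|txt)['\"]", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"'](?:https?:)?//([^/\"']+)", re.I)

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own hostnames

# Constructed sample inputs (not taken from the article's screenshots).
SAMPLES = {
    "public_html/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
        "RewriteRule ^(.*)$ http://spam.example.invalid/ [R=302,L]\n"
        "RewriteRule . /index.php [L]\n"),
    "public_html/wp-config.php": "<?php\n$x = '" + "QUJD" * 40 + "';\ndefine('DB_NAME', 'wp');\n",
    "public_html/index.php": (
        "<?php\ninclude 'wp-includes/css/style.css';\n"
        "require __DIR__ . '/wp-blog-header.php';\n"),
    "wp_posts.post_content (ID 42)": (
        "<p>Hello</p><script src='https://cdn.example.invalid/a.js'></script>"),
    "theme/header.php": (
        "<script src='https://www.example.com/wp-includes/js/jquery.js'></script>\n</head>\n"),
}


def scan_text(name, text, own_hosts=OWN_HOSTS):
    """Return (name, line_number, reason) tuples for lines worth a manual look."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if name.endswith(".htaccess"):
            m = EXTERNAL_REWRITE.search(line)
            if m and m.group(1).lower() not in own_hosts:
                findings.append((name, no, "redirect to external host " + m.group(1)))
            if COND_ON_VISITOR.search(line):
                findings.append((name, no, "rule conditioned on user agent or referrer"))
            continue
        if LONG_BASE64.search(line):
            findings.append((name, no, "long base64-like string"))
        if ODD_INCLUDE.search(line):
            findings.append((name, no, "PHP include of a non-PHP file"))
        for host in SCRIPT_SRC.findall(line):
            if host.lower() not in own_hosts:
                findings.append((name, no, "script loaded from external host " + host))
    return findings


def scan_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

To use it on a real site, pass each file's contents (or rows of wp_options and wp_posts exported as text) to scan_text and review every reported line before deleting anything.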

The Risks of Manual Malware Removal
Trying to clean infected files by hand is a risky process. While the manual steps outlined above do work, they come with significant downsides that can easily make your situation worse.
Here are the core problems with editing your site code manually:
- Breaking your website: Core WordPress files and server configurations are highly sensitive. Deleting the wrong line of code in wp-config.php or .htaccess will instantly break the website. A single missing character can trigger the White Screen of Death, completely locking you out of the WordPress dashboard and taking your site offline entirely.
- Missing hidden backdoors: Finding the script causing the redirect is usually only half the battle. Attackers almost always leave hidden backdoors scattered throughout your directory structure. If you delete the main redirect code but miss a backdoor, the malware will simply regenerate the next day. This puts you in a frustrating loop where the infection keeps coming back.
- Wasting time and resources: Manually hunting for obfuscated code requires technical expertise and hours of dedicated effort. Searching line by line through database tables and core files extends your downtime and keeps your business offline much longer than necessary.
Because of these risks, digging through code by hand is rarely the most practical approach for a business owner trying to get back online quickly.
How to Fix a WordPress Redirect Hack Using a Plugin
If editing server files directly is out of your comfort zone, using a WordPress anti-malware plugin is the next logical approach. Plugins automate the search process right from your WordPress dashboard.
Here is how to use a standard security tool like Wordfence (or a reliable Wordfence alternative) to find and remove the unauthorized script.
Step 1: Install a Security Scanner
- Log into your WordPress admin area. Navigate to Plugins and click Add New. Search for Wordfence Security, install the plugin, and activate it.

- You will need to provide an email address to receive security alerts and get your free license key to complete the setup.






Step 2: Configure the Scan Settings
- When you scan your website for malware, you want to make sure the tool looks everywhere. Go to the Wordfence menu in your dashboard and click on Scan.

- Click on “Manage Scan” and select the “High Sensitivity” option. This ensures the plugin checks outside the standard WordPress installation folders for any hidden backdoors or unusual file modifications.
Step 3: Run the Malware Scan
- Return to the main scan page and click “Start New Scan.” The plugin will now compare your current core files, themes, and plugins against the official clean versions stored in the WordPress repository. It will also check your database for known malicious URLs and unauthorized script injections.

Step 4: Repair or Delete Infected Files
- Once the scan finishes, you will see a list of flagged items. Wordfence will highlight the specific files containing the redirect code.

- For core WordPress files, you can usually click a button to “Repair” the file, which strips out the unauthorized code and restores the clean original version.

- If the scan finds completely unrecognized files that do not belong on your server, you can select the option to delete them entirely.
The Limitations of Using Security Plugins
While using a plugin is significantly safer than manual code editing, it still relies on your WordPress application to function. This creates a few specific roadblocks during a severe infection.
- Dashboard lockouts: If the redirect script is configured to trigger immediately upon loading the login page, you simply cannot access your wp-admin area. If you cannot log in, you cannot install or run the plugin to fix the problem.
- Server resource drain: Deep malware scans require massive amounts of processing power. Running this intensive task directly from your WordPress backend can slow down your site for visitors or even crash a smaller server entirely.
- Application-level restrictions: Plugins operate entirely within the confines of WordPress. If the unauthorized code is hidden deeper at the server level, a standard plugin often lacks the necessary permissions to find or remove the root cause.
How to Automatically Fix the Redirect on Cloudways
Both the manual code editing and plugin-based methods come with significant drawbacks. Editing server files by hand puts you at risk of breaking your site, while standard security plugins become entirely useless if the malicious code locks you out of your WordPress dashboard.
To provide a safer and more reliable option, we built the Malware Protection add-on directly into the Cloudways platform. Powered by Imunify360, it operates at the server level rather than the application level.
This means you do not even need access to your wp-admin area to clear out the infection.
Here is how the add-on resolves complex redirect issues directly from your dashboard:
- Automated Malware Cleanup: Instead of hunting for obfuscated code or digging through file managers, the system scans your server environment to locate the malicious scripts. It automatically cleans the infected code, isolating the threat while keeping your legitimate site files intact.
- Deep Database Protection: Standard plugins often miss malicious code buried inside database tables. Our scanner digs directly into your WordPress database to eliminate these hidden threats and ensure comprehensive database security. It also scans for malicious cron jobs, closing a common backdoor that causes redirects to regenerate.
- Runtime Application Self-Protection (RASP): This feature actively monitors your web application. It identifies malware injections in real-time and blocks the unauthorized routing before the script can execute.
- Proactive Defense Events: To provide proactive security against zero-day attacks, this uses a real-time PHP script evaluation engine to analyze exactly what your PHP scripts are doing as they run. This stops brand-new, unknown threats that traditional signature-based scanners typically miss.
Using this built-in tool bypasses the need to edit sensitive core files yourself and speeds up the recovery process.
How to Enable the Automated Cleanup
Activating the add-on takes just a few clicks, and the initial scan runs entirely in the background without impacting your site’s performance.
Step 1: Navigate to Application Security
Log into your Cloudways platform, select your server, and click into your specific application. From the left-hand management menu, click on Application Security and select the Malware Protection tab.


Step 2: Activate the Scanner
Click the Enable Protection button. This instantly turns on real-time monitoring and triggers a comprehensive, automated scan across your web directories and your WordPress database.

Step 3: Monitor Your Dashboard
Once the add-on is active, you can monitor threats and automated cleanup actions through three simple tabs:
- Malicious: This lists any isolated threats. It shows the exact file path or database table where the redirect code was found and confirms the action taken (Cleaned, Quarantined, or Removed).
- Scan History: Here, you can review a complete log of all past automated scans or click “Start Scan” to trigger an immediate on-demand check.
- Proactive Defense: This is your runtime protection log. It details any zero-day events where malicious PHP scripts were blocked from executing.



How to Prevent Future Malicious Redirects
To ensure the redirect doesn’t return, you need to close the vulnerabilities that allowed the injection in the first place and strengthen your overall website security.
Here is how to secure your WordPress environment against future attacks.
1. Keep Your Software Updated
Outdated plugins and themes are the most common entry points for malware. Developers regularly release patches for known vulnerabilities, and delaying these updates leaves your site exposed. To streamline this workflow and avoid breaking your live site, you can use Cloudways SafeUpdates to automatically test, back up, and apply these critical patches.
2. Remove Inactive Plugins and Themes
Unused software still resides on your server, providing attackers with unnecessary targets. Even if a plugin is deactivated, a known vulnerability within its code can still be exploited. If a plugin or theme is not actively serving a purpose, delete it completely to reduce your site’s vulnerability footprint.
3. Avoid Nulled Software
Pirated or “nulled” premium plugins and themes are frequently modified to include hidden backdoors and malware before they are distributed. Installing them compromises your site from day one. Always source your software directly from the official WordPress repository or verified developers.
4. Enforce Strong Passwords and 2FA
Advanced server security cannot protect a site if an attacker simply logs in with compromised administrator credentials. Require complex, unique passwords for all user accounts and enable Two-Factor Authentication (2FA) to strictly secure your wp-admin dashboard.
5. Utilize a Secure Hosting Environment
Your hosting provider plays a critical role in filtering malicious traffic. A secure platform like Cloudways provides built-in, server-level protections like a Web Application Firewall (WAF) and bot mitigation to block automated attacks and unauthorized login attempts before they reach your WordPress application.
Wrapping Up!
A WordPress redirect hack severely damages your site’s reputation and steals your organic traffic. While you can attempt to hunt down the malicious code manually or rely on standard security plugins, both methods come with significant drawbacks.
Manual editing puts your core files at risk, and application-level plugins become useless if the malware locks you out of your dashboard.
The most reliable way to clear an infection is to handle it at the server level. Rather than paying hundreds for a one-time website malware removal service, the Cloudways Malware Protection add-on automates the entire cleanup process starting at just $4/month per application.
It scans your database and files, neutralizes the threat, and actively blocks future attacks before they execute. By enabling this built-in tool and keeping your software updated, you can permanently protect your WordPress site from malicious redirects.
Q. How to fix a redirect in WordPress?
A. If your site is suffering from a malicious redirect, you must scan your core files and database for unauthorized code. The safest and fastest method is using a server-level scanner like Cloudways Malware Protection to automatically find and clean the infection.
Q. Can you set up redirects in WordPress?
A. Yes, you can easily set up legitimate redirects to guide users from old URLs to new ones. The most common method is using a dedicated redirect plugin or adding simple 301 redirect rules directly into your .htaccess file.
Q. Can a WordPress site be hacked?
A. Yes, WordPress sites are frequent targets for hackers, usually through outdated plugins, weak passwords, or nulled themes. Protecting your site requires proactive measures like keeping all software updated and utilizing a highly secure hosting environment.
Q. How to redirect a 404 page in WordPress without a plugin?
A. You can redirect a 404 page manually by adding a standard 301 redirect rule to your server’s .htaccess file. Alternatively, you can edit your active theme’s 404.php file to include a PHP header redirect that automatically sends visitors back to your homepage.
Abdul Rehman