How to Remove a WordPress Redirect Hack
A WordPress redirect hack occurs when attackers exploit vulnerabilities (usually in outdated plugins, themes, or weak server credentials) to inject malicious scripts or modify server configuration files. This forces your visitors to redirect to spam, phishing, or advertising sites. Here is the technical step-by-step process to locate and remove the infection.
1. Isolate the Site and Take a Backup
Before making any modifications, prevent further damage and preserve forensic data:
- Take a full backup of your files and database (even though they are currently infected). This ensures you have a recovery point if a cleanup step breaks site functionality.
- Put the site into maintenance mode or temporarily block public access via a 503 status code to protect your users and prevent search engines from indexing the spam redirects.
2. Inspect and Clean Server Configuration Files
Attackers frequently target .htaccess and wp-config.php to execute redirects before WordPress even loads.
Check .htaccess: Open your root .htaccess file. Look for unauthorized rewrite rules, especially those targeting specific user agents, referrers, or loading external files. A clean, default WordPress .htaccess should look like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you see unfamiliar domains, IP addresses, or complex rewrite conditions, delete them and replace the file with the clean default code above.
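To make the .htaccess check above repeatable, the following added example (not part of the original article) compares a file against the default block and labels anything else with the reason it deserves a look. The function name, the reason strings, and the sample directives (including redirect.example and /tmp/.cache.php) are constructed for illustration.

```python
import re

# The default WordPress block from the article, used as the allow-list.
DEFAULT = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
DEFAULT_LINES = set(DEFAULT.splitlines())

# What the article says to look for, most specific first.
CHECKS = [
    (r"^RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", "condition on user agent or referrer"),
    (r"^(RewriteRule|Redirect(Match)?|ErrorDocument)\b.*https?://", "points at an absolute URL"),
    (r"^php_value\s+auto_(prepend|append)_file\b", "loads an extra PHP file on every request"),
    (r"\b\d{1,3}(\.\d{1,3}){3}\b", "hard-coded IP address"),
]

def audit_htaccess(text):
    """Return (line_no, reason, directive) for every line that needs review."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        if not line or line.startswith("#") or line in DEFAULT_LINES:
            continue
        reason = next((why for rx, why in CHECKS if re.search(rx, line, re.I)),
                      "not part of the default WordPress block")
        findings.append((no, reason, line))
    return findings

# Constructed sample: extra directives placed ahead of the default block.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://redirect.example/in.php [R=302,L]
php_value auto_prepend_file /tmp/.cache.php
Options -Indexes
""" + DEFAULT

if __name__ == "__main__":
    for no, reason, line in audit_htaccess(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

Caching and security plugins add legitimate rules of their own, so treat each finding as a line to review rather than as proof of infection.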
Check wp-config.php: Inspect the top of this file. Look for obfuscated PHP code, such as eval(base64_decode(...)) or very long, minified strings of random characters. Remove any code injected before the opening <?php tag or immediately after it.
3. Audit the Database for Injected Scripts
Malicious redirects are often stored in the database, particularly in the wp_options, wp_posts, or metadata tables. Use phpMyAdmin or WP-CLI to run queries.
Verify Site URLs: Check the siteurl and home options in the wp_options table to ensure they point to your correct domain, not a spam URL.
Search for Injected Scripts: Run SQL queries to find script tags or common malicious patterns in your posts and options:
SELECT * FROM wp_posts WHERE post_content LIKE '%<script%';
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
Examine the results. If you find injected script tags pointing to external domains (e.g., <script src="http://spamdomain.com/bad.js">), edit the records to remove the malicious script tags.
4. Scan and Reinstall Themes and Plugins
The redirect script is often hidden within active theme files (like header.php, footer.php, or functions.php) or plugin directories.
- Verify Core Integrity: If you have SSH access, run WP-CLI to check for modified core files:
wp core verify-checksums
- Reinstall Plugins: Delete your existing plugin directories (except custom plugins) and reinstall fresh copies directly from the WordPress repository.
- Check Active Theme: Inspect your active theme's functions.php and JS files. Look for hooks like wp_head or wp_footer executing raw JavaScript or base64-encoded PHP. Replace the theme files with a fresh, clean download if possible.
5. Post-Cleanup Hardening
Cleaning the files is temporary if you do not patch the entry point. Complete these steps immediately after cleanup:
- Update all plugins, themes, and WordPress core to their latest versions.
- Generate new security keys (salts) in your wp-config.php file to force-logout all active sessions.
- Change passwords for all WP Admin accounts, FTP/SFTP accounts, database users, and hosting control panels.
- Set correct file permissions: 755 for directories, 644 for files, and 400 or 440 for wp-config.php.