This blog post explains how to remove redirects in WordPress. To remove WordPress redirects, you should first know how redirections work.
One common attack vector used against WordPress websites involves compromising files to cause the website to automatically redirect users to another location.
This kind of attack is called malicious redirection.
There are multiple ways to perpetrate malicious redirects in WordPress, including using a plugin, theme, or server-side intrusion.
This article will explain how this kind of attack works and will offer some tips for addressing it.
A hacker will employ a malicious redirection to redirect the visitors to your website to another location. Once they have been redirected, your visitors may be exposed to malware, advertising spam, or phishing attacks.
To perform a malicious redirection attack, the hacker must alter some of your WordPress website files. To be able to do so, they usually rely on the following techniques:
There have been many types of malicious redirect techniques used on WordPress websites. The most common include:
Every WordPress website has a .htaccess file located in the folder where WordPress was installed.
WordPress uses this file to change how the webserver deals with files. It is also used to create the pretty permalinks used by WordPress.
Hackers who gain access to your server can alter this file to add a malicious redirect. A redirect would send all visitors to another website.
Hackers might also add additional .htaccess files containing a malicious redirect in other locations like /wp-content or /wp-includes.
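One way to check for both cases described above, as an added example that is not part of the original article: it walks a WordPress tree, reports any .htaccess file below the install root, and reports redirect directives that point at a host other than your own. The site host `example.com`, the target `redirect-target.example`, and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
DIRECTIVE_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)\s", re.I)
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.I)

def audit_htaccess(wp_root, site_host):
    """Return (relative_path, line_no, reason) for each item to review."""
    root, findings = Path(wp_root), []
    for path in sorted(root.rglob(".htaccess")):
        rel = path.relative_to(root).as_posix()
        if rel != ".htaccess":
            # Plugins sometimes create these legitimately: review, don't assume.
            findings.append((rel, 0, "extra .htaccess below the install root"))
        lines = path.read_text(errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if not DIRECTIVE_RE.match(line):  # comments and other directives
                continue
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host and host != site_host and not host.endswith("." + site_host):
                    findings.append((rel, no, "redirect to external host " + host))
    return findings

def build_sample_tree(root):
    """Constructed sample: stock WordPress rules plus two injected redirects."""
    root = Path(root)
    (root / "wp-includes").mkdir(parents=True)
    (root / ".htaccess").write_text(
        "# BEGIN WordPress\n"
        "RewriteEngine On\n"
        "RewriteBase /\n"
        "RewriteRule ^index\\.php$ - [L]\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule . /index.php [L]\n"
        "# END WordPress\n"
        "RewriteRule ^(.*)$ http://redirect-target.example/in [R=302,L]\n")
    (root / "wp-includes" / ".htaccess").write_text(
        "Redirect 302 / http://redirect-target.example/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_htaccess(tmp, "example.com"):
            print(finding)
```

The stock WordPress permalink rules produce no findings because their targets are local paths, not absolute URLs on another host.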
Malicious redirects are often found in PHP files within WordPress including index.php, header.php, footer.php, and functions.php.
Hackers target these files because they are executed often by WordPress.
Hackers might also modify the header.php file of your WordPress installation by using an encoded string and PHP’s eval() function.
Another common pathway for a malicious redirect to infect a site is by getting the website owner to unwittingly install a fraudulent plugin or theme.
WordPress highlighted one instance of this occurring via a plugin called ilovedc.
Once installed, this plugin would use the WordPress function insert_with_markers() to modify the site’s .htaccess file.
The fix for this type of attack was to delete the plugin and restore your website’s old .htaccess.
The malicious code can be recognized by the long hex-encoded strings it places in files. These sections of code look something like this:
This particular attack appears to typically begin with a brute-force attack on the WordPress xmlrpc.php or login.php files. The hacker will attack the site until they gain access to the WordPress administration section.
Once the hackers are in the administration section, they will open the theme editor and change the 404.php file of the current theme.
They may also attempt to upload infected plugins and themes. Hackers would even add backdoors in other files to give themselves access to the website at a later date.
Weak passwords and cross-site contamination were primarily responsible for this kind of attack because they made brute-force attacks simple to perform.
Fortunately, removing WordPress redirects is usually a simple process.
If a hacker has managed to gain access to your administration section, you will need to change the passwords for all WordPress users.
You will also have to ensure that no additional users have been added by the hacker. To be on the safe side, you should also generate new WordPress salt keys and passwords for FTP accounts, databases, and hosting accounts.
The presence of unexpected themes or plugins may indicate that your site has been compromised. Delete all of these files.
There are many third-party tools which will scan your website to identify malware and compromised files. ThreatPress offers cleaning services and software to make the cleaning process easier.
There are a variety of plugins that will scan your WordPress system files to ensure they are correct.
These scanners will identify any malicious code that has been added to files like index.php, db.php, header.php, and footer.php.
There are multiple security plugins for WordPress that can scan and identify altered or infected WordPress core files.
If the problem persists, you can manually inspect the files that often contain this kind of attack. This includes your .htaccess files, index.php files, and db.php.
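To support the manual inspection, here is an added example (not code from the original article) that searches PHP files for the two patterns described earlier: eval() fed by a decoder function, and long hex-encoded strings. The 20-escape threshold, the theme name `sample-theme`, and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# eval() fed directly by a decoder, e.g. eval(base64_decode("..."))
EVAL_DECODE_RE = re.compile(
    rb"\beval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.I)
# 20 or more consecutive \xNN escapes; the threshold is an assumption, tune it.
HEX_RUN_RE = re.compile(rb"(?:\\x[0-9a-f]{2}){20,}", re.I)

def scan_php(wp_root):
    """Return (relative_path, line_no, reason) for each matching line."""
    root, findings = Path(wp_root), []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        # Read bytes so files with odd encodings are still scanned.
        for no, line in enumerate(path.read_bytes().splitlines(), 1):
            if EVAL_DECODE_RE.search(line):
                findings.append((rel, no, "eval() of decoded string"))
            if HEX_RUN_RE.search(line):
                findings.append((rel, no, "long hex-encoded string"))
    return findings

def build_php_sample(root):
    """Constructed, inert sample files; the theme name is made up."""
    theme = Path(root) / "wp-content" / "themes" / "sample-theme"
    theme.mkdir(parents=True)
    (Path(root) / "index.php").write_text(
        "<?php\ndefine( 'WP_USE_THEMES', true );\n"
        "require __DIR__ . '/wp-blog-header.php';\n")
    (theme / "header.php").write_text(
        "<?php\n/* theme header */\n"
        'eval(base64_decode("Q09OU1RSVUNURUQ="));\n')
    (theme / "404.php").write_text(
        '<?php\n$s = "' + "\\x41" * 24 + '";\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_php_sample(tmp)
        for finding in scan_php(tmp):
            print(finding)
```

A match is a lead for review, not proof of compromise: compare the flagged file against a clean copy of the same WordPress, theme, or plugin version before deleting anything.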
Patchstack can also help with manual malware removal. If you need additional help, contact us at firstname.lastname@example.org.
If the problem still persists, revert to an older backup of your website.
If you do not have a backup of your website available, perform a complete reinstall of all WordPress files, plugins, and themes.
If Google has discovered malicious redirects on your website, Google may apply a penalty.
This penalty could range from a warning message that appears next to your website in the search engine results to a complete blacklisting of your website.
Once you have repaired your website, go to Google’s Search Engine Console and use the Remove URLs feature to eliminate any references that Google has to the infected pages. You will then have to go to Search Traffic > Manual Actions and request a review of your website.
It’s important to take steps to ensure this attack does not happen again in the future. The following steps will substantially reduce the risk of another attack.
Make your passwords more complex so hackers are less likely to successfully use a brute force attack on your website. Your passwords should also be regularly changed.
We offer WordPress security that will help you to strengthen your WordPress by protecting your website from plugin and theme vulnerabilities.
Patchstack also includes the must-have virtual patching feature. If you don't have virtual patching yet, learn what it is here.
Patchstack also includes auto-updates for vulnerable plugins.
You can also install Theme Check, which tests your themes to ensure they are up to the latest theme review standards.
As much as possible, obtain your plugins from the official WordPress site. Don’t install plugins or themes unless you really need the functionality they provide. If you are not using a plugin or theme, delete it from your website.
WordPress themes and plugins do sometimes contain vulnerabilities that can be exploited by hackers. Keep them updated to minimize the risk of a vulnerability being present.
It’s essential to back up your website regularly so you can quickly recover from these kinds of attacks. Use a web host that offers free backups.
You should store your backups in at least three separate locations.
Some web hosts specialise in WordPress hosting and have automated tools that scan your WordPress installation for you.
These tools can identify malicious redirect attacks and remove them before they do any damage.