WordPress Redirect Hack

Many current WordPress hacks that I’m seeing are redirecting all visitors to a foreign domain. These “malware redirects” or “spam forwarding” are being used to send malvertising to all your website visitors.
This article looks at how this redirection occurs and what variations are possible. Because the redirects do not always occur on every visit (and are often deliberately hidden from admin users!), this type of hack may remain undetected for a long time.

One thing is certain: remedial action must be taken urgently so that valuable traffic is not lost and your customers are not attacked.

If you don’t want to waste any time please contact me for immediate help.

Common Domain names actively used in WordPress redirects


WordPress spam redirects – hiding places for the malware

In principle, automatic redirects can be placed in any file loaded by the WordPress system.
In addition, there are also frequent script injections directly into the database.
There are various hiding places for spam redirects that I’ve seen in the last months:

  • JavaScript injections in PHP files (especially in theme and plugin files)
  • JavaScript injected at the beginning of every JS file on the server
  • Script injections in pages and posts (the wp_posts database table)
  • Site URL (as set in the wp_options database table) changed to the hacker's domain
  • Modified .htaccess files (often in many folders)
  • Via advertising networks (hacked ad servers)

In addition to the spam redirects there are always multiple backdoors added, and often several admin users are added to WordPress to allow the hackers full access even once the vulnerable plugins have been patched.
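To make the hiding places above concrete, here is an added detection script (example code, not the author's tooling) that applies one heuristic per hiding place to file contents and to the wp_options siteurl/home values. It assumes you know your site's real host name; the sample files and the redirect-example.test domains are constructed stand-ins, not real malware.

```python
import re
from urllib.parse import urlparse

# Heuristics for the hiding places listed above (constructed for this example, not a full signature set).
URL_HOST = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)
JS_OBFUSCATION = re.compile(r'String\.fromCharCode|unescape\(|eval\(|atob\(', re.I)
JS_REDIRECT = re.compile(r'(?:window|document|top)\.location|location\.(?:href|replace)', re.I)
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
PHP_BACKDOOR = re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(', re.I)
HTACCESS_TARGET = re.compile(r'^\s*(?:RewriteRule|Redirect(?:Match)?(?:\s+\d{3})?)\s+\S+\s+(https?://\S+)', re.I | re.M)

def foreign_hosts(text, site_host):
    """Hostnames referenced in text other than the site's own host."""
    return sorted({h.lower() for h in URL_HOST.findall(text) if h.lower() != site_host})

def scan_file(name, text, site_host):
    """Findings for one file, one label per hiding place listed above."""
    findings, head = [], text[:2048]        # injected code is normally prepended to JS files
    if name.endswith('.js') and JS_OBFUSCATION.search(head) and JS_REDIRECT.search(head):
        findings.append('js-head-injection')
    elif name.endswith('.php'):
        if any(foreign_hosts(src, site_host) for src in SCRIPT_SRC.findall(text)):
            findings.append('php-script-injection')   # <script src> pointing at a domain that is not yours
        if PHP_BACKDOOR.search(text):
            findings.append('php-backdoor')
    elif name == '.htaccess' and any(foreign_hosts(t, site_host) for t in HTACCESS_TARGET.findall(text)):
        findings.append('htaccess-redirect')          # own-host http->https rewrites are left alone
    return findings

def check_site_urls(options, site_host):
    """wp_options 'siteurl'/'home' pointing at any other host means the whole site was redirected."""
    return [k for k in ('siteurl', 'home')
            if (urlparse(options.get(k, '')).hostname or '').lower() != site_host]

# Constructed sample files mimicking each hiding place (harmless stand-ins, not real malware).
SAMPLES = {
    'wp-content/themes/x/footer.php': "<?php wp_footer(); ?>\n<script src='https://ads.redirect-example.test/t.js'></script>",
    'wp-includes/js/jquery.js': "var _0x=String.fromCharCode(104);window.location.href=_0x;\n/* jQuery v3 */",
    '.htaccess': "RewriteEngine On\nRewriteRule ^(.*)$ https://spam.redirect-example.test/ [R=302,L]\n",
    'wp-content/uploads/cache.php': "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    'wp-content/themes/x/style.css': "body{margin:0}",
}

def scan_samples(site_host='mysite.example'):
    """Run the scanner over the constructed samples; returns {path: findings} for files with hits."""
    return {n: h for n, t in SAMPLES.items() if (h := scan_file(n, t, site_host))}

if __name__ == '__main__':
    for name, hits in scan_samples().items():
        print(f'{name}: {", ".join(hits)}')
```

On a real install you would feed every file under the WordPress root through scan_file and the siteurl/home rows from wp_options through check_site_urls, then triage each hit by hand, since legitimate themes also load external scripts.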

A partial list of vulnerable plugins being used

The vast majority of these attacks target vulnerabilities that were patched months or even years ago. If you have any of these plugins installed on your website, make sure you are running the latest secure update!

  • Duplicator
  • Page Builder by SiteOrigin
  • ThemeGrill Demo Importer
  • Profile Builder
  • WP GDPR Compliance
  • Coming Soon and Maintenance Mode

How do I avoid these problems?

As with most WordPress attacks, the solution is to update all your plugins and WordPress core regularly. Also make sure to remove (and not just deactivate) any plugins that are not required.

How to restore your website if you are infected

There are two ways to restore an infected website: by restoring a recent, clean backup or by removing all malware and backdoors that otherwise allow hackers to keep coming back.

  1. Restore a backup

Since these attacks generally infect 100 or even 1000 files as well as the database, the best recovery method is to delete the entire WordPress directory (make sure your backup is OK before doing this!) and reinstall from a clean backup. Then also restore your database from a clean backup.

  2. Manually remove all malware and backdoors

If this is not possible, you should contact a professional for help – with the right tools and knowledge the cleanup can be completed in 2-3 hours and your website can be put back online.

I can have your website clean, safe and online within hours for just US$110 (€99) – contact me now for immediate help!