Many current WordPress hacks that I’m seeing are redirecting all visitors to a foreign domain. These “malware redirects” or “spam forwarding” are being used to send malvertising to all your website visitors.

This article looks at how this redirection occurs and what variations are possible. Because the redirects do not always occur on every visit (and are often deliberately hidden from admin users!), this type of hack may remain undetected for a long time.

One thing is certain: Remedial action must be taken urgently so that valuable traffic is not lost and your customers are not attacked.

Update: 02/03/2021: There are still a lot of redirect attacks going on – mainly because of the same problems due to insecure plugins and missing updates!

If you don’t want to waste any time, and want to protect your website visitors please contact me for immediate help.

Common Domain names actively used in WordPress redirects

WordPress spam redirects – hiding places for the malware

In principle, automatic redirects can be placed in any file loaded by the WordPress system.
In addition, there are also frequent script injections directly into the database.
There are various hiding places for spam redirects that I’ve seen in the last months:

  • Javascript injections in PHP files (especially in theme and plugin files)
  • Javascript files, injected at the beginning of all JS files on server
  • Script injections in pages and articles (wp-posts database table)
  • URL of website (as set in wp-options database table) changed to hackers domain
  • Modified .htaccess files (often in many folders)
  • Via advertising networks (hacked ad servers)

In addition to the spam redirects there are always multiple backdoors added, and often several admin users are added to WordPress to allow the hackers full access even once the vulnerable plugins have been patched.

A partial list of vulnerable plugins being used

The vast majority of these attacks are targeted at vulnerabilities that were patched months or even years ago.  If you have any of these plugins installed in your website make sure you are using the latest secure updated !

  • Duplicator
  • Page Builder by SiteOrigin
  • ThemeGrill Demo Importer
  • Profile Builder
  • WP GDPR Compliance
  • Coming Soon and Maintenance Mode

How do I avoid these problems?

As with most WordPress attacks, the solution is to update all your plugins and WordPress core regularly.  Also make sure to remove (and not just deactivate) any plugins that are not required.

How to restore your website if you are infected

There are two ways to restore an infected website: by restoring a recent, clean backup or by removing all malware and backdoors that otherwise allow hackers to keep coming back.

  1. Restore a backup

Since these attacks generally infect 100 or even 1000 files as well as the database, the best recovery method is to delete the entire WordPress directory (make sure your backup is OK before doing this !!) and reinstall from a clean backup. Then also restore your database from a clean backup.

  1. Manually remove all malware and backdoors

If this is not possible you should contact a professional for help – with the right tools and knowledge the cleanup can be completed in 2-3 hours and your website can be put back online.

I can have your website clean, safe and online within hours for just US$149 (€129) – contact me now for immediate help!