Security Tips

Malicious Redirect Hacks on WordPress: When Your Traffic Ends Up Somewhere Else

A redirect hack quietly sends your visitors to scam and malware sites. Learn where attackers hide the code, how to spot the infection, and how to clean it.

WPSentry TeamJuly 16, 20263 min read
Table of Contents 7 sections

What Is a Redirect Hack?

A malicious redirect hack is one of the most common WordPress infections. Malicious code is injected into your site so that visitors are automatically sent to a different website, typically a scam, a fake pharmacy, an adult site, or a page that pushes malware. Your traffic, your reputation, and your search rankings all get quietly stolen.

Why Redirect Hacks Are So Hard to Notice

The clever part of a modern redirect hack is that it is conditional. Rather than redirecting everyone, the malicious code inspects each visitor and only redirects certain people. It commonly checks:

  • Whether the visitor is logged in. Administrators are excluded, so the owner sees a normal site while visitors get redirected.
  • The referrer. Only visitors arriving from Google or another search engine are redirected, which maximizes damage while avoiding direct visits by the owner.
  • The device. Some hacks target only mobile users, who are less likely to report the problem.
  • A cookie. Each visitor is redirected only once, so a repeat visit looks fine.

These tricks are why an owner can swear their site works perfectly while customers complain they land on a spam page.

Where Attackers Hide the Code

Redirect malware rarely lives in just one place. Sophisticated infections spread across several locations so that cleaning one still leaves the site infected:

  • The .htaccess file, using rewrite rules that send matching visitors elsewhere.
  • wp-config.php, where injected PHP runs on every page load.
  • The theme functions.php, a favorite spot for a small redirect snippet.
  • The database, injected into the wp_options table, widget content, or individual posts.
  • Fake or modified plugins that look legitimate in the admin list.
  • JavaScript files, where obfuscated code runs the redirect in the browser.

How the Malware Got In

A redirect hack is the symptom, not the cause. The attacker got in first, almost always through one of these doors:

  1. An outdated plugin, theme, or WordPress core with a known vulnerability.
  2. A weak or reused admin password guessed through brute force or credential stuffing.
  3. A previously planted backdoor from an earlier compromise.

Cleaning the redirect without closing the entry point simply invites the attacker back.

How to Clean a Redirect Hack

  1. Take a backup first, even of the infected site, so you can investigate safely.
  2. Inspect .htaccess, wp-config.php, and theme files for unfamiliar rewrite rules or obfuscated PHP.
  3. Scan the database for suspicious entries in wp_options and injected content in posts.
  4. Replace core and plugin files with fresh copies from official sources.
  5. Remove unknown admin accounts and reset every password.
  6. Update everything and then find and patch the vulnerability that allowed entry.
  7. Request a review in Google Search Console if your site was flagged.

How to Prevent Redirect Hacks

  • Keep WordPress core, plugins, and themes updated.
  • Use strong, unique passwords and two-factor authentication.
  • Monitor file changes so injected code is caught quickly.
  • Restrict file editing from the dashboard and disable PHP execution in uploads.
  • Run regular external scans to catch a compromise early.

How to Detect a Redirect Hack

Our WordPress Security Scanner checks your site against blocklists and Google Safe Browsing, detects suspicious response behavior, and flags the outdated components that let redirect malware in. Run a free scan to check whether your visitors are being sent somewhere you never intended.

FAQ

Frequently Asked Questions

A redirect hack is a malware infection that automatically sends your visitors to a different, usually malicious, website. It often targets only some visitors, such as those arriving from search engines or using mobile devices, which makes it hard for the owner to notice.

Many redirect hacks are conditional. The malicious code checks whether the visitor is logged in, which device they use, or where they came from, and only redirects certain people. Attackers exclude logged-in admins so the site owner does not spot the problem.

Common hiding places include the .htaccess file, wp-config.php, the theme's functions.php, injected database rows in wp_options and post content, fake or modified plugin files, and malicious entries in the wp_posts table. Sophisticated infections spread the code across several locations.

Almost always through a known vulnerability in an outdated plugin, theme, or WordPress core, or through a compromised admin password. Once inside, the attacker injects the redirect code and often plants a backdoor so they can return.

Back up the site, then check .htaccess, wp-config.php, and theme files for injected code, scan the database for suspicious entries, replace core and plugin files with clean copies, remove unknown admin users, reset all passwords, and update everything. Then find and close the entry point so it does not return.

Tags

Related Posts