
Examples of WordPress redirect hacks and how to deal with them

There is an increasing number of tampering cases in which visitors are redirected to fake Windows virus removal pages and PC repair pages only when the site is accessed via Google.
This article explains this case and the countermeasures.

Examples of a WordPress site redirect hack

The following incorrect behavior appears on the site:
● Only when a visitor arrives at the site from the search results are they forced to a different site instead of the intended page
● The destination may be a site that plays audio and prompts users to remove Windows viruses or recover PCs.
● The redirect does not always appear; it happens only once, or with random probability

What kind of code is embedded in the site?

A recent redirect hack trend is to load malicious JS files into the site. The JS file is executed when the page is loaded, and it contains code that redirects the user to another site with a random probability.
For example, the following code is inserted after the post link:

<script src="http://XXXX/jquery.js"></script>

If your site redirects visitors who arrive from search results, check that no malicious scripts are embedded in the posts.
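
One way to run that check over exported post bodies, as an added example that is not part of the original article: it lists every script tag whose src host is neither the site itself nor on an allowlist. The host names `blog.example` and `cdn.example.org`, the post IDs and the sample posts are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def unexpected_script_hosts(html, site_host, allowed_hosts=()):
    """Return (src, host) pairs for scripts loaded from hosts that are neither
    the site itself nor on the allowlist. Relative URLs count as same-site."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # urlsplit handles http://, https:// and protocol-relative //host/ URLs.
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in trusted:
            findings.append((src, host))
    return findings

def scan_posts(posts, site_host, allowed_hosts=()):
    """posts: iterable of (post_id, post_content). Returns {post_id: findings}."""
    report = {}
    for post_id, content in posts:
        findings = unexpected_script_hosts(content, site_host, allowed_hosts)
        if findings:
            report[post_id] = findings
    return report

# Constructed sample data: three post bodies, one carrying an injected tag.
SAMPLE_POSTS = [
    (101, '<p>Hello</p><script src="/wp-includes/js/jquery/jquery.js"></script>'),
    (102, '<p>News</p><SCRIPT SRC="//injected.example/jquery.js"></SCRIPT>'),
    (103, '<p>Map</p><script src="https://cdn.example.org/widget.js"></script>'),
]

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS, "blog.example", ["cdn.example.org"]).items():
        for src, host in findings:
            print(f"post {post_id}: unexpected script host {host} ({src})")
```

A file name such as jquery.js proves nothing about a script, which is why the check compares the host against the allowlist instead.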

In addition, the theme files header.php and footer.php may have been tampered with so that unauthorized JS is loaded on every page.
Example of a tampered header file

How are hackers tampering with the site?

How do hackers perform such tampering? The most common case is tampering with files from the administration screen after taking over administrator privileges. Once administrator authority has been taken, a backdoor can be embedded by modifying files from the administration screen. Hackers can then repeat the tampering as many times as they like through the backdoor.

Example of backdoor code

The above code contains obfuscated POST and GET handling that receives information via the browser, and an eval call that turns the received information into an executable program.

There are two main ways in which administrator rights are taken over.

(1) Taking over administrator rights by exploiting vulnerabilities in WordPress and plug-ins
(2) Using software to attempt logins from the login screen tens of thousands of times until the password is found, then taking administrative authority

In the case of (1), security is improved by keeping WordPress and plug-ins at their latest versions. In the case of (2), you can prevent it with a login lockdown function that prohibits login for a few minutes after a certain number of failed logins, by changing the URL of the login page, and by changing to a password that contains 12 or more alphanumeric characters and symbols.

Special case of redirect hack

There are cases where a site is affected by a redirect hack even though official WordPress and plug-ins are used and have not been tampered with.

● A plug-in distributed on the official website contains tampering code
● A redirect hack is included in the JavaScript code of an external advertisement delivery service.
● Computers and smartphones viewing the site are infected with a virus

What to do if you are already hacked

Please note that if the site has already been tampered with, updating WordPress itself or the plug-ins will not erase the backdoor, other tampered files, or code embedded in posts.
Also, once administrative privileges have been taken, hackers will get in again through the backdoor.

Please check for backdoors and malware using our free plugin.

WordPress Doctor Malware Scan & Security Plug-in