Your WordPress site is redirecting visitors to a spam page, a phishing site, or somewhere completely unrelated to your business. You noticed it on your phone, or a client called you. Your heart sank.
This is one of the most common WordPress attacks — and it is fixable without paying $300 for a cleanup service. This guide walks through exactly how I diagnose and remove WordPress redirect malware, the same process I follow for clients who come to me in a panic. By the end, you will know what caused it, how to clean it, and how to make sure it does not happen again.
What Is WordPress Redirect Malware?
WordPress redirect malware is malicious code injected into your site that silently sends your visitors — or search engine crawlers — to a different website. You usually see the real URL in your browser’s address bar for a split second before it bounces somewhere else.
The redirect often targets only certain visitors: mobile users, visitors coming from Google search, or first-time visitors. If you visit your own site directly from your bookmark, you may see nothing wrong — which is exactly why so many site owners don’t catch it for weeks.
⚠️ Common redirect destinations
Fake pharmaceutical websites (the “pharma hack”), tech support scam pages, gambling or adult content sites, and phishing pages designed to steal credentials.
The malicious code can live in multiple places simultaneously: your theme files, your plugins, your database, your .htaccess file, or even injected directly into WordPress core files.
How to Confirm Your Site Is Infected
Before doing anything, confirm what you are dealing with.
Check 1: Google Search
Search for your site on Google: site:yourdomain.com. If Google shows pages with titles or descriptions full of spam keywords (Viagra, casino, fake Louis Vuitton), the redirect malware has modified your content enough for Google to index it.
Check 2: Google Search Console
Log into Google Search Console. Go to Security & Manual Actions → Security Issues. Google often detects and flags redirect malware before you notice it yourself.
Check 3: Browse as a logged-out user on mobile
Open an incognito tab on your phone and visit your site directly. Redirect malware frequently targets only non-logged-in mobile users — not site administrators.
Check 4: Use a remote scanner
Run your site through Sucuri SiteCheck (free). It crawls your site externally and flags known malware signatures, blacklist status, and suspicious redirects. This does not scan your server files — it only sees what a visitor would see — but it is a fast first signal.
Check 5: Check your browser’s Network tab
In Chrome, open DevTools → Network tab, tick “Preserve log” so the entries survive the navigation, then visit your site. Look for any unexpected redirect (301 or 302) in the waterfall to an external domain you do not recognise. A JavaScript-based redirect does not show up as a 3xx response; it appears instead as a new document request to that external domain.
How Hackers Got In: The 3 Most Common Entry Points
Understanding how they got in matters — because if you clean the malware without closing the entry point, they will be back within days.
1. Outdated plugins or themes
The vast majority of WordPress hacks exploit known vulnerabilities in outdated plugins. A plugin that has not been updated in six months may have a publicly disclosed vulnerability that automated scanners actively probe for. This is the most common entry point by far.
2. Compromised admin credentials
Weak passwords, reused passwords from other breaches, or no two-factor authentication. Brute-force bots run 24 hours a day against WordPress login pages. Once they are in as an admin, they can install whatever they want.
3. A compromised hosting environment
If you share hosting with other sites, a vulnerability in a neighbouring site can sometimes be used to access your files — especially on cheap shared hosting where file permissions are not properly isolated.
Step-by-Step: How to Remove WordPress Redirect Malware
Work through these steps in order. Do not skip ahead — redirect malware is often injected in multiple locations at once, and missing one leaves the door open.
Before you start cleaning, block visitors from being redirected to harmful content while you work. You can do this with a simple maintenance.php file in wp-content/, or use a lightweight maintenance plugin.
This protects your visitors and stops the clock on SEO damage.
This sounds counterintuitive, but back up everything now: files and database. If you make a mistake during cleanup, you need something to roll back to. Your hosting control panel (cPanel, Kinsta, SiteGround) likely has one-click backups, or use a plugin like UpdraftPlus.
Log into your server via SFTP (not FTP — use SFTP). Download a copy of your entire site to your local machine. Then install and run one of these server-side scanners:
- MalCare — good at detecting obfuscated PHP malware
- Wordfence (free tier) — scans core files against official WordPress checksums and flags anything modified or added
- NinjaScanner — lightweight and accurate
Wordfence is particularly useful because it compares every core WordPress file against the official checksums from WordPress.org and flags any file that has been modified. Malware commonly hides in wp-includes/ and wp-admin/ because site owners rarely look there.
The .htaccess file is one of the most common locations for redirect injection — it is easy to modify and powerful enough to redirect all traffic. Connect via SFTP, navigate to your site root, and open .htaccess. A clean WordPress .htaccess looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you see anything outside those # BEGIN and # END WordPress tags — especially RewriteRule entries pointing to external domains, or base64-encoded strings — that is your malware. Delete everything outside the WordPress block and save.
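As an added example (my own code, not part of the original post), here is a small Python script that does the check described above mechanically: it splits an .htaccess file at the # BEGIN WordPress / # END WordPress markers, reports every directive outside the block, labels the ones that look like redirect injection (external URLs in RewriteRule, user-agent or referer conditions, PHP handler overrides, long base64-looking strings), and rebuilds a file containing only the WordPress block. The sample .htaccess, the redirect-target.example domain and the pattern list are constructed for the demonstration.

```python
import re

BEGIN_MARK = "# BEGIN WordPress"
END_MARK = "# END WordPress"

# Constructed sample (not a real capture): a stock WordPress block with an
# injected mobile-only redirect placed above it.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect-target.example/landing [R=302,L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Directive shapes that do not belong in a stock WordPress .htaccess.
# Checked only against lines outside the WordPress block.
SUSPICIOUS = {
    "external redirect": re.compile(r"Rewrite(?:Rule|Cond)\b.*https?://", re.I),
    "user-agent targeting": re.compile(r"HTTP_USER_AGENT", re.I),
    "referer targeting": re.compile(r"HTTP_REFERER", re.I),
    "php handler override": re.compile(r"\bAdd(?:Handler|Type)\b.*php", re.I),
    "base64-looking blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}


def split_htaccess(text):
    """Return (lines outside the WordPress block, lines inside it)."""
    outside, inside = [], []
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            in_block = True
            continue
        if stripped == END_MARK:
            in_block = False
            continue
        (inside if in_block else outside).append(line)
    return outside, inside


def audit_htaccess(text):
    """Return [(reason, line)] for every non-blank line outside the WordPress
    block; lines that also match a SUSPICIOUS pattern get that pattern's name."""
    outside, _ = split_htaccess(text)
    findings = []
    for line in outside:
        if not line.strip():
            continue
        reason = "outside WordPress block"
        for name, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                reason = name
                break
        findings.append((reason, line.strip()))
    return findings


def clean_htaccess(text):
    """Rebuild the file from the WordPress block alone, which is what the step
    above says to keep. Review audit_htaccess() output before writing this back."""
    _, inside = split_htaccess(text)
    return "\n".join([BEGIN_MARK, *inside, END_MARK]) + "\n"


if __name__ == "__main__":
    for reason, line in audit_htaccess(SAMPLE_HTACCESS):
        print(f"[{reason}] {line}")
    print("--- cleaned ---")
    print(clean_htaccess(SAMPLE_HTACCESS), end="")
```

Run it against a downloaded copy of .htaccess rather than editing in place, and read the findings before writing the cleaned version back: caching plugins and some hosts add their own marked blocks outside the WordPress one, and those are legitimate.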
The next most common injection location is your active theme’s functions.php file. Look for anything that:
- Appeared recently (check file modification dates via SFTP)
- Is base64-encoded (look for base64_decode, eval, gzinflate, str_rot13)
- Contains obfuscated variable names ($O0O0O, $_x, etc.)
- Adds external script tags or makes outbound HTTP requests
A quick way to scan for these patterns across all your PHP files — if you have SSH access, run:
grep -r "base64_decode" /path/to/your/site/wp-content/ --include="*.php"
grep -r "eval(" /path/to/your/site/wp-content/ --include="*.php"
Any result that is not in a legitimate plugin you recognise deserves a close look.
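To extend the grep approach above, here is an added example (my own code, not from the post) that scans a wp-content tree in Python for all four functions at once, for the obfuscated-variable and external-script patterns from the checklist, and for recent modification dates, reporting line numbers per file. The two functions.php samples, the demo-theme directory and the indicator list are constructed for the demonstration; the injected payload only decodes to the word "hello".

```python
import os
import re
import tempfile
import time

# Indicators from the checklist above plus a few tells that usually travel with them.
# These are heuristics: a hit is a reason to read the file, not proof of infection.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "gzinflate": re.compile(r"\bgz(?:inflate|uncompress)\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "obfuscated variable": re.compile(r"\$(?:[O0]{4,}|_+[a-z]{1,2})\b"),
    "external script tag": re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]https?://", re.I),
    "remote fetch": re.compile(r"\b(?:curl_exec|file_get_contents)\s*\(\s*['\"]https?://", re.I),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
}


def scan_php_source(source):
    """Return [(indicator, line_number, line)] for every line that trips an indicator."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno, line.strip()[:120]))
    return hits


def scan_tree(root, modified_within_days=30):
    """Walk a directory tree (e.g. wp-content/) and return
    {path: {"hits": [...], "recent": bool}} for every .php file that either
    trips an indicator or was modified within the given window. Recently
    modified files with no hits still deserve a look, so both are reported."""
    cutoff = time.time() - modified_within_days * 86400
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
                recent = os.path.getmtime(path) > cutoff
            except OSError:
                continue
            hits = scan_php_source(source)
            if hits or recent:
                report[path] = {"hits": hits, "recent": recent}
    return report


# Constructed samples: a benign functions.php and the same file with an
# obfuscated eval() appended (the base64 payload decodes to the string "hello").
CLEAN_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
"""

INJECTED_FUNCTIONS_PHP = CLEAN_FUNCTIONS_PHP + """
$O0O0O0 = "aGVsbG8=";
eval(base64_decode($O0O0O0));
"""


def build_demo_tree():
    """Write both samples into a throwaway directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    theme = os.path.join(root, "themes", "demo-theme")
    os.makedirs(theme)
    with open(os.path.join(theme, "clean.php"), "w") as fh:
        fh.write(CLEAN_FUNCTIONS_PHP)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write(INJECTED_FUNCTIONS_PHP)
    return root


if __name__ == "__main__":
    for path, info in scan_tree(build_demo_tree()).items():
        print(f"{path}  recent={info['recent']}")
        for indicator, lineno, line in info["hits"]:
            print(f"  line {lineno}: {indicator}: {line}")
```

Point scan_tree() at the downloaded copy of wp-content/ (or the whole site root, since wp-includes/ and wp-admin/ are also common hiding places) and expect some noise: legitimate plugins do call base64_decode and file_get_contents, so compare any flagged file against a fresh copy of the same plugin version before deleting anything.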
Redirect malware frequently stores the redirect logic directly in your WordPress database — often in wp_options, wp_posts, or widget data. This is why some sites look clean at the file level but still redirect visitors.
Log into phpMyAdmin (via your hosting panel). Run these SQL queries:
SELECT * FROM wp_options WHERE option_value LIKE '%<script%';
SELECT * FROM wp_posts WHERE post_content LIKE '%base64_decode%';
SELECT * FROM wp_posts WHERE post_content LIKE '%eval(%';
If these return results with suspicious script tags or encoded strings, you have a database infection. You will need to manually review and clean those rows — or restore from a clean pre-infection backup if you have one.
Go to your WordPress dashboard → Users → All Users. Look for any administrator accounts you do not recognise. Hackers often create hidden admin accounts so they can re-enter even after you clean the files. Delete any account you did not create.
Also check your database directly (if your installation uses a table prefix other than wp_, substitute it in both the table names and the wp_capabilities meta key):
SELECT * FROM wp_users;
SELECT * FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%';
Once the malicious code is removed:
- Update WordPress core to the latest version
- Update every plugin — or delete ones you are not actively using
- Update your theme
- Change all passwords: WordPress admin, SFTP/FTP, database, and your hosting control panel
- Regenerate your WordPress security keys in wp-config.php using the official generator
Run Wordfence or MalCare again after cleanup to confirm there is nothing left. Then browse your site as a logged-out mobile user in incognito mode. Check that Google Search Console no longer flags security issues (it may take a few days to clear after you request a review).
Cleaning up is only half the job. Lock it down:
- Enable two-factor authentication on all admin accounts
- Change the default login URL from /wp-admin/ to something custom — most brute-force bots target the default path
- Limit login attempts — install Login Lockdown or use your host’s built-in WAF
- Disable XML-RPC if you are not using it (it is a common brute-force vector)
- Set correct file permissions: 755 for directories, 644 for files, and 440 or 400 for wp-config.php
- Add a Web Application Firewall (WAF) — Cloudflare’s free tier blocks a huge volume of malicious traffic before it reaches your server
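The file-permission item is the one in that list that is easy to get wrong silently, so here is an added example (my own code, not from the post) that audits a site root against the 755/644/400-or-440 recommendation, lists the world-writable entries separately, and can apply the fix. It assumes a POSIX filesystem and the usual shared-hosting setup where PHP runs as the file owner; if PHP runs as a different user than the owner, 400 on wp-config.php makes the file unreadable and breaks the site, so use 440 with the web server's group in that case. The demo site layout and its two deliberately wrong modes are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Recommended modes from the hardening list above.
DIR_MODE = 0o755
FILE_MODE = 0o644
WP_CONFIG_MODES = (0o400, 0o440)


def expected_modes(root, path, is_dir):
    """Return the tuple of acceptable modes for an entry."""
    if is_dir:
        return (DIR_MODE,)
    if os.path.basename(path) == "wp-config.php" and os.path.dirname(path) == root:
        return WP_CONFIG_MODES
    return (FILE_MODE,)


def audit_permissions(root):
    """Walk a site root and return [(path, actual_mode, acceptable_modes)] for
    every directory or regular file whose permission bits are not the
    recommended ones. Symlinks are skipped because chmod would follow them."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            allowed = expected_modes(root, path, is_dir)
            if actual not in allowed:
                findings.append((path, actual, allowed))
    return findings


def world_writable(findings):
    """The subset of findings that any other user on the host could write to."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def fix_permissions(root, apply=False):
    """Return the chmod plan as [(path, new_mode)] and apply it only if asked.
    wp-config.php is set to 0400 (owner read-only), the stricter of the two options."""
    plan = [(path, allowed[0]) for path, _, allowed in audit_permissions(root)]
    if apply:
        for path, mode in plan:
            os.chmod(path, mode)
    return plan


def build_demo_site():
    """Constructed site root with two deliberately wrong modes, for demonstration."""
    root = tempfile.mkdtemp(prefix="wp-perms-demo-")
    os.chmod(root, DIR_MODE)
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)      # wrong: world-writable
    for name in ("index.php", "wp-config.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php\n")
    os.chmod(os.path.join(root, "index.php"), FILE_MODE)   # fine
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)   # wrong: should be 0400 or 0440
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for path, actual, allowed in audit_permissions(site):
        print(f"{oct(actual)} {path}  (want {' or '.join(oct(m) for m in allowed)})")
    print("world-writable:", [p for p, _, _ in world_writable(audit_permissions(site))])
    fix_permissions(site, apply=True)
    print("after fix:", audit_permissions(site))
```

Run the audit first with apply left at its default so you see the plan, and treat the world-writable list as the priority: on shared hosting those are the entries a neighbouring compromised account could modify, which is the third entry point described earlier.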
How Long Does This Take?
For a straightforward single-file injection: 1–2 hours if you are comfortable with SFTP and phpMyAdmin.
For a heavy infection across multiple files, the database, and with backdoors planted in plugins: 4–8 hours, sometimes more — and you are likely to miss something if you do it manually without deep scanning tools.
When to Call a Developer Instead
Some infections are straightforward. Others are not. Call someone who does this regularly if:
- Your scanner found malware but the redirect still happens after cleanup
- Multiple files were modified across your theme, plugins, and core
- You found unknown admin users but do not know how long they have had access
- Your host has suspended your account for malware distribution
- You restore a backup and the malware comes back within days (there is a backdoor you have not found)
A developer who handles WordPress security can typically identify and clean an infection in 1–3 hours with the right tools. More importantly, they can identify the original entry point — which is the part most DIY cleanups miss.
Need Help Cleaning Your Site?
If you’ve been through these steps and the redirect is still happening — or you don’t have time to dig through files yourself — I can help. I handle WordPress malware removal and security hardening for clients worldwide. Most cleanups are resolved within 24 hours.
Rajan Gupta
FullStack Web Developer
Rajan Gupta is a passionate web developer and digital creator who loves sharing insights on WordPress, modern web design, and performance optimization. When not coding, they enjoy exploring the latest tech trends and helping others build stunning, high-performing websites.