Comprehensive Guide to Removing JavaScript Redirect Malware from WordPress

JavaScript redirects can be tricky to identify and troubleshoot. At times you can't reproduce the issue; at others you are redirected before you can troubleshoot.

JavaScript redirect malware is… well, special in many ways.

One: The most common variant may or may not infect the WordPress files, so you’ll go in loops installing and reinstalling WordPress to no effect.

Two: Common malware scanners fail miserably at scanning the database.

And finally, there’s no way to figure out if a redirect is genuine or malicious.

Cleaning up a WordPress site hit by redirect malware needs manual intervention and some… “skills”. It is always challenging to detect the malicious script that keeps redirecting users to other sites. This tutorial will help you detect and remove JavaScript redirect malware.

How to identify a JavaScript Redirect Malware (WordPress Malware Redirect Hack)

If you open the web page, it will redirect in no time. You can’t really trust the browser’s built-in Developer Tools because the inspector can’t really tell what kind of redirect it is. You can scan your website with an online malware scanner or a server-side malware scanner to detect the malware.

The key is to inspect the source code of the WordPress page. For that you’ll have to view the source code without actually visiting the URL, since the actual URL will keep redirecting.

Type the URL in the following format into the browser’s address-bar replacing example.com with your website’s URL:

view-source:https://www.example.com

And now you can inspect it line by line. Feel free to copy / reformat / beautify the code to make it more legible. Given the right tools, this will help you identify the snippet which is causing the JavaScript redirect. You are looking for anything and everything that starts with a <script> tag.

After fixing so many websites and different kinds of redirects, here’s an example I remember:

<script src='https://setforspecialdomain.com/ghfgh34523452' type='text/javascript'></script>
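The line-by-line inspection described above can be scripted. This is an added example, not code from the original article: it parses a constructed page source without executing it and lists external scripts from hosts you have not allowlisted, plus inline scripts that set the location. The sample HTML, the trusted host, the hint list and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what view-source: might show on an infected page.
SAMPLE_SOURCE = """<html><head>
<script src='https://www.example.com/wp-includes/js/jquery/jquery.min.js'></script>
<script src="/wp-content/themes/demo/main.js"></script>
<script src='https://setforspecialdomain.com/ghfgh34523452' type='text/javascript'></script>
</head><body><script>document.title = "Hello";</script>
<script>window.location.href = "https://redirect.invalid/";</script>
</body></html>"""

REDIRECT_HINTS = ("location.href", "location.replace", "location.assign")


class ScriptCollector(HTMLParser):
    """Records every <script> element (src and inline body) without executing it."""

    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False


def scripts_to_review(source, trusted_hosts):
    """Return external scripts from unlisted hosts and inline scripts that set location."""
    parser = ScriptCollector()
    parser.feed(source)
    parser.close()
    findings = []
    for s in parser.scripts:
        host = urlparse(s["src"] or "").hostname
        if host and host not in trusted_hosts:
            findings.append(("external", s["src"]))
        elif not s["src"] and any(h in s["body"] for h in REDIRECT_HINTS):
            findings.append(("inline-redirect", s["body"].strip()))
    return findings
```

Everything returned is a candidate for manual review, not a verdict; add the CDN and analytics hosts you actually use to `trusted_hosts` to cut the noise.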

How to Clean JavaScript Redirect Infection — WordPress Redirect Malware Removal

The cleanup routine consists of:

  1. Finding the JavaScript snippet in the database.
  2. Replacing it (with nothing).
  3. Verifying the redirect is gone.
  4. Identifying the root cause.

Important Note: Prior to replacing anything, take a full backup of your website: WordPress files as well as the database.

Let’s start!

Step One: Finding the JavaScript snippet in the database

There are two steps in detecting the malicious JavaScript redirect code snippet:

  1. Run Database Scan: Start by scanning the database to find the malicious script. In most cases Malcure Malware Scanner will be able to find the malicious script. Don’t rely on this alone. You need to follow the second step too.
  2. Scan Page Source: You need to closely watch for all the script tags in the source code of the pages which are redirecting to other sites. You may also like to scan your site using the remote scanners Sucuri’s Sitecheck (https://sitecheck.sucuri.net/) and Malcure Webscan. Remote scanners detect malicious code and infected file locations by scanning external website source code and are a good choice when it comes to scanning sites for JavaScript redirects.

Once you have identified malicious code / malicious script, search for the same using phpMyAdmin. You will be able to find the infected tables by doing so.

Step Two: Replacing the malicious code (with nothing)

For the replacement part I trust a good code editor like VS Code. Export the database as an SQL file, open it in VS Code, do a find and replace, and save the file.

Go to phpMyAdmin, drop all the tables in the infected database, and import the cleaned-up file. If all went well, your site will be back. Voila!

If you are comfortable with WP CLI, follow the steps here: How to use WP CLI to Search & Replace in the Database
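The find-and-replace on the exported SQL file can also be scripted, which gives a per-table count of where the snippet was found. This is an added example, not code from the original article; the dump excerpt, table contents and function name are constructed assumptions. It also covers one caveat: WordPress stores some values as PHP-serialized strings with a length prefix (`s:92:"…"`), and deleting text inside them without updating the length corrupts the value, so those statements are reported and left untouched for WP-CLI's search-replace, which handles serialized data.

```python
import re
from collections import Counter

# Host of the snippet identified in the page source (the example quoted in the article).
SNIPPET_HOST = "setforspecialdomain.com"

# Constructed excerpt of a mysqldump export; quotes inside values are backslash-escaped.
SAMPLE_DUMP = r"""INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Hi</p><script src=\'https://setforspecialdomain.com/ghfgh34523452\' type=\'text/javascript\'></script>');
INSERT INTO `wp_options` VALUES (7,'blogname','My Site');
INSERT INTO `wp_options` VALUES (9,'widget_text','a:1:{s:4:\"text\";s:92:\"<script src=\'https://setforspecialdomain.com/ghfgh34523452\' type=\'text/javascript\'></script>\";}');
"""

TABLE_RE = re.compile(r"^INSERT INTO `([^`]+)`")
SERIALIZED_RE = re.compile(r's:\d+:\\?"')  # PHP serialized string marker, e.g. s:92:\"


def clean_dump(dump, host):
    """Strip <script src=...host...></script> from a SQL dump.

    Returns (cleaned_dump, hits_per_table, tables_left_for_manual_handling).
    Works per INSERT statement: a statement holding serialized data is not modified.
    """
    script_re = re.compile(
        r"<script\b[^>]*\bsrc=\\?['\"]https?://" + re.escape(host) + r"[^>]*>\s*</script>",
        re.IGNORECASE,
    )
    hits, skipped, out = Counter(), [], []
    for line in dump.splitlines(keepends=True):
        table = TABLE_RE.match(line)
        found = script_re.findall(line)
        if table and found:
            hits[table.group(1)] += len(found)
            if SERIALIZED_RE.search(line):
                # Removing text here would leave a stale length prefix.
                skipped.append(table.group(1))
            else:
                line = script_re.sub("", line)
        out.append(line)
    return "".join(out), hits, skipped
```

After importing the cleaned file, search the database again for the host; any table listed in the third return value still contains the snippet.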

Step Three: Verifying the WordPress Redirect Hack is gone

After cleaning the database, visit the WordPress admin area and clear the cache. This is very important: Clear the Cache! Now visit the front-end to make sure the site is not redirecting any more.

Visit the site via a private browsing window and reload multiple times to make sure there is no redirection. Also keep an eye on the Network tab in Developer Tools to review all the network requests.

Step Four: Identifying the root-cause

The most common cause of this infection is misuse of the “Database Search and Replace Script” or any other script that has write access to the database. These scripts must be positively removed after use and the website properly secured.

You also need to look elsewhere and see if there’s anything else left over and / or with access to the database. Revisit all the themes and plugins and check them for vulnerabilities against the WPScan Vulnerability Database. Delete all the inactive themes and plugins and remove plugins which are no longer actively maintained by the developer.

Next Steps: Once the site is clean, shuffle WordPress salt keys and follow these steps to secure your website.

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.