One: The most common variant may or may not infect the WordPress files, so you’ll go in loops installing and reinstalling WordPress to no effect.
Two: Common malware scanners fail miserably at scanning the database.
And finally, there’s no way to figure out if a redirect is genuine or malicious.
If you open the web-page, it will redirect in no time. You can’t really trust the browser’s built-in Developer Tools because the inspector can’t really tell what kind of redirect it is. You can scan your website with an online malware scanner or a server-side malware scanner to detect the malware.
The key is to inspect the source-code of the WordPress page. For that you’ll have to view the source-code without actually visiting the URL since the actual URL will keep redirecting.
Type the URL in the following format into the browser’s address-bar, replacing example.com with your website’s URL:
After fixing so many websites and different kinds of redirects, here’s an example I remember:
The clean up routine consists of:
- Replacing the malicious code (with nothing).
- Verifying the redirect is gone.
- Identifying the root-cause.
Important Note: Prior to replacing anything, take a full backup of your website: WordPress files as well as the database.
- Run Database Scan: Start with scanning the database to find the malicious script. In most cases Malcure Malware Scanner will be able to find the malicious script. Don’t rely on this alone. You need to follow the second step too.
Once you have identified malicious code / malicious script, search for the same using phpMyAdmin. You will be able to find the infected tables by doing so.
Step Two: Replacing the malicious code (with nothing)
For the replacement part I trust a good code editor like VS Code. Export the database as an SQL file, open it in VS Code, do a find and replace, and save the file.
Go to phpMyAdmin and drop all the tables in the infected database and import the cleaned up file. If all went well, your site will be back. Voila!
If you are comfortable with WP CLI, follow the steps here: How to use WP CLI to Search & Replace in the Database
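As an added example (not part of the original article), this Python sketch scans an exported SQL dump for `<script>` tags loaded from a host other than the site's own, and flags hits that sit inside PHP-serialized values, where a plain find and replace would leave the stored string length wrong. The sample dump, the `evil.example` host and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an exported dump (not from a real site).
# evil.example is a placeholder host; example.com stands for the site itself.
SAMPLE_DUMP = r'''
INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Hi</p><script src=\'https://cdn.evil.example/j.js\'></script>');
INSERT INTO `wp_posts` VALUES (2,'About','<script src=\"https://example.com/wp-includes/js/a.js\"></script>');
INSERT INTO `wp_options` VALUES (7,'widget_text','a:1:{i:0;s:53:\"<script src=\'https://cdn.evil.example/j.js\'></script>\";}');
'''

TABLE_RE = re.compile(r"INSERT INTO `([^`]+)`")
# Quotes inside a dump are backslash-escaped, so allow an optional "\" before them.
SCRIPT_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*\\?['\"]([^'\"\\\s>]+)", re.I)
# A PHP-serialized string header (s:LEN:") directly in front of the tag.
SERIALIZED_RE = re.compile(r"s:\d+:\\?\"$")


def find_external_scripts(dump, site_host):
    """Return one finding per <script src> whose host is not the site's own."""
    findings = []
    for line in dump.splitlines():
        table = TABLE_RE.search(line)
        for m in SCRIPT_RE.finditer(line):
            host = (urlparse(m.group(1)).hostname or "").lower()
            if not host or host == site_host or host.endswith("." + site_host):
                continue  # relative or first-party script
            findings.append({
                "table": table.group(1) if table else "?",
                "host": host,
                # Editing inside serialized data changes the string length
                # and breaks unserialize(); such rows need a
                # serialization-aware tool instead of a text editor.
                "serialized": bool(SERIALIZED_RE.search(line[:m.start()])),
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_scripts(SAMPLE_DUMP, "example.com"):
        print(finding)
```

Rows reported with `serialized: True` are the ones to clean with WP CLI's search-replace, which handles serialized data, rather than in the editor.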
Step Three: Verifying the WordPress Redirect Hack is gone
After cleaning the database, visit the WordPress admin area and clear the cache. This is very important: Clear the Cache! Now visit the front-end to make sure the site is not redirecting any more.
Visit the site in a private browsing window and reload multiple times to make sure there is no redirection. Also keep an eye on the Network tab in Developer Tools to review all the network requests.
Step Four: Identifying the root-cause
The most common cause of this infection is misuse of the “Database Search and Replace Script” or any other script that has write access to the database. These scripts must be positively removed after use and the website properly secured.
You also need to look elsewhere and see if anything else is left over and / or has access to the database. Revisit all the themes and plugins and check them for vulnerabilities against the WPScan Vulnerability Database. Delete all the inactive themes and plugins and remove plugins which are no longer actively maintained by the developer.