If you open the web-page, it will redirect in no time. You can’t really trust browser’s built-in Developer Tools because the inspector can’t really tell what kind of redirect it is.
The idea is to inspect the source-code of the WordPress page. For that you’ll have to view the source-code without actually visiting the URL.
Type the URL in the following format into the browser’s address-bar:
After fixing so many websites, here’s an example I remember:
The clean up routine consists of:
- Replacing it (with nothing).
- Verifying the redirect is gone.
- Identifying the root-cause
Important Note: Prior to replacing anything take a full backup of your website — WordPress files as well as database.
100% Guaranteed Removal • Detailed Cleanup Report with RCA (Root Cause Analysis)
- Run Database Scan: Start with scanning the database to find the malicious script. In most of the cases malCure’s WP Malware Scanner will be able to find the malicious script. Don’t rely of this alone. You need to follow second step too.
- Scan Page Source: You need to closely watch for all the script tags in source code of the pages which are redirecting to other sites. You may also like to scan your site using Sucuri’s Sitecheck (https://sitecheck.sucuri.net/).
Once you have identified malicious code / malicious script, search for the same using phpMyAdmin. You will be able to find the infected tables by doing so.
Step Two: Replacing the malicious code (with nothing)
For the replacement part I trust a good code editor like VS Code. Export the database as an sql file, open in VS Code, do a find and replace and save the file.
Go to phpMyAdmin and drop all the tables in the infected database and import the cleaned up file. If all went well, your site will be back. Voila!
If you are comfortable with WP CLI, follow the steps here: How to use WP CLI to Search & Replace in the Database
Step Three: Verifying the redirect is gone
After cleaning the database, visit WordPress admin area and clear the cache. Now visit the front-end to make sure the site is not redirecting any more.
Visit the site via private browsing window and re-load multiple times to make sure there is no redirection.
Step Four: Identifying the root-cause
The most common cause of this infection is misuse of the “Database Search and Replace Script” or any other script that has write access to the database. These scripts must be positively removed after use and the website properly secured.
You also need to look elsewhere too and see if there’s anything else leftover and / or has access to the database. Revisit all the themes and plugins and check them for vulnerability against WPScan Vulnerability Database. Delete all the inactive themes and plugins and remove plugins which are no longer actively maintained by the developer.