Introduction
A redirect hack is one of the clearest signs a WordPress site has been compromised. The main site may look normal to administrators while visitors, mobile users, or search crawlers get sent somewhere else entirely. Real recovery means finding the redirect logic and the access path that put it there.
Symptoms
- Visitors are redirected to spam, scam, or malware domains
- Redirects happen only for logged-out users, mobile devices, or search traffic
- The homepage may look normal while deep pages redirect elsewhere
- Unknown JavaScript, PHP snippets, or database changes appear in the site
- Security tools or search engines flag suspicious outbound redirects
Common Causes
- A vulnerable plugin or theme allowed code injection
- Attackers modified .htaccess, theme files, or database options
- Malicious JavaScript was injected into headers, footers, or widgets
- Stolen admin or hosting credentials enabled unauthorized changes
- A backdoor survives cleanup and restores the redirect after removal
Step-by-Step Fix
- Reproduce the redirect from an anonymous session, another device, or a curl request so you can confirm the affected URLs and conditions.
- Search themes, plugins, mu-plugins, .htaccess, and custom snippets for suspicious redirects or obfuscated code.
- Review database options, injected scripts, and site URL settings for unauthorized outbound destinations.
- Disable or replace the plugin or theme most likely tied to the compromise and rotate all related credentials.
- Replace WordPress core and compromised components with clean known-good versions instead of trying to patch one file blindly.
- Scan the uploads directory and other writable paths for backdoors that can restore the redirect later.
- Re-test as a logged-out visitor and through security scanners until the redirect behavior is completely gone.
- Submit a review request to any warning providers only after you are sure the malicious redirect path and persistence are removed.
- Add stronger plugin hygiene, file integrity checks, and admin monitoring so future redirect injections are caught earlier.
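The file-search and uploads-scan steps above can be scripted as a first triage pass. The following is an added example, not part of the original article: the rule names, the regexes, and the sample tree are assumptions constructed for illustration, and the patterns are heuristics that will miss some injections and flag some legitimate code.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions for this example, not a complete signature set).
RULES = {
    # Redirect to an external host, conditional on referrer or user agent.
    "htaccess-conditional-redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}.*\n"
        r"(?:\s*RewriteCond.*\n)*\s*RewriteRule\s+\S+\s+https?://", re.I),
    # Decoded-then-executed payloads, the usual shape of obfuscated PHP.
    "php-obfuscated-exec": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # Hard-coded off-site Location header.
    "php-offsite-redirect": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}
SCANNED = {".php", ".js", ".htaccess"}

def scan(root):
    """Return sorted (relative_path, rule) findings under a WordPress root."""
    root, findings = Path(root), set()
    for path in root.rglob("*"):
        kind = path.suffix.lower() or path.name.lower()
        if not path.is_file() or kind not in SCANNED:
            continue
        rel = path.relative_to(root).as_posix()
        # Uploads should hold media only; any PHP there needs review.
        if kind == ".php" and rel.startswith("wp-content/uploads/"):
            findings.add((rel, "php-in-uploads"))
        text = path.read_text(errors="replace")
        findings.update((rel, name) for name, rx in RULES.items() if rx.search(text))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: injected .htaccess, dropped PHP file, clean file."""
    root = Path(root)
    (root / "wp-content/uploads/2024").mkdir(parents=True)
    (root / "wp-content/themes/clean").mkdir(parents=True)
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|bing) [NC]\n"
        "RewriteRule ^(.*)$ https://redirect.example.invalid/ [R=302,L]\n")
    (root / "wp-content/uploads/2024/cache.php").write_text("<?php eval(base64_decode('PLACEHOLDER')); ?>\n")
    (root / "wp-content/themes/clean/functions.php").write_text("<?php add_action('init', 'clean_setup');\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan(build_sample(tmp)))
```

Run scan() against a copy of the site's document root; every finding is a lead for manual review against a clean copy of the same file, not proof of compromise.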