WordPress is the most popular CMS in the world with almost 75 million sites depending on it. Unfortunately, it’s popularity makes it a prime target for hackers and malware. A malicious redirect is a bit of code inserted into a website with the intent of redirecting the site visitor to another website. Malicious redirects are typically inserted into a website by attackers with the intent of generating advertising impressions. However, some malicious redirections can have more damaging effects. A malicious redirect can exploit vulnerabilities in a site visitor’s computer through web-based scripts to install malware on unprotected machines. As such, it is critical to remove malicious redirects from your site.

The redirect might happen on some pages and not others. Or, it might happen before the site even loads.

A malicious redirect can be inserted anywhere on your site — site files or even in your database. Here are some of the malicious redirects often detected by our scans and some instructions on how to remove them.

Javascript insertions in your site’s files.

On WordPress sites, we see javascript entries placed in theme files. Typically we will find these within the theme’s header, often right above the tag. But they can be elsewhere in the site’s files.

  1. Determine which script is performing the malicious redirect. Not all javascript on your site is malicious, in fact, most of the javascript you will find on your site is a part of core functionality.
  2. In Chrome, enter “view-source:” in front of the site’s URL (e.g., view-source:http://www.sitename.com) and search for “<script” within the file. You can look for what other code or text is close to the malicious script to determine which site file contains the malicious code.
  3. If it is a theme file, you can use your site’s theme editor to remove the offending javascript. Or you can download your site via FTP or your cpanel file manager and upload the cleaned file back to your server.

Javascript inserted in pages or posts.

Often, attackers will run a script that inserts javascript into all of the posts/pages on your site. These redirects will not be found in site files, but rather in the site’s database. There may be more than one script inserted. It might be one one page, or it might be on all of them. These scripts may look like the same script above, but these redirects can often be obfuscated (intentionally obscured to make code ambiguous).

These javascript malicious redirects will look similar to the javascript examples above.

Removing this redirect: To remove this redirect, there are a few options. Often, these redirects are inserted into every post on the site. Scripts can be removed by editing:

  • within the content management system (e.g., via WordPress post editing)
  • via a database tool like PhpMyAdmin which allows for editing more than one page/post at a time.
  • via a downloaded text file locally and uploading the cleaned posts into the database using a SQL management tool. While fastest, this does require a level of technical expertise in working with SQL.

Javascript redirects inserted into widgets.

Malicious scripts can also be inserted into widgets.

Obfuscated javascript appended to javascript files.

An attacker can add a few lines of javascript to some or all of the javascript files within the site’s files. A search of site files looking for the URL to which that the site is redirecting might not find any results because this javascript is often obfuscated.

Removing this redirect: To remove this type of malicious redirect, download the entire site using an FTP program to your computer, and search for the offending javascript. If you have a development tool that allows you to scan all of the files on your site, you may find that this malicious redirect has been inserted in all of the javascript files on your site. Check for both .js and .json files, including core files, theme files, plugins, etc. Once you have cleaned all of the site files, upload the cleaned site back to the server.

Redirects inserted into htaccess files.

An htaccess file is a file placed on your server that provides directives to the server before your site’s files are even accessed. For a WordPress site, for example, the htaccess file will tell the server to send requests to permalinks to the WordPress primary index.php file for handling. Other directives can be placed in an htaccess file, and it is a favorite location for attackers to place malicious redirects. Often, these types of redirects will redirect based on the type of browser or device, or by the site that referred the visitor to your site (most often, from one of the search engines) A htaccess redirect can look like this:

These redirects can be difficult to isolate and remove. Manipulating the htaccess file can cause the site stop functioning altogether or create errors that do not make much sense such as an internal server error. If you are unfamiliar with the directives within the htaccess file, it makes sense to get help.

Removing this redirect: Start by downloading your .htaccess file. Your cpanel file manager might not show you this “hidden” file, and sometimes downloading it to your computer’s hard drive might make it disappear even though you can see it in your FTP application. You will need to remove the redirection, leaving behind the code necessary for the operation of your site. This can be hosting provider dependent, as there are often entries within an htaccess file necessary for your site’s functionality.

Ad networks

Some advertising networks are lenient in their standards for the advertising they accept into their network. The site may be completely free of malware, but an advertising network may be redirecting site visitors. Determining which advertising network may be the culprit can be a very difficult task as malicious advertising redirects can be served up sporadically and unpredictably.

Removing this redirect: If a site is maliciously redirecting your site visitors, if you have exhausted all other options and you have advertising networks placed on your site, removing those ad networks may solve the malicious redirection problem.

SIGNS YOU’VE BEEN HACKED

Following these tips for protecting your site will prevent most common hackers from getting into your site. However, if you find that a breach did occur, then you need to know how to recover your website. Here are some common ways hackers take control of WordPress websites.

  • They redirect your site to another.
  • There are unknown links installed on your landing pages.
  • Visitors see advertisements in your header or footer that you did not authorize.
  • A pop-up displays when visitors access your site.

The first step in taking back your website is to restore a backup.  Many times, restoring a previous version will take care of the issue.

Your second best course of action is to contact your web hosting company. They employ professionals specifically tasked with fighting off cybercriminals. Plus, if the breach occurred at the host, then they have a responsibility to help you restore your site.

Once you have regained control of your WordPress website, make sure you change all passwords, eliminate unknown users, and update all plugins.

If your site handles sensitive information, you might consider a website redesign that focuses on securing your information. A web designer can help you develop password-protected pages and add extra levels of security on the backend.

Article References https://www.wordfence.com