How To Remove Malicious Redirects From Your WordPress Website | Security Tips
WordPress is the most popular CMS in the world with almost 75 million sites depending on it. Unfortunately, its popularity makes it a prime target for hackers and malware. A malicious redirect is a bit of code inserted into a website with the intent of redirecting the site visitor to another website. Malicious redirects are typically inserted into a website by attackers with the intent of generating advertising impressions. However, some malicious redirections can have more damaging effects. A malicious redirect can exploit vulnerabilities in a site visitor’s computer through web-based scripts to install malware on unprotected machines. As such, it is critical to remove malicious redirects from your site.
The redirect might happen on some pages and not others. Or, it might happen before the site even loads.
A malicious redirect can be inserted anywhere on your site — site files or even in your database. Here are some of the malicious redirects often detected by our scans and some instructions on how to remove them.
- In Chrome, enter “view-source:” in front of the site’s URL (e.g., view-source:http://www.sitename.com) and search for “<script” within the file. You can look for what other code or text is close to the malicious script to determine which site file contains the malicious code.
Removing this redirect: To remove this redirect, there are a few options. Often, these redirects are inserted into every post on the site. Scripts can be removed by editing:
- within the content management system (e.g., via WordPress post editing)
- via a database tool like phpMyAdmin, which allows for editing more than one page/post at a time.
- via a downloaded text file locally and uploading the cleaned posts into the database using a SQL management tool. While fastest, this does require a level of technical expertise in working with SQL.
Malicious scripts can also be inserted into widgets.
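To decide which posts need editing, the check described above (searching for “<script”) can be run over an export of the posts. This is an added example, not code from the original article; the post rows, the `TRUSTED_HOSTS` allowlist and the `.example` hostnames are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed rows standing in for an export of wp_posts (ID, post_content).
POSTS = [
    (101, '<p>Welcome</p><script src="https://cdn.redirect.example/j.js"></script>'),
    (102, '<p>News</p><SCRIPT SRC="//cdn.redirect.example/j.js"></SCRIPT>'),
    (103, '<p>Map</p><script src="https://www.sitename.com/js/map.js"></script>'),
    (104, '<p>Old</p><script>window.location.href="http://ads.example/";</script>'),
    (105, '<p>Clean post that mentions the word script.</p>'),
]
TRUSTED_HOSTS = {"www.sitename.com"}  # assumption: hosts the owner loads scripts from


class ScriptFinder(HTMLParser):
    """Records each <script> tag as its external host or as "(inline script)"."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lower-cases tag and attribute names
            return
        src = dict(attrs).get("src")
        if not src:
            self.found.append("(inline script)")
            return
        host = urlparse(src).hostname  # None for same-site relative paths
        if host:
            self.found.append(host)


def scan_posts(posts, trusted=TRUSTED_HOSTS):
    """Return {finding: [post ids]} for every script not served from a trusted host."""
    report = defaultdict(list)
    for post_id, content in posts:
        finder = ScriptFinder()
        finder.feed(content)
        finder.close()
        for finding in finder.found:
            if finding not in trusted:
                report[finding].append(post_id)
    return dict(report)


if __name__ == "__main__":
    # The same host appearing in many posts is the "inserted into every post" pattern.
    for finding, ids in sorted(scan_posts(POSTS).items(), key=lambda kv: -len(kv[1])):
        print(f"{finding}: posts {ids}")
```

Inline scripts are reported for manual review rather than judged automatically, since legitimate embeds also use them.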
Redirects inserted into htaccess files.
An htaccess file is a file placed on your server that provides directives to the server before your site’s files are even accessed. For a WordPress site, for example, the htaccess file will tell the server to send requests to permalinks to the WordPress primary index.php file for handling. Other directives can be placed in an htaccess file, and it is a favorite location for attackers to place malicious redirects. Often, these types of redirects will redirect based on the type of browser or device, or by the site that referred the visitor to your site (most often, from one of the search engines). An htaccess redirect can look like this:
These redirects can be difficult to isolate and remove. Manipulating the htaccess file can cause the site to stop functioning altogether or create errors that do not make much sense, such as an internal server error. If you are unfamiliar with the directives within the htaccess file, it makes sense to get help.
Removing this redirect: Start by downloading your .htaccess file. Your cPanel file manager might not show you this “hidden” file, and sometimes downloading it to your computer’s hard drive might make it disappear even though you can see it in your FTP application. You will need to remove the redirection, leaving behind the code necessary for the operation of your site. This can be hosting provider dependent, as there are often entries within an htaccess file necessary for your site’s functionality.
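One way to review a downloaded .htaccess file before editing it, as an added example that is not from the original article: it flags every RewriteRule that sends visitors to a host other than your own, reports which request variables its conditions test, and comments the block out while leaving the WordPress rules intact. The sample file, `SITE_HOST` and the `redirect.example` target are constructed; only RewriteRule redirects are covered.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "www.sitename.com"  # assumption: the site's own hostname

# Constructed sample: the stock WordPress block followed by an injected rule set.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect.example/in.php [R=302,L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def review(text, site_host=SITE_HOST):
    """Return (findings, cleaned_text). Flagged lines are commented out, not deleted."""
    lines = text.splitlines()
    findings, pending = [], []  # pending: indexes of RewriteCond lines awaiting a rule
    for i, line in enumerate(lines):
        if COND.match(line):
            pending.append(i)
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        # Only an absolute URL has a hostname; "-" and "/index.php" yield None.
        host = urlparse(rule.group(1).strip('"')).hostname
        if host and host.lower() != site_host:
            tested = {v.upper() for j in pending
                      for v in re.findall(r"%\{(\w+)\}", COND.match(lines[j]).group(1))}
            findings.append({"lines": [j + 1 for j in pending + [i]],
                             "target": host, "conditions": sorted(tested)})
            for j in pending + [i]:
                lines[j] = "# REVIEW " + lines[j]
        pending = []  # conditions apply only to the rule that follows them
    return findings, "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, cleaned = review(SAMPLE)
    print(found)
    print(cleaned)
```

Keep the original file as a backup and upload the cleaned copy only after checking each flagged block, since some hosts add their own legitimate redirects.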
Some advertising networks are lenient in their standards for the advertising they accept into their network. The site may be completely free of malware, but an advertising network may be redirecting site visitors. Determining which advertising network may be the culprit can be a very difficult task as malicious advertising redirects can be served up sporadically and unpredictably.
Removing this redirect: If your site visitors are being maliciously redirected, you have exhausted all other options, and you have advertising networks placed on your site, removing those ad networks may solve the malicious redirection problem.
SIGNS YOU’VE BEEN HACKED
Following these tips for protecting your site will prevent most common hackers from getting into your site. However, if you find that a breach did occur, then you need to know how to recover your website. Here are some common ways hackers take control of WordPress websites.
- They redirect your site to another.
- There are unknown links installed on your landing pages.
- Visitors see advertisements in your header or footer that you did not authorize.
- A pop-up displays when visitors access your site.
The first step in taking back your website is to restore a backup. Many times, restoring a previous version will take care of the issue.
Your second-best course of action is to contact your web hosting company. They employ professionals specifically tasked with fighting off cybercriminals. Plus, if the breach occurred at the host, then they have a responsibility to help you restore your site.
Once you have regained control of your WordPress website, make sure you change all passwords, eliminate unknown users, and update all plugins.
If your site handles sensitive information, you might consider a website redesign that focuses on securing your information. A web designer can help you develop password-protected pages and add extra levels of security on the backend.
Article References https://www.wordfence.com