Is your WordPress site redirecting to suspicious websites? This guide walks you through identifying, removing, and preventing the WordPress redirect hack. You’ll restore your site’s security and keep visitors safe.
Key Takeaways
- Act quickly: Redirect hacks can damage your SEO and reputation. The faster you respond, the less harm is done.
- Scan your site first: Use trusted tools like Sucuri or Wordfence to detect malware before making changes.
- Check core files: Hackers often inject code into wp-config.php, .htaccess, or theme files—review them carefully.
- Update everything: Outdated themes, plugins, and WordPress versions are common entry points for hackers.
- Change all passwords: Reset admin, FTP, database, and hosting account passwords to lock out attackers.
- Backup before fixing: Always create a clean backup so you can restore your site if something goes wrong.
- Prevent future hacks: Use security plugins, enable two-factor authentication, and monitor file changes regularly.
Introduction: What Is a WordPress Redirect Hack?
If you’ve noticed your WordPress site suddenly sending visitors to spammy or unrelated websites—like adult content, phishing pages, or fake antivirus alerts—you’re likely dealing with a WordPress redirect hack. These malicious redirects often happen without warning and can seriously harm your site’s credibility, search rankings, and user trust.
In this guide, you’ll learn exactly how to fix a WordPress redirect hack step by step. We’ll cover detection, cleanup, recovery, and prevention—so you can get your site back online safely and securely. Whether you’re a beginner or an experienced WordPress user, these instructions are clear, practical, and designed to work even under pressure.
Step 1: Confirm the Redirect Is Real
Before jumping into fixes, make sure the issue isn’t just a browser glitch or local cache problem.
Test from Different Devices and Networks
Open your site on your phone (using mobile data, not Wi-Fi), ask a friend to visit it, or use a tool like Site24x7 to check from multiple locations. If only you see the redirect, clear your browser cache and disable extensions.
Check Google Search Results
Search for site:yourdomain.com in Google. If search results show strange URLs or descriptions, your site is likely compromised.
Step 2: Take Your Site Offline (Optional but Recommended)
To protect visitors and avoid further damage, consider putting up a maintenance page.
Use a Maintenance Mode Plugin
Install a plugin like “WP Maintenance Mode” and activate it. This shows a friendly message to visitors while you work behind the scenes.
Or Edit .htaccess Temporarily
Add these lines to your .htaccess file (found in your site’s root folder), and place a simple maintenance.html page next to it. Note that Apache drops the target of a RewriteRule when the R flag carries a non-3xx status such as 503, so the maintenance page has to be served through ErrorDocument, and the page itself must be excluded from the rule or it will trigger the 503 again:
# Serve maintenance.html as the body of every 503 response
ErrorDocument 503 /maintenance.html
RewriteEngine On
# Let your own IP through so you can keep working on the site
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000$
# Do not apply the rule to the maintenance page itself
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
# Answer everyone else with 503 (temporary), which search engines treat as a short outage
RewriteRule ^ - [R=503,L]
Replace 123.456.789.000 with your own public IP address (the value shown is only a placeholder; real octets never exceed 255) so you can still access the site.
Step 3: Scan Your Site for Malware
Use a reputable security scanner to locate infected files.
Free Online Scanners
Run your domain through Sucuri SiteCheck or VirusTotal. These tools check for known malware signatures and blacklisting status.
Install a Security Plugin
Log into your WordPress dashboard (if possible) and install Wordfence or Sucuri Security. Run a full scan. These plugins will highlight suspicious files, injected code, and backdoors.
Step 4: Check Critical Files for Malicious Code
Hackers often hide redirect scripts in key files. Manually inspect these:
Review .htaccess
Open your .htaccess file via FTP or your hosting file manager. Look for unfamiliar rewrite rules like:
RewriteRule ^.*$ http://malicious-site.com [R,L]
Delete any suspicious lines and restore the default WordPress rules if needed.
Inspect wp-config.php
This file should only contain core WordPress settings. If you see base64-encoded strings, eval() functions, or remote includes, delete them immediately.
Check Theme and Plugin Files
Look in /wp-content/themes/your-theme/ and /wp-content/plugins/ for files named oddly (e.g., wp-update.php) or containing obfuscated code. Pay special attention to functions.php in your active theme—it’s a common target.
Tip: Compare your theme files with a fresh copy from the official repository. If you’re using a custom theme, consider restoring from a clean backup.
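As an added example (not code from the original article), the following POSIX shell script turns the manual checks in this step into two reusable functions: one that lists PHP, JS and .htaccess files containing the obfuscation and redirect patterns described above, and one that lists files changed in the last few days. The site root and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): flag files under a WordPress
# install that contain the obfuscation and redirect patterns Step 4 describes.
# Assumes POSIX sh with GNU or BSD grep and find; all paths below are constructed.

# Print every PHP, JS and .htaccess file that contains a suspicious pattern.
# Legitimate plugins also call base64_decode() and set window.location, so
# every hit still needs a human look; this narrows the list, it does not convict.
scan_suspicious() {
  grep -rlE \
    -e 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(' \
    -e 'gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(' \
    -e 'header[[:space:]]*\([^)]*Location:' \
    -e 'window\.(top\.)?location|document\.location' \
    -e '<iframe|<script[^>]*src=' \
    -e 'RewriteRule[[:space:]].*https?://' \
    --include='*.php' --include='*.js' --include='.htaccess' "$1" 2>/dev/null | sort
}

# Files changed in the last N days (default 7): a fresh infection usually shows
# up here even when the injected code matches none of the patterns above.
recently_changed() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
    -mtime -"${2:-7}" | sort
}

# Constructed sample tree standing in for a site root (not real site data):
# one clean theme file, one theme file with an obfuscated payload, and an
# .htaccess that rewrites every request to an external host.
SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/wp-content/themes/mytheme"
printf '<?php add_action("init", "mytheme_setup");\n' \
  > "$SITE/wp-content/themes/mytheme/clean.php"
printf '<?php eval(base64_decode("aGVsbG8="));\n' \
  > "$SITE/wp-content/themes/mytheme/functions.php"
printf 'RewriteEngine On\nRewriteRule ^.*$ http://malicious-site.example [R,L]\n' \
  > "$SITE/.htaccess"

echo "== files with suspicious patterns =="; scan_suspicious "$SITE"
echo "== files changed in the last 7 days =="; recently_changed "$SITE"
# For core files, compare against the official release instead of pattern
# matching: `wp core verify-checksums` (WP-CLI) or `diff -rq clean/ site/`.
```

Run it against the real site root (scan_suspicious /path/to/site) and review each listed file by hand before deleting anything.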
Step 5: Clean or Replace Infected Files
Once you’ve identified malicious code, remove it—or better yet, replace the entire file.
Restore from Backup
If you have a recent clean backup (before the hack), restore your site using your hosting provider’s restore tool or a plugin like UpdraftPlus.
Reinstall WordPress Core
Go to Dashboard > Updates and click “Re-install Now.” This replaces core files without affecting your content.
Reinstall Themes and Plugins
Delete suspicious themes and plugins—even if they seem legitimate. Then reinstall them fresh from the WordPress directory. For example, if your theme was compromised, follow our guide on how to delete a theme in WordPress safely before reinstalling.
Need to update your theme after cleaning? Check out how to update a theme on WordPress to avoid reintroducing vulnerabilities.
Step 6: Change All Passwords
Assume the hacker still has access until you lock them out.
Reset WordPress Admin Password
Use the “Lost your password?” link on your login page, or reset it via phpMyAdmin in your database’s wp_users table.
Update FTP and Hosting Credentials
Log into your hosting control panel (cPanel, Plesk, etc.) and change your FTP and main account password.
Change Database Password
Update your MySQL database password and ensure wp-config.php reflects the new credentials.
Step 7: Update Everything
Outdated software is the #1 cause of WordPress hacks.
Upgrade WordPress
Ensure you’re running the latest version of WordPress.
Update Themes and Plugins
Go to Dashboard > Updates and update all themes and plugins. Remove any you no longer use—they’re unnecessary risks.
For guidance, see our article on how many plugins you should use to keep your site lean and secure.
Step 8: Harden Your WordPress Security
Prevent future attacks with these best practices:
Install a Security Plugin
Keep Wordfence or Sucuri active. Enable firewall protection and real-time malware scanning.
Enable Two-Factor Authentication (2FA)
Use plugins like Google Authenticator to add an extra login layer.
Limit Login Attempts
Plugins like Limit Login Attempts Reloaded block brute-force attacks.
Disable File Editing
Add this line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This prevents hackers from editing theme/plugin files via the dashboard.
Troubleshooting Common Issues
Problem: Site still redirects after cleanup.
Solution: Check your database. Run a search for suspicious URLs in wp_options and wp_posts tables using phpMyAdmin. Look for injected JavaScript or iframe tags.
Problem: Can’t access WordPress admin.
Solution: Rename the /wp-content/plugins/ folder via FTP to disable all plugins. If that works, reactivate them one by one to find the culprit.
Problem: Hosting provider suspended your site.
Solution: Contact support immediately. Most hosts will restore service once you prove the site is clean—provide scan results from Sucuri or Wordfence.
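As an added example (not code from the original article), the following POSIX shell script performs the database search from the first troubleshooting item offline: it reads a plain SQL export of wp_options and wp_posts and prints each injected script, iframe or location fragment with the dump line it sits on, so the row can then be found and cleaned in phpMyAdmin. The dump command, table contents and domains are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): search a SQL export of
# wp_options and wp_posts for injected <script>/<iframe>/location code.
# Assumes a plain-text dump made with, e.g. (hypothetical names):
#   mysqldump -u USER -p DBNAME wp_options wp_posts > db.sql

# HTML/JS fragments that have no business inside a normal option_value or
# post_content. Page builders store markup too, so review each hit by hand.
INJECT_RE='<script[^>]*src=|<iframe|window\.(top\.)?location|document\.location|setTimeout\([^)]*location'

# Print each hit as DUMPLINE:<up to 60 chars of context><fragment><context>.
# The INSERT statement on that dump line names the table and carries the
# row's id or option_name, which is what you look up in phpMyAdmin.
scan_db_dump() {
  grep -noE ".{0,60}($INJECT_RE).{0,60}" "$1"
}

# Constructed sample dump (not real site data): two clean rows, two injected.
DUMP=$(mktemp)
trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','<script src="https://bad.example/r.js"></script>','yes');
INSERT INTO `wp_posts` VALUES (12,'Hello world','<p>Welcome to my site.</p>');
INSERT INTO `wp_posts` VALUES (13,'About','<p>Hi</p><iframe src="https://bad.example/f" style="display:none"></iframe>');
EOF

scan_db_dump "$DUMP"
```

Widgets, theme options and post content are where redirect code usually lands, so the two hits above (a widget_text option and a post) are the typical shape of a real result.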
Conclusion
Fixing a WordPress redirect hack feels overwhelming—but by following these steps, you’ve taken control of your site’s security. Remember: prevention beats cleanup every time. Keep your software updated, use strong passwords, and monitor your site regularly. With the right habits, your WordPress site can stay safe, fast, and trustworthy for years to come.