If your WordPress website is redirecting visitors to spam websites, gambling pages, or malicious downloads — your site is likely infected with a WordPress redirect hack.
This type of malware is one of the most common and dangerous WordPress infections. If your site is infected, follow our complete guide on how to remove malware from WordPress step-by-step.
In this guide, you’ll learn:
- What a WordPress redirect hack is
- How hackers inject redirect malware
- Step-by-step instructions to fix it
- How to prevent it permanently
What Is a WordPress Redirect Hack?
A WordPress redirect hack occurs when malicious code is injected into your website, forcing visitors to be redirected to third-party spam or harmful websites.
Redirects may:
- Only affect mobile users
- Trigger only from Google search results
- Occur randomly
- Redirect to pharma, casino, or scam sites
These attacks damage SEO rankings and trust immediately.
Signs Your Site Has a Redirect Hack
Look for these symptoms:
- Website redirects only from search engines
- Mobile users see different content
- Strange code inside .htaccess
- Unknown JavaScript in header/footer
- New admin users
- Hosting security alerts
If you see any of these, your site may be compromised.
How to Fix WordPress Redirect Hack (Step-by-Step)

Step 1: Put Site in Maintenance Mode
Prevent visitors from landing on malicious redirects while you clean the site.
Step 2: Backup Everything
Download:
- All WordPress files
- Full database
Never clean without a backup.
Step 3: Scan for Malware
Use security plugins to detect infected files.
However, automated tools often miss hidden backdoors.
Step 4: Check .htaccess File
Redirect hacks often inject code like:
RewriteCond %{HTTP_REFERER}
RewriteRule ^(.*)$ http://spam-site.com [R=302,L]
Restore the default WordPress .htaccess rules.
Step 5: Inspect Theme Files
Check:
- header.php
- functions.php
- footer.php
Remove suspicious base64 or obfuscated code.
Step 6: Clean Database Redirect Scripts
Search the database for:
- <script> tags
- Encoded JavaScript
- Suspicious external URLs
Remove malicious entries carefully.
Step 7: Remove Backdoors
Common backdoor locations:
- /wp-content/uploads/
- /wp-includes/
- /wp-content/plugins/
Backdoors allow hackers to reinfect your site.
Step 8: Update & Harden Security
After cleaning:
- Update WordPress core
- Update themes/plugins
- Install a firewall
- Limit login attempts
- Change all passwords
Security hardening prevents reinfection.
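The checks from Steps 4, 5 and 7 can be scripted as a read-only scanner run against a copy of the site files. The Python below is an added example, not part of the original guide. The function names, regex patterns and file extensions are assumptions, and a hit means "review this file", not "confirmed malware".

```python
import re
from pathlib import Path

# Heuristics only (assumptions, tune per site): off-site rewrite targets,
# conditions keyed on referrer/user agent, and common PHP obfuscation wrappers.
EXTERNAL_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I)
CLOAK_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
OBFUSCATED = re.compile(
    r"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

# Constructed sample: the two injected lines from Step 4 inside otherwise normal rules.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER}
RewriteRule ^(.*)$ http://spam-site.com [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def scan_htaccess(text):
    """Return (line_no, reason) for rewrite rules that send visitors off-site."""
    hits, cloaked = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if CLOAK_COND.match(line):
            cloaked = True   # a RewriteCond applies to the next RewriteRule
        elif EXTERNAL_RULE.match(line):
            why = "external redirect" + (" gated on referrer/user agent" if cloaked else "")
            hits.append((no, why))
            cloaked = False
        elif re.match(r"^\s*RewriteRule\b", line, re.I):
            cloaked = False  # internal rule consumed the pending condition
    return hits

def scan_site(root):
    """Walk a WordPress tree and return (relative_path, reason) items to review."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess":
            text = path.read_text(errors="replace")
            findings += [(rel, f"line {n}: {why}") for n, why in scan_htaccess(text)]
        elif path.suffix.lower() in PHP_EXT:
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file in uploads"))
            if OBFUSCATED.search(path.read_text(errors="replace")):
                findings.append((rel, "obfuscated eval"))
    return findings
```

Calling `scan_site("/path/to/site-copy")` returns the list of findings; a clean result does not rule out database-level injections, which Step 6 covers.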
Why Redirect Hacks Keep Coming Back
If you only remove visible redirects but leave:
- Backdoor scripts
- Compromised hosting
- Weak passwords
- Vulnerable plugins
the infection will return. Professional manual cleanup ensures a permanent fix.
When to Hire a Professional WordPress Malware Removal Service
If:
- Redirect keeps returning
- Google flagged your site
- You cannot find infected files
- Your business depends on uptime
You should get expert help. If you want to see how we cleaned a real hacked website suffering from malicious redirects, read our detailed WordPress malware removal case study.
How to Prevent Future Redirect Hacks
✅ Use Web Application Firewall
✅ Keep WordPress Updated
✅ Remove unused plugins
✅ Disable file editing in dashboard
✅ Use strong hosting security
✅ Enable 2FA login
Security is ongoing, not one-time.
FAQs
Why is my WordPress site redirecting only on mobile?
Mobile-only redirect malware is common. Hackers use conditional scripts to avoid detection.
Will redirect hack affect SEO?
Yes. Google may penalize or blacklist your site.
Can I fix redirect hack myself?
Possible for simple cases, but advanced infections require manual expertise.
How long does it take to fix?
Most sites are cleaned within 4–6 hours.
Final Thoughts
A WordPress redirect hack is serious and should be fixed immediately. Removing visible redirects is not enough — full malware cleanup and security hardening are essential.