WordPress Redirect Hack Fix

Published on: October 22nd, 2018

Artisan Web Security, WordPress

Over the last few years I have seen more and more WordPress website hacks; the most common is the redirect hack. This simple yet costly hack redirects your website's posts or pages to spammy content, ads etc., or in most cases pornography websites. You might ask, then, why would you use WordPress if it is so easily hacked? The answer is simple: a poorly constructed WordPress website with multiple plugins and a free or pre-bought theme generally causes the issues, not the WordPress platform.

I was recently asked by an IT company that I know to help out one of their clients who had fallen victim to such a hack. Ordinarily I wouldn’t even bother looking at this as it can take some time to fix, but it became somewhat of a challenge for me to sit down and figure this problem out. The first thing you do in this instance is look at your website's source code, as well as your header.php and footer.php, for any malicious script.

The scripts are easy to spot as they are usually not very clean compared to the rest of the code, and will look a little different in that they will be some form of JavaScript. The next thing I did was to install a free scanner tool to find any code that simply shouldn’t be there. There were several .php files that were not part of the WordPress or theme framework, and these were easily identifiable.

At this point I was pretty pleased with myself; the site stopped redirecting right away on desktop, but then I realised it was still redirecting on mobile. What had I missed? After an hour of searching around I gave up and went to bed. Lying there, I couldn’t get this out of my head, when a light bulb moment struck me: how was I that stupid? Of course there was going to be more script somewhere that you wouldn’t think to look.

The most obvious place to search for redirect script is in the WordPress posts, as these tend to allow comments, most notably spammy comments. A quick switch into text mode and, lo and behold, there it was. I can’t show the code as it’s an active iframe and would only redirect this post to a spammy link.

One might say at this point the site was riddled: 261 posts, all with the same iframe redirect code on the page. This was the root of the problem that was causing the redirects: a simple little iframe.
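The check described above, as an added example that is not part of the original post: it parses each post body, flags any iframe or script that loads from a host other than the site itself or a small allowlist, and groups the hits so that one snippet repeated across many posts stands out. The post rows, the `blog.example` and `redirect.example` hosts and the allowlist are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site owner embeds on purpose; anything else is flagged.
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}

class EmbedFinder(HTMLParser):
    """Collects (tag, src) for every <iframe> and <script> in a post body."""
    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ("iframe", "script"):
            self.embeds.append((tag, dict(attrs).get("src") or ""))

def suspicious_embeds(post_content, site_host):
    """Return embeds that do not load from the site or an allowed host."""
    finder = EmbedFinder()
    finder.feed(post_content)
    flagged = []
    for tag, src in finder.embeds:
        parsed = urlparse(src)
        if src and not parsed.scheme and not parsed.netloc:
            continue  # relative URL, served by the site itself
        host = (parsed.hostname or "").lower()
        if host == site_host or host in ALLOWED_HOSTS:
            continue
        flagged.append((tag, src or "(inline)"))  # no src: inline script or srcdoc
    return flagged

def find_injected(posts, site_host):
    """Map each flagged embed to the IDs of the posts that contain it."""
    hits = defaultdict(list)
    for post_id, content in posts:
        for embed in suspicious_embeds(content, site_host):
            hits[embed].append(post_id)
    return dict(hits)

# Constructed sample rows standing in for (ID, post_content) from the posts table.
SAMPLE_POSTS = [
    (101, '<p>Hi</p><iframe src="https://redirect.example/go" width="1"></iframe>'),
    (102, '<p>Video</p><iframe src="https://www.youtube.com/embed/abc"></iframe>'),
    (103, '<IFRAME SRC="https://redirect.example/go" style="display:none"></IFRAME>'),
    (104, '<script src="/wp-includes/js/jquery.js"></script><p>Clean</p>'),
]

if __name__ == "__main__":
    for (tag, src), ids in find_injected(SAMPLE_POSTS, "blog.example").items():
        print(f"{tag} {src}: {len(ids)} posts -> {ids}")
```
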

261 modified posts later, the issue was resolved and the site was hack free. But of course that was just the beginning: what caused the hack in the first place? It is hard to tell, but in this case the site was running a total of 15 free-to-use plugins, the WordPress version had not been updated in 4 years, and the site's passwords were the weakest I have ever seen, not to mention the database password being “rhubarb”, also the weakest I have ever seen for a database. There were multiple users, only one of whom updated the site.

So we removed all users bar the main one and created more secure random string passwords for both. What is a random string password? Simply put, it is this: &HUGJ%$@££2434bsdgijwsg. A complete set of random numbers, letters and symbols, almost impossible to break. If you go to howsecureismypassword.net it says it will take 19 septillion years to break; rhubarb, on the other hand, it says can be hacked instantly.

What are the lessons here?

  1. Don’t use free plugins or website themes
  2. Also avoid pre-bought themes; the best build is a custom build from scratch.
  3. Limit the users on your site when possible, but also use the WordPress password generator for a more secure password.
  4. Use dedicated VS hosting as opposed to shared platforms.
  5. Hire a professional if possible.
  6. Install SSL encryption
  7. Keep your WordPress version as up to date as possible
  8. If it’s too good to be true it usually is.

If you are having similar issues and want Artisan Web to have a look at your hacked website you can e-mail hello@artisanweb.co.uk or call us on 028 9002 0330.

N.B. No two hacks are the same and the above example is just one of the hacks we have encountered over the last 18 months.