How to Remove Malicious Redirects from a WordPress Site

remove malicious redirects in wp

Malicious redirects can be a nightmare, causing significant damage to your site’s reputation, SEO ranking, and user experience. WordPress, as one of the most popular content management systems, is not immune to such attacks.

In this article, I’ll guide you through identifying and removing malicious redirects from your WordPress website to ensure your site stays secure and user-friendly.

What are Malicious Redirects?

Malicious redirects occur when a website sends visitors to a different, often harmful, destination without their consent. These redirects can take your visitors to spammy, phishing, or malware-infected websites.

Hackers use them to manipulate search engine rankings or exploit your website’s traffic.

How are They Harmful?

Malicious redirects are harmful for several reasons:

  • User Experience: They disrupt the user experience on your website, leading to frustrated visitors who may never return.
  • SEO Impact: Google and other search engines penalize websites with malicious redirects, causing a drop in rankings and organic traffic.
  • Reputation Damage: Visitors may associate your website with a malicious destination, damaging your brand’s reputation.

How to Identify Malicious Redirects?

The first step in dealing with malicious redirects is to identify them. Here are some common signs that your WordPress site might have been compromised:

1. Using Google Search Console

Google Search Console can help identify issues with your website. Look for “Security Issues” under the “Security & Manual Actions” tab. Google will notify you if it detects any malicious content or redirects.

Google Search Console Security

2. Manual Checks

Manually check your website by clicking on links, especially those in user-generated content like comments or forms. Pay attention to the address bar and any unexpected redirects.

3. WordPress Security Plugins

Utilize WordPress security plugins like Wordfence Security. They offer scanning features to detect and alert you about malicious redirects and other security threats.

Wordfence plugin scan

Removing Malicious Redirects

1. Back Up your Website

To back up your website using WP Staging, access the plugin from your WordPress dashboard, create a staging site, and then utilize its built-in functionality or other backup plugins to secure your website’s data.

Staging sites ensure that your backup replicates your live site, providing a reliable snapshot of your content and configurations for safekeeping.

2. Update Everything

The recommended strategy for addressing redirection malware involves updating your WordPress components. Initiate a WordPress update initially, and subsequently, ensure all your website’s plugins and your current theme are up to date.

After adhering to the aforementioned steps, the redirection malware should cease to appear on your website.

At this juncture, conducting another scan of your website is recommended to verify that the issue has been successfully resolved.

Wordfence plugin scan

3. Scan For Malware

I used the Wordfence Security plugin to scan my website for malware, and upon detection of any malicious code, I followed the plugin’s instructions to swiftly remove the threats, ensuring my website remained safe and free from potential security risks.

Wordfence plugin found virus file

Here, you see the file has malicious code in it. Then click the “Repair All Repairable Files” option.

Wordfence plugin repair virus file

Now, your WordPress site is safe and clean with no malicious files.

Wordfence plugin scan

4. Manually Remove WordPress Malicious Redirects Via wp-config.php

We strongly advise against attempting this route unless you possess advanced expertise in WordPress. If you are a novice, it is advisable to either utilize a plugin or enlist the assistance of a professional to address the malware issue effectively.

Nonetheless, if you remain determined to rectify the malware problem manually, here is a compilation of potential locations where the malware might be situated.

To begin with, meticulously inspect your wp-config.php file. If you find any signs of redirection code, then delete it. A recommended approach involves comparing each file with its counterpart in a fresh WordPress installation.

fix malicious redirects via wp_config file

5. Manually Remove WordPress Malicious Redirects Via .htaccess

Meticulously inspect your .htaccess File. If you find any signs of redirection code, then delete it. A recommended approach involves comparing each file with its counterpart in a fresh WordPress installation.

fix malicious redirects via .htaccess file

If you identify any suspicious code that appears out of place, it’s imperative to eliminate it from the file. However, exercise extreme caution to avoid inadvertently removing essential code from the file. This underscores the necessity for advanced expertise when undertaking this procedure.

6. Detecting Redirection Malware in Your Database File

Next, investigate the presence of redirection malware code within your database file. To accomplish this, you should first create a database backup using PHPMyAdmin. Go to the export option, then click on it.

detecting malicious redirects in wp database

A New Window opens, then click the export option.

Export Database Button

Then, proceed to open the download database file using a code editor. Following that, duplicate the URL to which your website redirects your users. Subsequently, utilize the search function within your code editor to locate this specific URL.

Edit Export Database file to found virus

Should you locate it, you can effortlessly remove the link or substitute it with your website’s address.

Then you save the file and reupload it to your “PHPMyAdmin.” But first, you need to delete the existing database.

  1. Open “PHPMyAdmin,” select your database, copy the name of the database, and then go to the operations menu, click on it, then find the “Drop the database(DROP)” option and click on it. Now, the Malicious Database has been deleted.
Drop Database
  1. Next, Create a new Database, paste the copy name of the previous database, and click the Create button. The database is created.
Create Database
  1. Now, the database is created, but it’s empty. Now we need to import our database into it.
Import Database
  1. Once you click the import menu, the new window opens, and then choose the malware-free database. If the database is selected, scroll down and click the import button.
Choose database to upload

Now you successfully upload your database.

Database import Completed

Preventing Future Redirects

1. Keep WordPress and Plugins Updated

Regularly update your WordPress core, themes, and plugins to patch vulnerabilities.

2. Use Strong Passwords

Employ strong, unique passwords and consider using a password manager.

3. Limit Login Attempts

Install a plugin that limits the number of login attempts to prevent brute-force attacks.

4. Install a WordPress Security Plugin

Use a reputable security plugin to monitor and protect your website continuously.

5. Monitor your Website Regularly

Stay vigilant by monitoring your website’s performance and security regularly.



Malicious redirects can wreak havoc on your WordPress website, but you can protect your site and its visitors with vigilance and proactive measures. Regularly monitoring, updating, and educating yourself about security threats will help you maintain a safe and secure WordPress website.

Additionally, remember the importance of daily backups using reliable tools like the WP Staging plugin to ensure quick recovery in case of unexpected security incidents.