WordPress Redirect Hack: Why Your Site Sends Visitors to Spam

By · Updated · 6 min read

A redirect hack is malicious code planted on your site that sends your visitors somewhere else, usually a pharmacy store, a casino, a fake virus warning, or one of those "prove you're not a robot" pages that begs for notification permissions. The code hides in your WordPress database, your theme files, a fake plugin, or your .htaccess file. And it's almost always conditional, which is why the site looks perfectly normal every time you check it yourself.

I clean these up nearly every week, and the phone call usually starts the same way: "My customers say the site sends them to a casino, but when I open it, everything looks fine." Both things are true. That's the design.

This guide explains how the trick works, where the code actually lives, and how to get rid of it without breaking your site in the process.

Why can't I see the redirect on my own site?

Because the malware checked you out first and decided to leave you alone.

Modern redirect malware runs a little screening routine before it fires. Some versions only redirect mobile visitors. Some only trigger when the visitor arrives from a Google search, because a spam campaign wants search traffic, not direct traffic. Many fire once per IP address and then go quiet for that visitor for a day or more. Nearly all of them stay dormant for logged-in users, and the smarter ones keep a list of IP ranges belonging to security companies and hosting providers so scanners see a clean page too.

Think about how you check your own site. You open it directly, from your usual computer, on your usual connection, probably while logged in to WordPress. You fail every condition the malware is looking for. Your customer on a phone, tapping your listing in Google search results, passes all of them.

This is worth understanding before you call your developer a liar or dismiss the customer complaint as a virus on their end. When several people tell you the site "took them somewhere weird" and you can't reproduce it, believe them.

Where the redirect code hides

In the cleanups I do, the code turns up in a handful of usual places.

The database is the most common. Attackers inject a short piece of JavaScript into every post and page in wp_posts, or tuck it into wp_options inside a widget, a theme setting, or a rogue row with an innocent-looking name. The script itself is usually obfuscated, a wall of hex or base64 that decodes into a call to a remote domain, and that remote domain decides where each visitor gets sent. That indirection matters: the attacker can change the destination any time without touching your site again.

Theme files come next. header.php and functions.php are favorites because they run on every page load. I also find redirects in fake plugins with deliberately boring names, folders like wp-zzz or classic-editor-pro sitting in your plugins directory that you never installed. And .htaccess deserves special mention, since a few lines of rewrite rules there can redirect search traffic before WordPress even loads. If you've cleaned everything else and search visitors still bounce to spam, read that file line by line.

One site I cleaned last winter had the same injected script in all four places. Removing three of them just meant the fourth quietly kept working, which is why half-cleanups produce the "it came back after two days" story. It never left.

How to see the redirect for yourself

You want to look like a stranger, not like the owner. A few ways to do that:

  1. Open a private browsing window, search Google for your site, and click your own listing. Don't type the address directly; the referrer is often the trigger.
  2. Try it from your phone with wifi turned off, so you're on a different network and IP address.
  3. Test again from a second device or a friend's computer, since a once-per-IP payload has already spent itself on your first attempt.
  4. Run my free hacked-site checker, which looks at your site the way an outside scanner does.

If a redirect exists, one of those will usually flush it out. And if you catch it once, don't keep re-testing to make sure. You'll just teach yourself it's "intermittent." It isn't. It's conditional.

How I clean a redirect hack

Before touching anything, I take a full snapshot: files, database, and access logs. Evidence disappears fast once cleanup starts, and the logs are often the only way to learn how the attacker got in. My technical indicators checklist covers what I'm looking for in that evidence.

Then the actual removal. Every injected script has to come out of the database, which on a big site can mean cleaning thousands of posts. Theme files get compared against fresh copies. Unknown plugins get pulled entirely. .htaccess gets rebuilt from a known-good version rather than edited, because malicious rules love to hide near the bottom of a long file.

The step people skip is closing the door. The redirect is a payload, not the break-in itself. Somewhere there's an outdated plugin, a stolen password, or a leftover backdoor file that let the attacker in, and if it stays, so does your problem. Rotate every password (WordPress, hosting, database, FTP), update everything, and check for admin users you didn't create.

What about the damage already done?

Redirect hacks get noticed by more than your customers. Google Safe Browsing may slap a red warning on your site, antivirus vendors may add you to their blocklists, and your search rankings can sag while the spam is live. After a cleanup I check the site against the major blacklists with my free blacklist checker, and when something is flagged, I file the review requests. There's a walkthrough for the Google side in my article on removing the Safe Browsing warning, and if you'd rather have the whole delisting mess handled for you, that's my blacklist removal service.

Rankings recover. In most cases I see them settle back to normal within a few weeks of a genuine, complete cleanup. The sites that struggle are the ones that got half-cleaned three times first.

If you'd rather hand it off

Finding conditional malware is fiddly work, and it punishes guesswork. If the redirect keeps winning, or you just don't want to spend your weekend grepping theme files, my Bulletproof Cleaning package is $195, and I do the work personally: full snapshot, complete removal, entry-point closed, blacklist checks after. Either way, don't leave a redirect running. Every day it's live, it's spending your reputation with Google and with the customers who hit it.

Common questions

Why does my website redirect to another site?

Your site almost certainly has malicious code injected into its database, theme files, a fake plugin, or the .htaccess file. Attackers plant redirect scripts to steal your traffic and send it to pharmacy, casino, or scam pages. It is one of the most common WordPress infections, and it usually means something on the site was outdated or a password was stolen.

Why can't I see the redirect when I visit my own site?

The malware screens visitors before it fires. Most versions skip logged-in users, direct visits, repeat IP addresses, and known security-scanner networks, while targeting mobile visitors who arrive from Google search. As the owner, you fail all its trigger conditions. Test in a private window by clicking your own Google listing from a phone on cellular data.

Will reinstalling my theme fix a redirect hack?

Rarely by itself. Redirect code usually lives in several places at once: the database, theme files, fake plugins, and .htaccess. Replacing the theme removes one copy and leaves the others working, which is why the redirect seems to come back days later. A real fix removes every copy and closes the entry point the attacker used.

Does a redirect hack hurt my Google rankings?

Yes, while it is live. Google may flag the site in Safe Browsing, mark listings with a warning, or demote pages that redirect users to spam. The good news is that rankings generally recover within a few weeks of a complete cleanup and a passed review. Prolonged or repeated infections do more lasting damage than a single quickly-fixed one.

How much does it cost to fix a redirect hack?

My Bulletproof Cleaning package is $195 flat. That covers a full forensic snapshot, removal of the redirect code from files and database, closing the entry point, password rotation guidance, and blacklist checks afterward. A $19.95 Simple Inspection is available first if you want confirmation the site is actually infected before committing to a cleanup.