Visitors click your Google listing but land on a casino, adult, or scam page? We manually hunt and remove the conditional redirect scripts hidden in your .htaccess, database, theme files, and fake plugins — then close every backdoor so it can’t come back.
Last updated: June 2026 · Reviewed by the FixHackedWordPress malware response team
Fix-First, Pay-Later Guarantee
We clean the redirect first. If we can’t secure your site, you pay nothing.
Quick Answer
A WordPress redirect hack is a malware infection that injects conditional code into your files or database so visitors are forcibly sent to spam, scam, or affiliate sites — usually only under specific conditions (mobile users, visitors arriving from Google, or first-time visitors) so the site owner rarely sees it. Fixing it means finding and removing every injected script and the hidden backdoors that re-add it, not just restoring a backup.
Removal at FixHackedWordPress includes manual cleanup of .htaccess, the wp_options and wp_posts tables, theme and core files, backdoor and rogue-admin removal, root-cause patching, and Google blacklist clearance. Restoring a clean backup alone almost always leads to reinfection within days.
4–12 hrs: Typical turnaround · Manual: Line-by-line, not just a scanner · Backdoors: Removed so it stays gone · $0: If we can’t fix it
Diagnose It First
Redirect malware behaves differently depending on where it’s hiding. Match what you’re seeing to the most likely location — this is exactly how our team narrows the hunt on day one.
| What you’re seeing | What it usually means | Where it tends to hide |
|---|---|---|
| Redirect only on mobile | Code is checking the User-Agent and cloaking from desktop/admins | .htaccess rewrite rules or injected header script |
| Redirect only from Google clicks | Code is checking the HTTP referrer to dodge direct visits | .htaccess or theme functions.php |
| Whole site / homepage redirects | Your site address has been overwritten in the database | siteurl / home in wp_options |
| Only posts/products redirect | Malicious scripts injected into stored content | wp_posts / widget & theme-option records |
| Fake CAPTCHA / “click Allow” | Browser-permission hijack for push-notification spam | Obfuscated JS in header/footer or a rogue plugin |
| Cleaned it, but it came back | A backdoor or hidden admin is re-injecting the payload | uploads folder, mu-plugins, hidden admin user |
Not sure which one you have? That’s normal — redirect malware is built to hide. Send us your URL and we’ll identify the variant for you.
Threat Intelligence
Most “redirect hacks” trace back to a handful of well-documented operations. Knowing which one you’re dealing with tells us where the backdoors are hidden and how it reinfects.
Documented by GoDaddy security researchers, this operation has run since 2016 and has compromised 20,000+ WordPress sites, generating roughly 10 million scam impressions per month. It reinjects itself on every page load, spreads PHP across all active plugins, quietly installs a hidden WPCode plugin, and creates rogue admin users with random 32-character names — which is why DIY cleanups almost always reinfect.
Active since 2017 and tied to an estimated 1 million infections, Balada injects redirect scripts into header.php and .htaccess, frequently exploiting known theme/plugin flaws (such as tagDiv Composer and the Newspaper theme). It seeds multiple backdoors so a single missed file restores the whole infection.
Visitors are pushed to a convincing “Update your browser” or fake Chrome/Flash prompt that delivers malware. These rely on heavily obfuscated JavaScript injected into legitimate-looking script files, designed to slip past signature-based scanners.
Many campaigns funnel hijacked traffic through a Traffic Direction System that profiles each visitor by device, location, and referrer before choosing where to send them. That filtering is exactly why your site “looks fine” to you but redirects real visitors — and why a quick browser test isn’t enough to confirm a clean site.
The payload inspects the HTTP_USER_AGENT and only hijacks iPhone/Android users. Desktop visitors and logged-in admins see the normal site, so owners often don’t believe they’re infected until customers complain.
A counterfeit Cloudflare or reCAPTCHA screen asks the visitor to “click Allow to verify you’re human,” granting browser-notification permission that then floods their device with spam — damaging your brand long after they leave.
Sources: published threat research from GoDaddy, Sucuri, Wordfence, and Patchstack. We track indicators of compromise from these campaigns so removal targets the real infection, not just the visible symptom.
Automated plugins fail because they scan the obvious files. Redirect malware buries conditional logic deep in your stack and leaves backdoors so it can rebuild. Here’s every place we manually inspect.
Apache RewriteCond rules intercept traffic before WordPress even loads, often targeting visitors whose HTTP_REFERER is Google — hijacking the session at the server level.
Attackers overwrite siteurl and home in wp_options, or hide base64-encoded scripts inside widget options, theme settings, and wp_posts content.
Malicious window.location scripts, obfuscated with eval, base64_decode, or String.fromCharCode, are slipped into header.php, footer.php, or files disguised as jQuery.
Rogue plugins (and abused tools like WPCode) hidden from the plugin list, plus must-use plugins in wp-content/mu-plugins that load silently on every request.
PHP web shells dropped into wp-content/uploads and other write-heavy folders — the persistence layer that reinstates the redirect after a naive cleanup.
Hidden administrator users (sometimes with random 32-character names) let attackers walk back in and re-infect. We audit every account directly in the database.
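A triage pass over the file-system locations listed above, as an added example (not FixHackedWordPress tooling): it flags .htaccess redirects gated on referrer or User-Agent, PHP under uploads, anything in mu-plugins, and the obfuscation primitives named above. The regexes, reason strings, and sample tree are constructed assumptions, and each hit is a lead for manual review rather than a verdict.

```python
import re, tempfile
from pathlib import Path
# Triage heuristics (assumed patterns); every hit is a lead for manual review.
COND = re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
EXT_RULE = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)
OBFUSCATION = re.compile(r"eval\s*\(|base64_decode\s*\(|String\.fromCharCode", re.I)

def scan_htaccess(text):
    """Line numbers of external redirects gated on referer or User-Agent."""
    hits, gated = [], False
    for n, s in enumerate(map(str.strip, text.splitlines()), 1):
        if COND.match(s):
            gated = True
        elif s.lower().startswith("rewriterule"):
            if gated and EXT_RULE.match(s):
                hits.append(n)
            gated = False  # conditions apply only to the next RewriteRule
    return hits

def scan_tree(root):
    """Return sorted (relative path, reason) pairs for a WordPress root."""
    findings = []
    for p in (f for f in Path(root).rglob("*") if f.is_file()):
        rel, text = p.relative_to(root).as_posix(), p.read_text(errors="replace")
        if p.name == ".htaccess":
            findings += [(rel, f"conditional redirect, line {n}") for n in scan_htaccess(text)]
        if rel.startswith("wp-content/uploads/") and p.suffix.lower() == ".php":
            findings.append((rel, "PHP file in uploads"))
        if rel.startswith("wp-content/mu-plugins/"):
            findings.append((rel, "must-use plugin, confirm it is expected"))
        if p.suffix in (".php", ".js") and OBFUSCATION.search(text):
            findings.append((rel, "obfuscation primitive"))
    return sorted(findings)

def build_sample(root):
    files = {  # constructed sample tree, not taken from any real site
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\\. [NC]\n"
                     "RewriteRule ^(.*)$ https://redirect.example/ [R=302,L]\n",
        "wp-content/uploads/2026/06/cache.php": "<?php // constructed\n",
        "wp-content/mu-plugins/loader.php": "<?php // constructed\n",
        "wp-content/themes/demo/header.php": "<?php eval(base64_decode($x)); ?>\n",
    }
    for rel, body in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(*scan_tree(d), sep="\n")
```

Legitimate code also calls eval and base64_decode, so the obfuscation rule narrows where to read rather than deciding what is malicious.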
Simple Pricing
No tiers, no upsells. One price to remove the redirect malware and secure your site.
$75 flat, to start
Complete redirect removal and hardening — one site.
Fix-first, pay-later · you only pay once it’s clean
Make Sure It’s Actually a Redirect Hack
These get confused constantly. A redirect hack reroutes live visitors. The infections below leave your URLs working but poison what’s indexed or shown. If your symptom matches a row better, that page is the right fix.
| Infection | Tell-tale symptom | Get the right fix |
|---|---|---|
| Redirect malware | Visitors are forcibly sent to another site | You’re on the right page |
| Japanese SEO spam | Hundreds of Japanese/keyword pages indexed under your domain | Japanese SEO spam removal |
| Pharma hack | Viagra/Cialis titles & meta in your search listings | Pharma hack removal |
| Google blacklist / warning | “Deceptive site ahead” red screen or Search Console flag | Blacklist removal |
| Not sure | Mixed or intermittent symptoms | Free infection check |
Redirect hacks and SEO-spam infections often co-occur from the same break-in — if you have one, it’s worth checking for the others. We scan for all of them during cleanup.
Methodology
Restoring a backup won’t save you. You have to eradicate the hidden backdoors, or the attackers reactivate the redirect tomorrow. Here’s how we make it permanent.
We reproduce the redirect across mobile, referrer, and incognito conditions to confirm the variant, map the full infection, and locate dormant PHP shells in obscure folders.
We strip obfuscated JavaScript from theme files, sanitize the database with targeted SQL, and restore wp-config.php, .htaccess, and core files to clean defaults — without breaking your content.
We find the exact “patient zero” vulnerability, remove rogue admins and backdoors, enforce file permissions, rotate keys, and lock down login — so the same hole can’t be reused.
If Google flagged you or your host suspended the account, we submit the security-review requests to Google Safe Browsing and your host to get traffic flowing again.
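The database checks from the cleanup steps above (overwritten siteurl/home, script tags in stored content, rogue administrators), as an added example rather than the team's own SQL. It assumes the default wp_ table prefix and uses an in-memory SQLite stand-in with constructed rows so it runs offline; on a live site the same SELECT statements would run against the site's own database.

```python
import re, sqlite3
from urllib.parse import urlparse

def audit(db, expected_host):
    """Flag overwritten site URLs, script tags in posts, and odd administrators."""
    findings = []
    for name, value in db.execute(
            "SELECT option_name, option_value FROM wp_options "
            "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name"):
        if urlparse(value).hostname != expected_host:
            findings.append(f"{name} points to {value}")
    for (post_id,) in db.execute(
            "SELECT ID FROM wp_posts WHERE post_content LIKE '%<script%' ORDER BY ID"):
        findings.append(f"post {post_id} contains a script tag")
    admins = db.execute(
        "SELECT u.user_login FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%administrator%' ORDER BY u.ID")
    for (login,) in admins:
        # Assumption: "random 32-character names" means 32 letters/digits.
        if re.fullmatch(r"[A-Za-z0-9]{32}", login):
            findings.append(f"administrator with random-looking login {login}")
    return findings

def build_sample():
    """In-memory stand-in with constructed rows (not from a real site)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_content TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options VALUES ('home', 'https://shop.example'),
                                      ('siteurl', 'https://redirect.example');
        INSERT INTO wp_posts VALUES (10, '<p>Hello</p>'),
                                    (11, '<script src="//cdn.example/x.js"></script>');
        INSERT INTO wp_users VALUES (1, 'owner'), (2, 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6');
        INSERT INTO wp_usermeta VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db

if __name__ == "__main__":
    print(*audit(build_sample(), "shop.example"), sep="\n")
```

A script tag in a post can be legitimate (embeds, analytics), so that finding means "read this row", not "delete it".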
Scanners rely on known signatures. Redirect malware defeats this by obfuscating its code into apparent gibberish and writing custom backdoors for your specific site. Some campaigns even tamper with the scanner’s own files to stay hidden. Reliable removal takes manual, line-by-line inspection.
A backup restores files but not security. The vulnerability that let attackers in is still there, and any backdoor in your uploads folder or a hidden admin account simply re-infects the fresh files. If your backup is recent, it may already contain the malware.
Because the malware checks conditions before firing. It reads the device (User-Agent) and the referrer, so it can hijack mobile users or Google visitors while showing you — the admin on desktop with direct access — a perfectly normal site. It often drops a cookie so each visitor is redirected only once, making it even harder to reproduce.
Usually, yes. Once the malicious code is gone and the site is secured, Googlebot can index your real content again. A “Deceptive site ahead” warning typically clears within about 72 hours of a successful review request, and rankings tend to recover as the warning lifts. Acting fast limits the damage.
Because redirect hacks actively drain traffic and damage SEO, we treat them as emergencies. We typically begin diagnostics within an hour, and most sites are fully cleaned, patched, and secured within 4 to 12 hours.
You can try, but the risk is reinfection. Many campaigns reinject on every page load, hide rogue admin accounts, and scatter backdoors across plugins and the uploads folder. Removing the visible redirect without closing every entry point usually brings it back within days. If you’re comfortable in the database and server files you can attempt it — otherwise a professional cleanup is faster and safer.
Because we remove the cause, not just the symptom: we patch the entry-point vulnerability, delete every backdoor and rogue admin, rotate security keys, and harden file permissions and logins. We also re-test under the exact conditions that triggered the redirect (mobile, referrer, incognito) before we call it done.
Conditional malware hides from scanners and from your own browser. It may only trigger for mobile users, search-engine referrers, or first-time visitors, and it can obfuscate itself past signature databases. A “clean” scan doesn’t guarantee a clean site — manual verification does.
We work on a fix-first, pay-later basis: we clean and secure your site first, and if we can’t eradicate the redirect malware, you pay nothing. Contact us with your URL for a quote.