A redirect hack is a type of tampering in which a hacker alters site data or theme files to send visitors to a page of the hacker's choosing instead of the page they originally wanted to see.
The following is an explanation of a common example of a redirect hack, in which clicking on a link on a site sends the user to a different site.

How Redirect Hacks (Link Replacement Type) Work

This type of tampering is performed with JavaScript, a scripting language that is executed on the browser side.
The code that directs all links to an unintended site looks like the following:

<script>var anchors = document.getElementsByTagName("a");
// Overwrite the destination of every link on the page
for (var i = 0; i < anchors.length; i++) {
    anchors[i].href = "URL of the site you want the link click to take you to";
}</script>

However, in many cases this code is obfuscated so that it is not easy to tell which site the links lead to.

Commonly tampered (infected) locations

Redirect hack tampering is often embedded as JavaScript code in places where it will be executed on any page.

1 Theme files

It is often embedded in header.php, footer.php, single.php, and index.php, which are included in the theme.

2 WordPress configuration file

It is also often embedded in the WordPress configuration file wp-config.php or in index.php in the root folder, both of which are always accessed when the WordPress site is displayed.

3 Database

Because the redirect hack is JavaScript, it may also be embedded in the database and executed from there: in individual pages stored in the wp_posts table, or in settings stored in the wp_options table.

How was it tampered with?

Redirect hacks can also be implemented by rewriting part of the database through a vulnerability in a plugin. If the tampering exists only in the database, a relatively minor vulnerability may have allowed malicious code to be written into some of the plugin’s settings.

However, there are cases of more serious hacking (e.g., taking administrative privileges, backdoors in the server due to plugin vulnerabilities, etc.), so professional help may be required if the tampering is repeated.

How to deal with redirect hacks

Even if the malicious code is obfuscated, the opening script tag that marks the start of the code cannot itself be obfuscated.
Therefore, it is possible to remove it by searching the database for posts or configuration tables that contain the script string and examining them for the illegal code.
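
The database check described above can be scripted against an export of the tables. The following is an added example, not code from the original article; the indicator patterns, the function and class names, and the sample rows are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed indicator set for this example; not an exhaustive signature list.
INDICATORS = {
    "rewrites link targets": re.compile(r"\.href\s*=", re.I),
    "enumerates all <a> elements": re.compile(
        r"getElementsByTagName\(\s*['\"]a['\"]\s*\)|querySelectorAll\(\s*['\"]a['\"]\s*\)|document\.links", re.I),
    "common obfuscation primitive": re.compile(
        r"\beval\s*\(|fromCharCode|\bunescape\s*\(|\batob\s*\(|(?:\\x[0-9a-f]{2}){8,}", re.I),
}

class ScriptCollector(HTMLParser):
    """Collects the body of every <script> element (tag names are matched case-insensitively)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def scan_rows(rows):
    """rows: iterable of (table, row_id, content). Returns [(table, row_id, [reasons])]."""
    findings = []
    for table, row_id, content in rows:
        parser = ScriptCollector()
        parser.feed(content)
        parser.close()  # flush any trailing, unterminated script body
        for body in parser.scripts:
            reasons = [name for name, rx in INDICATORS.items() if rx.search(body)]
            if reasons:
                findings.append((table, row_id, reasons))
    return findings

# Constructed sample rows standing in for an export of wp_posts / wp_options.
SAMPLE_ROWS = [
    ("wp_posts", 12, "<p>Hello</p><script>console.log('analytics');</script>"),
    ("wp_posts", 40, '<p>News</p><SCRIPT>var a = document.getElementsByTagName("a");'
                     'for (var i = 0; i < a.length; i++) { a[i].href = "https://example.invalid/"; }</SCRIPT>'),
    ("wp_options", 7, "<script>eval(String.fromCharCode(49,43,49));</script>"),
]
if __name__ == "__main__":
    print(*scan_rows(SAMPLE_ROWS), sep="\n")
```

Rows that are flagged still need manual review before deletion, since legitimate plugins also store inline scripts in wp_options.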

Also, after visually inspecting the theme files that are susceptible to the infections mentioned above and removing the malicious code, we recommend taking the following security measures.

Make sure you have the latest version of WordPress and plug-ins.
Change user passwords.
If there is no update for the vulnerable plug-ins, stop using them and use other plug-ins instead.

Check for updates to vulnerable plugins.

A malware scanner developed by WordPress Doctor can also scan and detect redirect hacks.
[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].