This section describes a type of malware that has recently been spreading to a large number of files on a very large number of sites. On an infected site, clicking on various elements sends the user to a different, malicious site.


It is a redirect hack: in rare cases, clicking a link on the site redirects you to a malicious site without your permission.

This malware modifies many of the core WordPress files and embeds malicious JavaScript code in them.

*Examples of core WordPress files that are tampered with
wp-activate.php
wp-mail.php
xmlrpc.php
wp-comments-post.php
wp-signup.php
wp-load.php
index.php
wp-blog-header.php

The malware writes its JavaScript code into these and other files as appropriate.

This malware is characterized by attaching a malicious event to every clickable element on the site, so that each link click opens a new window and sends the user to another malicious site.

It also records the time in a cookie in the user's browser. Once the user has been redirected, the redirect is not triggered again for a certain period of time, which delays detection.

The unwanted redirects often go to URLs such as the following:

bit.ly/random string
ois.is/images

How to deal with redirect-hack malware

Since this malware infects legitimate WordPress files, it can be removed by downloading the legitimate WordPress core files and replacing each core file on the site with its legitimate copy.

You can also use the [Free] WordPress:Malware Scan & Security Plug-in to detect and remove the malware.
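
The replacement step described above can be scripted. The following Python code is an added example, not part of the original article or of any plugin: it compares the core files listed earlier against a clean copy of the same WordPress release, reports the ones that differ, moves them to a quarantine folder outside the site, and restores the clean version. The function names, directory names and file contents in `demo()` are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Core files the article lists as commonly tampered with.
CORE_FILES = ["wp-activate.php", "wp-mail.php", "xmlrpc.php", "wp-comments-post.php",
              "wp-signup.php", "wp-load.php", "index.php", "wp-blog-header.php"]

def find_tampered(site_root, clean_root, names=CORE_FILES):
    """Return {name: reason} for files that differ from the clean reference copy."""
    findings = {}
    for name in names:
        site_file, clean_file = site_root / name, clean_root / name
        if not clean_file.is_file():
            continue  # file is not part of this reference release
        if not site_file.is_file():
            findings[name] = "missing"
            continue
        body = site_file.read_bytes()
        if body != clean_file.read_bytes():
            # Injected JavaScript in a core PHP file usually arrives in a <script> tag.
            has_script = b"<script" in body.lower()
            findings[name] = "modified, contains <script>" if has_script else "modified"
    return findings

def restore_from_clean(site_root, clean_root, quarantine, findings):
    """Overwrite flagged files with the clean copy; keep the old file as evidence."""
    quarantine.mkdir(parents=True, exist_ok=True)
    for name in findings:
        if (site_root / name).is_file():
            shutil.move(str(site_root / name), str(quarantine / name))
        shutil.copy2(clean_root / name, site_root / name)

def demo():
    """Constructed sample: two temporary trees with inert stand-in file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site, quarantine = Path(tmp, "clean"), Path(tmp, "site"), Path(tmp, "q")
        clean.mkdir(); site.mkdir()
        for name in CORE_FILES:
            for root in (clean, site):
                (root / name).write_bytes(f"<?php // stand-in for {name}\n".encode())
        with open(site / "wp-load.php", "ab") as fh:  # inert placeholder, not real malware
            fh.write(b"<script>/* injected-code placeholder */</script>\n")
        (site / "xmlrpc.php").unlink()
        before = find_tampered(site, clean)
        restore_from_clean(site, clean, quarantine, before)
        return before, find_tampered(site, clean)

if __name__ == "__main__":
    print(demo())
```

The clean reference copy must be the same WordPress version as the site, otherwise unmodified files will also be reported as different.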

Dealing with Vulnerabilities

If the core files of WordPress have been tampered with, the site may have the following vulnerabilities. We believe it may be necessary to address these as well.

The administrator rights of WordPress have been hijacked.
A vulnerability caused by a plugin has been exploited and a program has been installed somewhere to tamper with the site.
Other sites on the server are infected, and the site is being tampered with via a folder on that site.

Reference page on how to deal with this problem
5 free WordPress security measures
Easy WordPress Security Improvement Checklist