WordPress Hack Redirects Visitors to Malicious Sites

There are 21 comments, join the conversation

How to Keep Your WordPress Site Secure

Protect Your WordPress Admin Interface

Your WordPress admin panel is a goldmine for criminals. Therefore, you need to restrict access to it as much as possible: only those who need to access it should be able to. In any case, you should restrict everybody’s ability to make changes to your header.php file.

As we’ve seen with this recent redirect attack, hackers with admin credentials to your site can directly and easily make changes to your theme’s header.php file. You can effortlessly disable a user’s ability to edit PHP files in your admin interface by adjusting your wp-config.php file. Simply copy and paste the following code in your wp-config.php file:

# Disable Theme Editing
 define( 'DISALLOW_FILE_EDIT', true );

Other tips for keeping your admin interface secure:

  • Use strong passwords
  • Change all passwords periodically
  • Limit the number of login attempts
  • Check to make sure that no fake admin accounts have been created
  • Do not use “admin” as your admin username
  • Enable two-factor authentication

Update WordPress, Themes and Plugins to Latest Versions

It is critical to update WordPress and all of your themes and plugins to their latest versions. In addition to improved functionality, most updates are provided to address security concerns and vulnerabilities, so update to the latest versions as soon as they are available.

Make Sure Your Computer(s) Is Free of Viruses and Malware

Any precautionary measures you take to protect your site from malware would all be null and void if your computer contains any viruses or malware. That’s because a hacker could access your site’s login details from your computer and swiftly proceed to infect the site. Therefore, it’s important to install a good antivirus program on all computers you use to log into your WordPress site.

Most of us love WordPress for its flexibility, among many other reasons. Indeed, it is the most popular open-source Content Management System (CMS) out there. However, the reasons we love it so much are the very reasons that make it vulnerable to cyber-attacks. It’s important to be aware of that and take the necessary steps to protect your site.

Arnaud, a foodie from Bruges, Belgium, is the editor for the Semper Plugins blog. He also manages the translation teams for All in One SEO Pack (over 58 languages!).

21 comments on “WordPress Hack Redirects Visitors to Malicious Sites
  1. Tracy says:

    Wow, 7.5 million every hour, that is disturbing, interesting post Arnaud, thanks for the warning 🙂 Cheers Tracy

  2. Mike says:

    Helpful article. Thanks a lot.
    What is their initial attack vector? Is it simply gaining admin login access?

    I’m wondering if there is a modsecurity rule that can be created to help prevent this?

    A smart and well-configured modsecurity rule set is a true nightmare for hackers. 😀
    Through some clever rules I’ve written…if I do say so myself 😉 the hacker hits on my WP sites have dropped significantly over the past year.
    Thanks again.

    • Arnaud Broes says:

      Hi Mike

      First of all, thanks for leaving a comment.
      The aim of the hackers is to implement about 12 lines of code so visitors are redirected to other (possibly malicious) sites.

      This, however, is only possible when they have already have gained access to a WordPress login that is able to edit the PHP files of the theme.

      You can address this issue by disabling user permissions to edit PHP files via wp-admin. Implement the following code snippet in the wp-config.php file to disable this feature:

      # Disable Theme Editing
      define( ‘DISALLOW_FILE_EDIT’, true );

      More importantly, you have to secure your WordPress credentials.
      If you ever get hit by an attack, it’s important to change all of your passwords, check if any files were adjusted and scan for rogue admin accounts if you have multiple administrators.

      Just a few more tips to secure your WordPress login:

      – Change “admin” username to something less identifiable
      – Change the login page URL from the default wp-login-php
      – Create complex passwords
      – Limit the number of login attempts in a given time period



  3. Diana L. Faulkner says:


    Thank you for the valuable information. I appreciate that you provided a workaround and tips in your response to Mike. This is valuable information to me.

    Happy Day! =)

  4. Norman Grant says:

    So you’re saying they would have to gain access by password, is that correct? No other way to enter. They can’t skip the password step?

    • Arnaud Broes says:

      It’s most common, but there are also other methods to gain access to your site’s files. FTP is a great example.

  5. Valente says:

    Which security plugin would you recommend and will not cause a conflict with All in One SEO Pack?

    • Arnaud Broes says:

      WordFence is a great one and has no compatibility issues with All in One SEO Pack.
      We also highly recommend iTheme Security.

  6. Kevin Ashwe says:

    Mmmn! Quite helpful. I narrowly escaped an attack last week.

  7. Shariar sameer says:

    Thanks for useful post! I think we must careful about using nulled or free themes or plugins.

  8. Annoyed says:

    Found this post because there is a script that is being injected in the header.php of every site on the server account. Every few days I have to check header.php and remove the block of text above , usually with a ton of spaces above it. It’s unbearable! If the script isn’t removed, Google and other security scanners black list the site for a few days until it’s removed and ask Google to rescan the site. It’s messing with rankings bad!

    So far:
    1. Deleted all WP core files and reuploaded newest version core files.
    2. Deleted unused plugins.
    3. Checked every /uploads directory for .php files (since there should only be images).
    4. Changed admin username.
    5. Changed passwords.
    6. Removed spam users.
    7. Changed FTP password.
    8. Installed Sucuri plugin and hardened everything, installed Wordfence, installed Bad Behavior.

    Non of the security plugins are blocking this and none of them are even alerting that the header.php was modified. IT’S STILL HAPPENING ON A WEEKLY BASIS.

    1. How are they able to inject this script into every site on the hosting account at the same time, even if those sites don’t use the same plugins etc? This is the most frustrating and annoying thing because all of the sites need to have the script removed and all of the sites get blacklisted from Google, etc.
    2. If they are able to get into your files and paste this script in the header.php and they realize you keep removing it, what’s stopping them from just messing with all the files or deleting stuff?

    • Arnaud Broes says:

      To answer your questions:
      1. I’m not really certain that you are facing the same issue that is described in this article. In any case, if you articles keep being injected with code, you’re probably facing an infection of a malicious script on your webserver. You may want to backup all of your sites and clean them up one by one and do a full wipe of your server before restoring your sites again.
      2. There’s nothing stopping them, but there are no gains for most hackers to completely destroy or infect a site. They still want people to visit and make use of the functionality/information on your site.

  9. Emenike Emmanuel says:

    Hi Arnaud,

    Thanks for sharing. Could this be the reason why I’m getting too many spam comments?

    • Arnaud Broes says:

      No, spam comments are just bots or bloggers trying to increase their SEO by creating backlinks from other websites to theirs.
      This is a method that generally does not work because search engines see through this deception and can check the quality of backlinks.
      If you are using WordPress, I recommend that you install a plugin like Akismet to filter valid and invalid comments.

  10. سيو says:

    It’s hard to find experienced people for this topic,
    but you seem like you know what you’re talking about! Thanks

  11. Dennis says:

    Hi, my website was hacked some month ago and we have cleaned it totally, but when ik set an add in Facebook with link to my website, it redirects the first time to a malicious website. I heard from someone that this redirection is always 1 time per IP. Should there still be infected files that creates this redirection?

Leave a Reply

Your email address will not be published. Required fields are marked *


Skip to toolbar