Occasionally, you may encounter a situation where your website is automatically redirected to another site even though you did not take any action. This is a clear sign that your website has been hacked and malicious code has been injected into it by hackers. In the article below, Gencontent will provide you with a checklist of areas that need to be inspected in order to remove those harmful codes.
Analyzing the issue of a Website Automatically Redirecting to Another Site
The website redirect issue does not happen frequently. When you access the site using a new browser, a new Wi-Fi network, or a new 5G connection with a different IP address, the website may redirect once—possibly to gambling sites, betting platforms, or affiliate sales pages. However, after returning to the homepage and continuing to browse, everything appears normal.
At this point, you might dismiss the suspicion that your website has been hacked, assuming it is just a minor glitch and not attempting to fix it. Meanwhile, new visitors to your site are consistently being redirected without you even realizing it.
According to research from multiple sources on Reddit, this behavior is believed to be caused by malware that tracks visitors’ IP addresses. On the first visit, the malware triggers a redirect request. On subsequent visits from the same IP address, the malicious code does not send any further redirect requests. It only activates again when accessed from a different IP address.
There are countless places within a website where malicious code can be injected. Below, Gencontent outlines several commonly reported locations you should check, along with measures to strengthen your website’s security. Using ChatGPT to troubleshoot this issue only provides limited assistance and can be very time-consuming. I personally spent an entire afternoon working on it without achieving a complete resolution.
How the Malware Operates
This malware combines several advanced techniques and exploits the WPCode (Headers and Footers) plugin to carry out its malicious activities:
Domain Routing and TXT Lookup
The malware routes traffic through dns-routing.net and uses cdn-routing.com to perform TXT record lookups. These lookups return domain names encoded in Base64 format. The malware then decodes these domains to determine where users should be redirected.
Conditional Redirect
The malware strategically triggers redirects by checking conditions such as IP address and device type (e.g., mobile phone or iPhone). It only activates the redirect once every 24 hours per IP address, reducing the likelihood of detection.
Administrator Account Creation
The malware can create new administrator accounts by injecting malicious code directly into the database. This technique bypasses standard file system checks and exploits WPCode’s ability to execute PHP code. In fact, when I used Wordfence, I detected hundreds of login attempts using fake usernames combined with simple common password lists.
Solutions for Fixing Website Redirect Issues
1. Identify the Source of Infection
You need to check the following WordPress system files:
-
.htaccess -
wp-config.php -
class-wp.php -
/wp-content/themes/…/functions.php(check both the main theme and child theme)
If you find unusual code snippets, inspect them carefully. Look for slightly altered file names, suspicious external links, or unclear/obfuscated characters. You can copy suspicious code into ChatGPT for analysis.
After making changes, clear your cache and test the website again using incognito mode and a 5G connection to see whether the redirect still occurs.
.htaccess and wp-config.php files.2. Use a Malware Scanning Plugin
I recommend using Wordfence and Sucuri Security. You can run scans with both plugins one after the other. I did this myself and received two different results.
Wordfence did not detect any infected files, but it blocked hundreds of unauthorized bot access attempts. These bots were trying to log into the website using fake usernames and simple, commonly used passwords.
Sucuri Security, on the other hand, identified a malicious file located inside the WooCommerce directory. The file was deeply nested and named similarly to what appeared to be an important system file. After deleting this file, my website has no longer shown any signs of being redirected.
3. Remove Unused, Outdated, and Pirated Plugins – Then Reinstall
Using pirated plugins is one of the main reasons websites become infected with malware. If possible, you should always use official, licensed plugins. If not, at the very least, use verified versions or purchase licenses from reputable group-buy websites.
On Gencontent.top, I mostly use free plugins from the official WordPress repository, and I simply skip certain premium features.
Go to cPanel → wp-content → plugins, and rename each plugin folder (for example, add the number “1” at the end of the folder name) to test them individually.
Alternatively, you can delete all plugins and reinstall them from scratch. However, make sure to reinstall only free versions from the official WordPress repository or verified versions you have uploaded.
Depending on whether you have many premium plugins available, choose the appropriate method. Even if your plugins are licensed, it is still recommended to remove and reinstall them. The cleanest way to delete them completely is through cPanel.
4. Review User Accounts and Reset Passwords
During the investigation, I found several suspicious user accounts on my website. Their usernames consisted of random characters and letters, yet they were assigned the role of Shop Manager instead of a regular user. This was unusual because the website should only have me and three admin accounts.
I immediately removed all accounts with higher privileges than customers, keeping only the legitimate admin and customer accounts.
Next, change the passwords of all existing admin accounts. Make sure each password contains at least 12 characters, including lowercase and uppercase letters, numbers, and special characters such as ! and @.
5. Final Check and Disable File Editing
Use incognito mode and a 5G connection, or reset your Wi-Fi modem and test the website again. If everything is working properly, you should disable file editing within WordPress.
Go to cPanel, edit the wp-config.php file, and add the following line right before:
/* That's all, stop editing! */
This code hides the theme file editor in the WordPress dashboard. If you need to edit theme files later, you can either change true to false or edit the files directly through cPanel.
6. The Final Option
If all the efforts above are still unsuccessful, your last option is to completely reinstall the website as if it were a brand-new site.
Back up all posts, products, media files, and uploads from your hosting account. Note that you should back up each section individually instead of creating one full backup file as usual. For example, you can copy each article into Google Docs and create a Google Sheets file to manage URLs and content structure.
Download the latest version of WordPress. Delete the entire website from the public_html folder, remove the database, and reinstall everything from scratch.
Once the new website is set up, start reinstalling plugins and re-uploading the content.
There is another method that I have not personally tried, but you may consider it:
-
Back up each section individually as mentioned above.
-
Download the latest WordPress installation package.
-
Instead of deleting the website and reinstalling it, overwrite the WordPress core files one by one into the existing website—replacing each file and folder individually.
This approach is also time-consuming, but it may save you the effort of fully backing up and reposting all blog articles and products.
These are all the solutions Gencontent has compiled and personally implemented on several platforms we manage to fix the issue of a website automatically redirecting to another site. If you encounter other cases or have different solutions, feel free to leave a comment so I can update this guide.
We provide professional website management and SEO services. You can learn more at the following link:
https://gencontent.top/dich-vu-quan-ly-website-chuyen-nghiep/
You can also explore more useful website management experiences in the SEO Website Knowledge category.
Leave feedback about this