Issue with WordPress Website Redirecting

**Aidan90** · 15 November 2019, 11:02 am

Hi All,

Not sure if this is the best place to post this but I've had some issues with my site redirecting to a third party spammy bonus site.

I've tried to pinpoint the cause but struggling to find it.

It doesn't happen every time, only occasionally and tends to happen on a click from a Google search result for my brand name or from a social link.

Every time I think I've got rid of it, I end up seeing it again a few days later. It's been happening about a week now.

Firstly, I'd be grateful if anyone could let me know if this has happened to them while trying to access my site and of course any recommendations on how to solve it for good would be great.

**newcustomeroffer** · 15 November 2019, 11:08 am

Originally Posted by Aidan90

Firstly, I'd be grateful if anyone could let me know if this has happened to them while trying to access my site and of course any recommendations on how to solve it for good would be great.

Just accessed your site via google and it was fine.

Had something very similar on a non-gambling site a few years back where the .htaccess file got hacked. Replaced the .htaccess and changed all the FTP details and it went away. That was an html site though so maybe something different causing it via wordpress. Best of luck sorting it.

**ddm** · 15 November 2019, 11:10 am

your site is hacked 100% @ OP. What is the URL ?

**Aidan90** · 15 November 2019, 11:36 am

www.footballbetprofit.com

Originally Posted by ddm

your site is hacked 100% @ OP. What is the URL ?

**tufty** · 15 November 2019, 11:40 am

Originally Posted by ddm

your site is hacked 100% @ OP. What is the URL ?

Unfortunately this is true. 100% it has been hacked. Don't ignore your issue because the problem doesn't always happen. You need to clean the site or get an expert to do it or a trusted plugin to do the job. Others may advise the best plugins better than me. I had similar problem myself and the plugins I used only did part of the job.

**Aidan90** · 15 November 2019, 11:46 am

Yes I was pretty sure that was the case. I've installed a couple of security plugins and been ruthless with deleting any files they have flagged as being suspicious. It's just really difficult to know whether it's been fixed or not when it doesn't happen constantly.

I removed some suspicious code from my wp-config file earlier and I've not had the issue reoccur since then but not convinced.

I'm at the point now where if it happens again I'm going to have to pay someone or some software/plugin to fix it for good.

**universal4** · 15 November 2019, 2:40 pm

I hope you changed the ftp and all word press passwords

Rick
Universal4

**sweetbet** · 15 November 2019, 6:19 pm

It sounds like it's definitely been hacked. Personally, I would delete and re-create the hosting account before uploading the backup files. You might also want to significantly beef up your website security. I had to do the same thing to some of my sites last year. It's more annoying and time consuming than anything else. Also, as far as securing your website goes, the Wordfence WordPress security plugin is a must have for everyone running a wordpress site.

**DanHorvat** · 15 November 2019, 9:07 pm

If you found and deleted suspicious code (that is doing the redirect), there's probably a file that's producing that code and is putting it into files. You need to find and delete that master file to fix this. That's why the problem can reappear even after you delete the suspicious code.

Look into your MySQL database as well, as it probably has malicious code in it.

If your hosting provider has a backup that's from a time before the hack, just ask them to restore that backup for you. Copy all the articles you posted in the meanwhile and then manually publish them again.

**baldidiot** · 16 November 2019, 5:41 am

Simply deleting files isn't likely to totally get rid of the problem - I would just pay 100 bucks to a security company to properly scan the site and then fix it for you. Will be a lot faster and a lot less of a headache.

**Aidan90** · 18 November 2019, 7:42 am

First of all, big thanks to everyone for their comments and suggestions, this community is really great.

I've discovered and deleted the file that was adding the code to the wp-config file which was hidden in a plugin.

I've installed the Wordfence and Securi plugins to scan for any further changes and have changed all passwords.

Any re-occurrence from this point and I'll be contacting an expert straight away.

**ufebetting** · 18 November 2019, 6:17 pm

What's the problem? infected popup? if so, delete the file wp-tmp. also your website is very slow. I recommend wp cache extension.

**Aidan90** · 19 November 2019, 4:28 am

It was the Insert Headers and Footers plugin that was infected. No signs of re-occurrance yet.

**ddm** · 19 November 2019, 4:34 am

good stuff. hoping your disease is cured!

**baldidiot** · 19 November 2019, 4:40 am

Originally Posted by Aidan90

It was the Insert Headers and Footers plugin that was infected. No signs of re-occurrance yet.

Was the plugin up to date? If so you might want to report this to the plugin developer.

**PromoteCasino** · 19 November 2019, 9:32 am

Originally Posted by Aidan90

It was the Insert Headers and Footers plugin that was infected. No signs of re-occurrance yet.

What was the dodgy code mate? Just, realized I have that plugin installed?

**allfreechips** · 19 November 2019, 9:57 am

I had an older WP site get hacked and ive been tracking it down, pretty insane amount of work these scripts go though, but if you want to see an entry point I made a script to log all post events, im actually running this along with wordfence now and its very interesting the amount of base64 attacks you see attempted on themes, plugins ext..

if you want to see try this, beware though if you actually authenticate (log in) it will record your login in the log and you do not want that info out there so be sure to delete it if you do.. I added a mylogin you can exclude name but password will still appear!

Place this at the top of config file and create mylogfile.txt file in same directory

Code:

$mylogin ="Your Username";
$date = date('m/d/Y h:i:s a', time());
$filename = "mylogfile.txt";
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
$text = "";
if ($_POST){
foreach($_POST as $key => $value)
{
    if ($value != $mylogin){
       $text .=  "\n post - ".$date ."\n".$actual_link."\n".$key." : ".$value."\n";
    }
}
file_put_contents($filename, $text, FILE_APPEND | LOCK_EX) ;
}

**affsbay** · 19 November 2019, 2:23 pm

If you are sure that you got rid of all the virus code just make a backup then you can easily fix your site (if it's happens again) and don't have to search virus in every file. You can scan the backup as well to be sure that it is clean

**universal4** · 19 November 2019, 3:40 pm

allfreechips, I have not looked very close at what you wrote, and you state you don't want the login info "out there", but can you move the logfile outside of the web so that it can only be accessed while on the root web server?

Rick
Universal4

**allfreechips** · 19 November 2019, 4:11 pm

of course you can, but if php can write to it, a hacker can get to it..

you could change the write to an email, but you will get a lot lol.. many many base64 attacks, so much that ill prob kill any post that has a 'base64' in the value

Thread: Issue with WordPress Website Redirecting

LinkBack

Thread Tools

Search Thread

Display

Issue with WordPress Website Redirecting

The Following User Says Thank You to DanHorvat For This Useful Post:

The Following User Says Thank You to baldidiot For This Useful Post:

The Following User Says Thank You to Aidan90 For This Useful Post:

The Following User Says Thank You to Aidan90 For This Useful Post:

The Following User Says Thank You to ddm For This Useful Post:

Posting Permissions