WordPress hacked with redirect

One of the most common hacks on WordPress sites that have not been maintained correctly is a redirect to other sites.

A few days ago I got a WordPress 3.4.x site (the current version is 5.3.x) that, obviously, was completely outdated, both the core and the plugins. The theme was tailor-made. It was also running PHP 5.6.x.

How to correct this problem?

To begin with, I have to say that the fix I propose is very radical: the site may stop working and important changes have to be made, but the objective is that everything ends up fully up to date.

Another important thing is that you should have a backup of the entire site and database.

Finally, you will need SSH access to the server that hosts the site, and WP-CLI installed. Everything can be done by hand, but WP-CLI makes the whole process easier.

The steps

The first thing to do is to update everything. Brute force, yes. To do this we will update the core, plugins, themes and translations.

To begin with, we will execute several commands. We will update WP-CLI itself, and then the core and the rest of the elements.

wp cli update
wp core update --force
wp core update-db
wp plugin update --all
wp theme update --all
wp language core update
wp language plugin update --all
wp language theme update --all

With this, we will have everything up to date, and a good chance that something will stop working.

The next thing we will try to do is log in to WP-Admin at an address like this:

https://example.com/wp-admin/

If we run into redirection problems when logging in, we will make a first review of the wp-config.php file. My recommendation is to replace it with a somewhat aggressive version based on the default generated wp-config.php. Above all, it is important to configure the Site URL and Core files URL with the correct URL to avoid those redirects.

With this we should be able to access the WordPress admin panel itself, although if we open the main page we will almost certainly still get the redirects.

The next thing we can do is investigate what kind of redirect we have. If we take the quick route, though, it is very likely that the redirect is done via JavaScript. By default, the posts of a WordPress site should not contain any <script> tags, so we will focus on preventing these from loading.

To do this, we will replace the script tags with something that cannot be executed. How? By substituting <script with <scr1pt, for example. For this we will use WP-CLI's own search-and-replace command.

wp search-replace '<script' '<scr1pt'

With this, we will prevent the scripts that have been injected into the posts from being loaded.
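Before running the replacement, it helps to see which scripts are actually stored in the content, since a blanket replace also disables any script that was put there on purpose. The following added example (not part of the original article) scans an SQL backup like the one mentioned earlier and lists the hosts that stored <script> tags load from; the sample rows and the .example host names are constructed.

```shell
#!/bin/sh
# Added example: list the <script> tags stored in a WordPress SQL backup
# before neutralising them. Real use: script_hosts < backup.sql (name assumed)

# Undo mysqldump string escaping: \n \r \t become spaces, and the
# remaining backslashes (as in \" or \') are dropped.
unescape_sql() {
    sed -e 's/\\[nrt]/ /g' -e 's/\\//g'
}

# Print every opening <script ...> tag found on stdin, one per line.
list_script_tags() {
    unescape_sql | grep -oiE '<script[^>]*>' || true
}

# Count tags without a src attribute, i.e. inline JavaScript.
count_inline() {
    list_script_tags | grep -ivcE '[[:space:]]src[[:space:]]*=' || true
}

# Print "count host" for each host loaded via <script src=...>, most
# frequent first. Quotes are stripped so one pattern covers quoted and
# unquoted values; relative (same-site) src paths are not listed.
script_hosts() {
    list_script_tags | tr -d "\"'" | tr 'A-Z' 'a-z' |
        sed -nE 's,.*[[:space:]]src[[:space:]]*=[[:space:]]*(https?:)?//([^/ >?#]+).*,\2,p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample rows, shaped like lines of a mysqldump file.
sample_dump() {
    cat <<'EOF'
INSERT INTO `wp_posts` VALUES (11,'Hello','<p>Hi</p><script type=\"text/javascript\" src=\"https://cdn.redirect.example/j.js\"></script>');
INSERT INTO `wp_posts` VALUES (12,'News','<p>Text</p>\n<SCRIPT src=\'//cdn.redirect.example/j.js?v=2\'></SCRIPT>');
INSERT INTO `wp_posts` VALUES (13,'Map','<script>var a=1;</script><script src=\"https://maps.vendor.example/api.js\"></script>');
EOF
}

echo "script tags:  $(sample_dump | list_script_tags | wc -l | tr -d ' ')"
echo "inline tags:  $(sample_dump | count_inline)"
echo "external hosts:"
sample_dump | script_hosts
```

On the live site, wp search-replace also accepts --dry-run, which reports how many rows would change in each table without writing anything.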

In general, with these steps, we will have the site back up and with everything up to date. While it is true that this last step alone would be enough to fix the problem, the reason for updating everything is that the system surely has security holes, and correcting only the scripts would be of no use, since the site would soon be vulnerable again.

This problem is one of the many that you can run into if you do not maintain your site but, obviously, each case can be different, so before acting, check that the problem you have really is similar to the one I describe.


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content on your website, in your presentation or in any material you distribute, remember to mention this site or its author, and to release the material you create under the EUPL license.