WordPress malware
WordPress redirects to other websites – causes and fixes
If WordPress redirects visitors to other websites, treat it as a serious warning sign. Sometimes the cause is a configuration mistake, broken plugin or cache issue, but in real-world incidents it is often malware. A visitor opens your site and ends up on a pharmacy, casino, crypto, adult or scam page. Sometimes it happens only on mobile. Sometimes only from Google search. Sometimes only once per day.
Redirect malware is dangerous because the owner often does not see it. Logged-in admin traffic may look normal. Desktop visits may look normal. But real visitors are already being lost. This can cause revenue loss, reputation damage, Google Ads suspension and SEO problems.
This article explains how WordPress redirect malware works, where to look for it and how to remove it in a way that does not lead to reinfection.
Typical symptoms
Redirect infections often look like this:
- the website sends visitors to another domain,
- the redirect happens only on mobile,
- the problem appears only from Google search,
- ad traffic is redirected but direct traffic is not,
- the first visit redirects, the second one does not,
- incognito mode behaves differently than logged-in admin mode,
- Google Ads reports malicious software,
- Search Console reports a security issue,
- visitors complain, but the developer cannot reproduce it,
- unfamiliar JavaScript appears in the page source.
If your advertising is affected, read the related article about Google Ads malicious software suspensions, because the review process should only start after the site is clean.
How redirect malware works
The attacker wants to send part of your traffic somewhere else. That can be done server-side in PHP, client-side in JavaScript, through database content, via .htaccess rules or by loading an external script.
Common methods include:
- JavaScript redirects inside a theme template,
- infected plugin files,
- PHP backdoors inside uploads,
- <script> injections in the database,
- modified .htaccess rules,
- fake cache files,
- user-agent based redirects,
- referrer-based redirects for Google or Facebook traffic.
A simple JavaScript redirect can look like this:
<script>
if (document.referrer.includes('google')) {
window.location.href = 'https://spam-domain.example';
}
</script>
A PHP-based redirect can look like this:
<?php
// Redirect only visitors whose user-agent contains "Mobile"; desktop admins never see it.
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Mobile') !== false) {
    header('Location: https://suspicious-domain.example');
    exit;
}
Real malware is usually more obfuscated, but the logic is similar: detect the right visitor, then redirect.
Where to search first
Start with the areas that attackers commonly modify:
.htaccess
wp-config.php
wp-content/themes/*/functions.php
wp-content/plugins/*/*.php
wp-content/uploads/**/*.php
wp-content/mu-plugins/*.php
wp-includes/js/
Also inspect the database. Redirect scripts are often inserted into posts, widgets, theme options, plugin settings or the wp_options table.
Useful search terms include:
window.location
document.location
location.href
eval(
base64_decode
fromCharCode
iframe
onload
But do not rely only on string search. Modern malware can load the redirect from an external source, split payloads into several fragments or activate only under specific request conditions.
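As an added example (not code from this article), here is a small Python scanner that walks a WordPress root, applies the search terms listed above, flags any PHP file under uploads/ and also flags long base64-like runs, which are a common place for split or encoded payloads to hide. The sample site tree, its paths and its inert payload strings are constructed for the stand-alone run.

```python
import os
import re
import tempfile

# Search terms from the article plus a long base64-looking run (often a split or encoded payload).
INDICATOR_RE = re.compile(r"window\.location|document\.location|location\.href|\beval\(|"
                          r"base64_decode|fromCharCode|<iframe|\bonload\b", re.IGNORECASE)
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# WordPress never writes PHP below uploads/, so any such file is a finding on its own.
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def scan_tree(root):
    """Walk a WordPress root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if "/uploads/" in rel and name.lower().endswith(PHP_EXT):
                findings.append((rel, "PHP file inside uploads"))
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hit = INDICATOR_RE.search(text)
            if hit:
                findings.append((rel, "indicator: " + hit.group(0)))
            if BLOB_RE.search(text):
                findings.append((rel, "long base64-like blob"))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree so the scan runs offline; the payloads are inert stand-ins, not malware."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/demo/functions.php": "<?php\nadd_action('wp_head', 'demo_head');\n",
        "wp-content/themes/demo/footer.php":
            "<script>if(document.referrer.includes('google')){location.href='https://spam-domain.example';}</script>",
        "wp-content/uploads/2024/01/cache.php": "<?php eval(base64_decode('" + "QUJD" * 40 + "'));",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(rel, "->", reason)
```

Every hit still needs a human look: legitimate themes and plugins also use location.href or onload, so treat the output as a review list, not a verdict.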
Why you may not see the redirect
Redirect malware often tries to hide from admins and developers. It may not run when:
- you are logged into WordPress,
- you already have a cookie,
- you visit from the same IP repeatedly,
- the user-agent looks like a desktop browser,
- the referrer is empty,
- the request comes from a security scanner.
That is why testing should include incognito windows, mobile devices, clean browser profiles, different networks and simulated referrers. HTTP logs can also reveal redirect chains that are hard to reproduce manually.
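The conditional behaviour described above can be checked systematically instead of by hand. As an added example (not code from this article), the Python probe below requests the same URL with several visitor profiles, refuses to follow redirects so the first Location header stays visible, and reports the profiles that were redirected while another profile got a plain 200. The FakeInfectedSite handler is a constructed loopback stand-in that mimics a mobile-only, Google-referrer-only redirect; the header values and the spam domain are constructed as well.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Visitor profiles the article says malware discriminates on (constructed header values).
PROFILES = {
    "desktop-direct": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    "desktop-google": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Referer": "https://www.google.com/"},
    "mobile-google": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile", "Referer": "https://www.google.com/"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the Location header of the first hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, profiles=PROFILES):
    """Request url once per profile; return {profile: (status, Location header or None)}."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for name, headers in profiles.items():
        try:
            with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
                results[name] = (resp.status, resp.headers.get("Location"))
        except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
            results[name] = (err.code, err.headers.get("Location"))
    return results

def suspicious(results):
    """Profiles that were redirected while some other profile received a plain 200."""
    if not any(code == 200 for code, _ in results.values()):
        return []
    return sorted(name for name, (code, _) in results.items() if 300 <= code < 400)

class FakeInfectedSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a stand-alone run: redirects only mobile visitors coming from Google."""
    def do_GET(self):
        if "Mobile" in self.headers.get("User-Agent", "") and "google" in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "https://spam-domain.example/")
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()

def start_fake_site():
    """Serve FakeInfectedSite on a random loopback port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeInfectedSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % srv.server_port

if __name__ == "__main__":
    print(suspicious(probe(start_fake_site())))  # expected: ['mobile-google']
```

Against a real site, add profiles for cookies, repeat visits from one IP and an empty referrer, and run the probe from a network the attacker has not seen yet; JavaScript-only redirects will not show up here because the HTML still comes back with a 200.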
Cleaning the redirect is not enough
Removing the visible redirect is only the first step. If the attacker still has a backdoor or stolen credential, the site can be modified again.
A durable cleanup should include:
- removing infected files and database injections,
- finding and removing backdoors,
- checking admin users,
- updating WordPress core, plugins and themes,
- removing abandoned plugins and themes,
- rotating admin, FTP, SSH, hosting and database passwords,
- disabling or protecting XML-RPC if it is abused,
- clearing all cache layers,
- reviewing server logs for the original entry point.
If a security plugin says the site is clean but redirects still happen, see Wordfence says the site is clean, but it is still infected.
Prevention after cleanup
Prevention is about reducing the chance of the same incident returning:
- keep plugins and themes updated,
- remove unused plugins and themes,
- use strong passwords and two-factor authentication,
- limit admin accounts,
- monitor file changes,
- monitor HTTP request patterns,
- keep frequent off-site backups,
- test backups before you need them,
- use a managed update process that can roll back if a plugin update breaks the site.
Backups matter, but backups alone are not security. If the vulnerability or leaked password remains, restoring the site simply restores the next infection target.
When to act immediately
Treat the incident as urgent if redirects affect paid traffic, checkout pages, lead forms, customer portals or high-ranking SEO pages. Redirect malware damages trust quickly and can spread into advertising, analytics and search visibility.
The right fix is not only to stop the redirect. It is to find why it was possible, close the entry point and monitor the site afterwards.