What this problem is
Your site redirects visitors to spam, adult content, or phishing pages.
Why it happens
- Injected redirect code in .htaccess or server config
- Compromised plugin/theme files
- Database injection in wp_options or post content
- Malicious admin user created
Prerequisites
- Backup access (for clean restore reference)
- FTP/File Manager and phpMyAdmin access
- Security scan tools (optional but useful)
Diagnosis
- Test redirects in an incognito window and on mobile networks.
- Check .htaccess and wp-config.php for suspicious rules.
- Check database for injected scripts in options and content.
Detailed steps
Step 1) Take the site offline (optional) and back up evidence
Do not delete suspicious files immediately if you need them for forensics, but prioritize stopping harm to users.
Step 2) Clean .htaccess and server redirects
Remove unknown rewrite/redirect rules and regenerate permalinks later.
Step 3) Replace compromised files
Reinstall WordPress core and reinstall plugins/themes from trusted sources. Remove unknown plugins.
Step 4) Clean database injections
Search for suspicious JavaScript, iframe, and redirect domains in wp_options, posts, and widgets.
Step 5) Reset credentials and SALT keys
Reset admin passwords and regenerate SALT keys (covered in a dedicated article).
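For Step 2, the following added example (not part of the original article) lists the .htaccess lines that deserve manual review: redirects to a host other than your own, and conditions on referrer or user agent, which make a redirect fire only for some visitors. The function name, the sample file and the hosts example.com and redirect.example.net are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Directives that can send a visitor elsewhere (mod_rewrite and mod_alias).
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|Redirect(Match|Permanent|Temp)?)\b", re.I)
# Conditions on referrer or user agent make a rule fire only for some visitors.
VISITOR_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I)
ABSOLUTE_URL = re.compile(r"https?://[^\s\"']+", re.I)

def audit_htaccess(text, site_host):
    """Return (line_number, reason, line) for rules that need manual review."""
    findings = []
    site_host = site_host.lower()
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if VISITOR_COND.match(line):
            findings.append((number, "condition on referrer/user agent", line))
        elif REDIRECT_DIRECTIVE.match(line):
            for url in ABSOLUTE_URL.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if "%" in host:  # server variable such as %{HTTP_HOST}
                    continue
                if host != site_host and not host.endswith("." + site_host):
                    findings.append((number, "redirect to external host " + host, line))
    return findings

# Constructed sample: the stock WordPress block followed by two injected lines.
SAMPLE = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing)\\. [NC]
RewriteRule ^(.*)$ https://redirect.example.net/landing [R=302,L]
"""

if __name__ == "__main__":
    for number, reason, line in audit_htaccess(SAMPLE, "example.com"):
        print(f"line {number}: {reason}: {line}")
```

A flagged line is a prompt for review, not proof of compromise; compare it against the .htaccess in your clean backup before removing it.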
Expected results
- Redirects stop and site is clean and stable
What to do if it fails
- Restore from a known-clean backup and patch the vulnerability that caused the hack
Best practices
- Keep WordPress/plugins/themes updated
- Use WAF and least-privilege accounts
- Enable 2FA for admins