
WordPress Hacked Redirect: How to Fix It Fast (2026)

Is your WordPress hacked redirect sending visitors to spam? Follow the exact step-by-step cleanup we use to find the injection, remove it, and stop reinfection.

Figure: Flowchart tracing a WordPress hacked redirect from a malicious .htaccess rule to a fully cleaned and restored site.

Last updated June 2026. Written by our senior WordPress incident-response team.

You typed your own domain, hit enter, and landed on some pills-and-casino page you've never seen. Or your site looks perfectly fine on your laptop, but a customer just texted you a screenshot of it bouncing to spam on their phone. That's the signature of a WordPress hacked redirect, and the panic it causes is real. Here's the reassuring part: this is one of the most fixable infections in the WordPress world — if you work in the right order. We've cleaned this exact attack dozens of times, and the pattern barely changes.

Before we start: no host on earth makes a site unhackable. But on isolated, daily-backed-up stacks — the kind managed hosts like Hostaccent run — a redirect hack drops from a multi-day nightmare to a single clean restore. Either way, let's get your site clean by hand so you understand exactly what was done to it.

Quick Answer: A WordPress hacked redirect is malicious code injected into your .htaccess, wp-config.php, theme files, or database that bounces visitors to spam or scam sites. To fix it: back up the current state, find and remove the injected code in those places, replace WordPress core, delete rogue admin accounts, reset every password and security key, then request a review in Google Search Console. Most sites are clean within an hour.

How to Confirm It's Really a WordPress Hacked Redirect

The cruelest thing about a redirect hack is that you often can't see it. Attackers fingerprint visitors and only fire the redirect under specific conditions, so the owner — logged in, on desktop, visiting directly — sees a perfectly normal site.

Three signatures show up again and again:

  • Mobile-only redirects. The site is fine on desktop but bounces to spam on phones. Mobile user-agents are the most common trigger.
  • Logged-out redirects. Anyone not logged into wp-admin gets redirected; you, logged in, never do. This is why owners swear their site is fine while customers see junk.
  • Search-referral redirects. The hack only fires when someone arrives from Google. Type the URL directly and it behaves; click it from a search result and you're gone.

To reproduce it, open the site in a private window, switch your browser's device mode to a phone user-agent, and click through from a Google search result. If any of those bounce you to an unfamiliar domain, you've confirmed a WordPress hacked redirect.
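The same three-condition test from the command line, as an added example that is not part of the original post: each probe fetches the site once without following redirects and reports whether the first hop's Location header leaves your host. The user-agent strings and hostnames are constructed, and the script assumes you pass a full URL (with scheme) for your own site.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed trigger conditions matching the article: desktop direct as control,
# then a mobile user-agent, then mobile arriving from a Google result. No cookies
# are sent, so every probe is "logged out".
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148"
PROBES = {
    "desktop-direct": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"},
    "mobile-direct": {"User-Agent": MOBILE_UA},
    "mobile-from-google": {"User-Agent": MOBILE_UA, "Referer": "https://www.google.com/"},
}
REDIRECT_CODES = {301, 302, 303, 307, 308}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the first hop's Location header is what we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def _bare(host):  # www.example.com and example.com count as the same site
    return host[4:] if host.startswith("www.") else host

def classify(site_url, status, location):
    """'offsite' if the redirect leaves your host, 'onsite' for www/https hops, else 'none'."""
    if status not in REDIRECT_CODES or not location:
        return "none"
    target = urlparse(urljoin(site_url, location))  # a relative Location stays on-site
    same = _bare((target.hostname or "").lower()) == _bare(urlparse(site_url).hostname.lower())
    return "onsite" if same else "offsite"

def probe(site_url, headers):
    """One request without following redirects; returns (status, Location or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(site_url, headers=headers), timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises for an unfollowed 3xx
        return err.code, err.headers.get("Location")

def run_probes(site_url):
    """Map each trigger condition to its verdict; an 'offsite' anywhere confirms the hack."""
    return {name: classify(site_url, *probe(site_url, hdrs)) for name, hdrs in PROBES.items()}

if __name__ == "__main__":
    for name, verdict in run_probes(sys.argv[1]).items():
        print(f"{name:20s} {verdict}")
```

Run it before and after cleanup with the same URL; a verdict that flips from offsite to none under every condition is the confirmation the Pro Tip below asks for.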

Pro Tip: Before you change anything, copy the exact spam URL you're being sent to and write down the conditions that trigger it. When you re-test after cleanup, you'll know instantly whether you killed it or just missed a copy.

First Moves: What to Do in the First Ten Minutes

Resist the urge to start deleting files. Your first job is to preserve evidence and lock the doors.

  1. Take a full backup of the hacked state. Yes, the infected one. You may need to compare files later, and you never want fewer copies during an incident.
  2. Write down everything — the redirect destination, when it started, what you changed recently, which plugins updated last.
  3. Change every password now: hosting/control panel, WordPress admin, database, FTP/SFTP, and the email tied to the site. Assume all of them are compromised.
  4. Pull the site offline if you can. Maintenance mode or a temporary holding page stops the reputation damage and protects visitors while you work.

If your hosting includes daily backups, find the most recent snapshot from before the redirect appeared — that's your clean restore point and your fastest route back. A backup taken after infection just restores the malware, so the timestamp matters more than anything.

That single detail is why automated, versioned backups belong near the top of any setup. The WordPress Security Hardening Guide: Protect Your Site Before It Gets Targeted walks through getting them in place before you ever need them.

Where the Redirect Hides: Injection Points in Priority Order

A WordPress hacked redirect almost always lives in one of five places. Check them in this order — it roughly matches how common each one is.

1. The .htaccess file. This is ground zero. Attackers add a rule that catches visitors before WordPress even loads. You'll often see something like this:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Fires only for mobile user-agents, then sends them off-site before WordPress loads
RewriteCond %{HTTP_USER_AGENT} (android|iphone|mobile) [NC]
RewriteRule ^(.*)$ https://spam-domain.example/ [R=302,L]
</IfModule>
```

Check the .htaccess in your web root and any inside subfolders — there's frequently more than one. The official WordPress.org guide on what to do when your site is hacked is worth keeping open as a second reference while you work.

2. wp-config.php. Look for base64_decode, eval(, gzinflate, or any block of gibberish near the top or bottom of the file. A legitimate wp-config.php is short and readable.

3. Theme files — especially functions.php. Injected PHP here re-adds the redirect on every page load, which is how sites get "reinfected" minutes after a clean. Check the active theme first, then every inactive theme.

4. The database — wp_options. Check the siteurl and home values. If either points to a domain that isn't yours, that alone redirects your entire site. Then scan wp_options for suspicious autoloaded entries.

5. Post content — wp_posts. Injected <script> tags hiding in post or widget content fire client-side redirects that file scans miss entirely.
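A first-pass triage scan over the file-based injection points above (every .htaccess, plus wp-config.php and theme PHP), as an added example that is not the article's or Hostaccent's tooling. It flags RewriteRule targets that leave your host and the eval/base64_decode/gzinflate calls named above, skipping wp-admin and wp-includes because those get replaced wholesale; the site hostname, the sample file tree and its contents are constructed, and a hit is a lead to inspect, not proof of compromise. The database checks (siteurl, home, wp_posts) are separate and not covered here.

```python
import os, re
from urllib.parse import urlparse
PHP_SUSPECT = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")  # the calls the article names
REWRITE_TARGET = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)  # absolute targets only
CORE_DIRS = {"wp-admin", "wp-includes"}  # replaced wholesale from WordPress.org, so not grepped

def _bare(host):  # www.example.com and example.com are the same site
    return host[4:] if host.startswith("www.") else host

def offsite(url, site_host):
    """True when url's host is not the site's own host."""
    return _bare((urlparse(url).hostname or "").lower()) != _bare(site_host.lower())

def scan_htaccess(text, site_host):
    """Off-site RewriteRule targets in one .htaccess body."""
    return [u for u in REWRITE_TARGET.findall(text) if offsite(u, site_host)]

def scan_php(text):
    """Suspicious call names in one PHP file; some plugins use these legitimately, so treat hits as triage."""
    return sorted(set(PHP_SUSPECT.findall(text)))

def scan_files(files, site_host):
    """files: iterable of (posix relative path, text); returns (path, finding) pairs, skipping core dirs."""
    findings = []
    for rel, text in ((r, t) for r, t in files if r.split("/")[0] not in CORE_DIRS):
        name = rel.rsplit("/", 1)[-1]
        if name == ".htaccess":
            findings += [(rel, "offsite RewriteRule -> " + u) for u in scan_htaccess(text, site_host)]
        elif name.endswith(".php"):
            findings += [(rel, "suspicious call " + c + "(") for c in scan_php(text)]
    return findings

def read_tree(root):  # (relative path, text) for every file under a real WordPress root on disk
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                yield os.path.relpath(path, root).replace(os.sep, "/"), f.read()

SAMPLE = [  # constructed infected mini-tree; the .htaccess mirrors the rule shown in the article
    (".htaccess", "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (android|iphone|mobile) [NC]\n"
                  "RewriteRule ^(.*)$ https://spam-domain.example/ [R=302,L]\n"),
    ("index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n"),
    ("wp-content/themes/mytheme/functions.php", "<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n"),
    ("wp-includes/pluggable.php", "<?php $k = base64_decode($s); // core file: replaced, not grepped\n"),
]

if __name__ == "__main__":  # on a live site: scan_files(read_tree("/var/www/html"), "example.com")
    print(scan_files(SAMPLE, "example.com"))
```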

Insider Insight: The single most-missed locations are a malicious WordPress cron job and a second hidden admin user. You can scrub every file perfectly and still get re-hacked because a scheduled task rewrites your .htaccess overnight. We kill both in the next step.

How to Clean It Out Without Leaving a Backdoor

Now you remove, in order:

  1. Strip the redirect from .htaccess. Delete the injected block. If you're unsure which lines are legitimate, replace the whole file with a clean default WordPress .htaccess and re-save your permalinks afterward.
  2. Replace WordPress core. Download a fresh copy from WordPress.org and overwrite wp-admin, wp-includes, and the root core files entirely. This wipes any injected core file in one move.
  3. Clean wp-config.php and theme files of the eval/base64 blocks you found.
  4. Fix the database. Reset siteurl and home in wp_options to your real domain, and remove injected <script> tags from wp_posts.
  5. Delete rogue admin users. In Users → All Users, remove any administrator you don't recognize, then change the remaining admins' passwords.
  6. Audit WP-Cron. Remove unknown scheduled events that could re-inject code.
  7. Scan. Run a reputable malware scanner (Wordfence, Sucuri, or MalCare) to catch what you missed, and compare your file tree against a known-clean install.

When we handle a redirect cleanup on a Hostaccent account, the isolation between accounts means the infection can't have hopped in from a neighbor, which narrows the hunt fast — it's almost always an outdated plugin or a reused password. For the security-model reasoning behind that isolation, OWASP's web security guidance is the standard reference.

If the cleanup feels endless, it's usually because a backdoor keeps re-adding the redirect. That's your signal to stop patching files and restore a clean backup instead. If your environment keeps buckling under the load while you work, an isolated setup helps — see Best VPS for WordPress in 2026: Tested and Ranked for Real Performance.

Reset Every Credential and Ask Google to Re-Check Your Site

A clean site with old credentials is a site that gets re-hacked next week. Finish the job before you tell Google the WordPress hacked redirect is gone:

  • Rotate WordPress security keys. Generate fresh salts and paste them into wp-config.php. Changing the salts invalidates every existing login cookie, so every session is logged out, including the attacker's.
  • Reset the database password and update it in wp-config.php.
  • Recreate FTP/SFTP and hosting users where possible, and delete any extra ones you didn't create.

Then deal with Google. If your site redirected from search results, Google may have flagged it. Open Search Console, check the Security Issues report, and once you're clean, request a review through Google's hacked-site recovery process. Reviews usually take a few days — don't request one until you're certain, or you'll reset the clock. Recovery is also a good moment to confirm performance didn't suffer: Core Web Vitals Failing? Your Hosting Might Be the Problem.

How to Prevent a WordPress Hacked Redirect From Coming Back

Stopping a WordPress hacked redirect from returning is mostly about removing the ways it got in. None of this is exotic:

  • Update everything, weekly. Outdated plugins and themes are the number-one entry point. The redirect you just cleaned almost certainly came through one.
  • Enforce 2FA on every admin account. A stolen password becomes useless.
  • Apply least privilege. Not everyone needs to be an administrator — most contributors need far less.
  • Remove what you don't use. Every inactive plugin and theme is attack surface. Delete them, don't just deactivate.
  • Keep automated, versioned, off-server backups. A clean daily backup is the difference between a one-click restore and a week of forensic work.
  • Run on isolated hosting. Shared environments where one compromised account can reach another are how single hacks become site-wide events.

That last point is where infrastructure earns its keep. On Hostaccent's stack — Cloudflare in front, Nginx and Apache behind it, NVMe storage, and daily backups retained automatically — accounts are isolated and a clean restore point is always on hand. It doesn't make a site unhackable; it makes recovery boring, which is exactly what you want.

Two related reads worth bookmarking: Fix a Slow WordPress Site: Diagnose in 30 Minutes and, if you're outgrowing shared hosting, Best Hosting for High Traffic WordPress Sites in 2026.

Recovering Faster Next Time

Cleaning a redirect hack by hand teaches you the anatomy of WordPress security fast — but you don't want to do it twice. If your current host left you fighting this alone, with no recent clean backup and no account isolation, that's worth fixing. Hostaccent's WordPress hosting runs daily automated backups and isolated accounts on a Cloudflare-fronted Nginx/Apache stack, so a future infection becomes a single restore instead of a multi-day rebuild. Plans start at $1.99/Month. Either way: keep backups, patch fast, and you'll rarely see this page again.

Frequently Asked Questions

Why does my WordPress site redirect to spam only on mobile?

Because the attacker's code checks the visitor's user-agent and only fires the redirect for mobile devices. It's a deliberate evasion tactic — owners usually browse on desktop while logged in, so they never see it, while real mobile visitors get bounced to spam. Always test using a mobile user-agent.

How do I know if my WordPress hacked redirect is fully gone?

Re-test under the exact conditions that triggered it: incognito, a mobile user-agent, and a click from a Google search result. If none redirect after 48 hours of monitoring and a clean malware scan, your WordPress hacked redirect is gone. Keep watching for a week in case a backdoor was missed.

Can a redirect hack come back after I clean it?

Yes — and it usually means you missed a backdoor, a rogue admin user, or a malicious cron job that re-injects the code. If the redirect returns within hours, stop cleaning files and restore a known-clean backup instead, then close the entry point that let it in.

Will Google blocklist my site for a redirect hack?

It can. If Google detects the redirect, it may show a warning in search results or Chrome and flag the issue in Search Console's Security Issues report. Once you've cleaned the site, request a review through Google's hacked-site recovery tools. Approval usually takes a few days.

Do I need to reinstall WordPress to fix the redirect?

Not fully, but you should replace the core files. Download a fresh copy from WordPress.org and overwrite wp-admin, wp-includes, and the root core files. Your wp-content (themes, plugins, uploads) and database stay — though you must still clean injected code from those separately.

Does secure hosting actually reduce reinfection?

It helps in two ways. Account isolation stops an infection on a neighboring site from reaching yours, and automated daily backups give you a clean restore point. Hosts built around this — Hostaccent, for example — turn a reinfection into a quick restore rather than a fresh cleanup. It's not magic, but it removes whole categories of risk.

Reviewed by Carlos Mendez · E-commerce & Growth Writer

Last updated Jun 18, 2026

Carlos writes about e-commerce hosting, WooCommerce performance, and scaling online stores. He has consulted for merchants across Latin America and Western Europe.
