Problem:
When you visit your WordPress website you are randomly redirected to unwanted websites.
Solution:
- Log in your website as an Administrator.
- Go to Appearance >> Theme Editor.
- Click on the Theme Functions link on the right side.
- Verify if malicious code was injected into the functions.php file.
Example of malicious code:
<?php @ini_set('display_errors', '0'); error_reporting(0); global $zeeta; if (!$npDcheckClassBgp && !isset($zeeta)) {
- If yes, then download the functions.php file to your machine via FTP, remove the malicious code, then upload it to your server.
- If you have several themes in your website then activate them one by one and repeat the procedure for all of them.
- Open the wp-config.php file.
- Verify if malicious code was injected into the wp-config.php file.
Example of malicious code:
include_once(ABSPATH . WPINC . '/header.php');
- If yes, then verify content of the wp-includes/header.php file, and possibly remove the wp-includes/header.php file, then remove the malicious code in the wp-config.php file.
- Copy a small string of malicious code, for example npDcheckClassBgp, and search for it in the content of all the files using the commands (in Windows) below.
cd C:\inetpub\wwwroot findstr /s "npDcheckClassBgp" *.*
where C:\inetpub\wwwroot is the path of the parent of your WordPress website.
- If you find the string in any file then review the content of the file and remove the malicious code.
- In Windows, stop the website using the command below.
net stop w3svc
- Delete all the files and folders except the wp-content folder, the wp-config.php, .htaccess, and web.config file.
- Review and remove all the suspicious contents in your wp-content directory.
- Go to the wp-content\plugins folder.
- Delete all the plugins, especially the plugins closed due to Guideline Violation.
- Manually re-download and unzip all the necessary plugins.
- Download the latest version of WordPress.
- Unzip and copy the the latest version of WordPress to the root of your website.
- In Windows, start the website using the command below.
net start w3svc
- Log in your website as an Administrator.
- Remove all the unused plug-ins or themes.
- Install, activate and configure a CAPTCHA plug-in to protect Login Form, Registration Form, Lost Password Form, Reset Password Form and Comment Form if there is no one.
- Disable insecure FTP access if there is one.
- Install and activate the Simple History plugin to review access to your website. After 1 or 2 days, review the access information, and possibly block the malicious IP addresses using the Windows Firewall.
- Install, activate and configure Cerber Security plug-in to automatically detect and block the malicious IP addresses.