Quickly Fix WordPress Hacked Site – Secure Now!

by | Mar 30, 2025 | WordPress | 0 comments

Fix your hacked WordPress site quickly and securely. Learn how to remove malicious redirects, restore backups, and protect your site from future attacks. Discover now!

Imagine waking up to find your WordPress site redirecting visitors to some shady website or bombarded with strange pop-ups—frustrating, right? A hacked WordPress site isn’t just a minor inconvenience; it’s a serious threat to your business, credibility, and even your search rankings. Hackers exploit vulnerabilities to inject malicious redirects, create unauthorized admin accounts, or slow your site to a crawl. If you’re wondering, “Why does my website redirect to another website?”—you’re not alone. But don’t panic! In this guide, I’ll show you exactly how to fix a WordPress hacked site, remove those sneaky WordPress redirect hacks, and lock down your website for good. Let’s get started and reclaim your site’s security today!

1. How to Identify a Hacked WordPress Site

Not sure if your WordPress site has been hacked? Sometimes, the signs are obvious—like your site suddenly redirecting to a sketchy page (hello, WordPress hacked redirect!). Other times, the clues are subtle but just as dangerous. Let’s break down the red flags so you can spot a hack early and take action fast.

1. Your Website Redirects to Another Site

One of the biggest warning signs is when your site unexpectedly sends visitors elsewhere. If you’re asking, “Why does my website redirect to another website?”—chances are, hackers have inserted malicious redirects into your files or database. These redirects can harm your SEO, credibility, and even get your site blacklisted by Google.

2. Strange or Unknown Admin Users

If you notice new admin accounts that you didn’t create, your site has been compromised. Hackers often create secret backdoor accounts to regain access even after you remove malware. Always check your WordPress user list for suspicious accounts.

3. Malicious Pop-Ups or Spammy Links

Are weird pop-ups appearing on your site? Do some pages now show spammy links? This is a clear sign of a WordPress redirect hack. Hackers inject malicious scripts that can trick your visitors into clicking on harmful links—damaging your reputation and security.

4. Unusual Website Slowdown

A sudden drop in speed or strange spikes in server usage can indicate malware. Hackers sometimes use your site for phishing scams or even crypto mining, slowing down performance and frustrating your users.

How Do Hackers Insert Redirects?

Hackers exploit vulnerabilities in outdated plugins, themes, and weak passwords to inject malicious code into files like .htaccess, wp-config.php, and even your database. These redirects can send traffic to scam sites, steal your data, and hurt your Google rankings.

If any of these signs sound familiar, don’t wait—fix your hacked WordPress site ASAP! In the next section, I’ll walk you through the exact steps to remove malicious redirects and secure your website. Let’s get to it! 🚀

 

2. Immediate Steps to Secure Your Hacked WordPress Site

So, your WordPress site has been hacked. Take a deep breath—you’re not alone in this. The faster you act, the better. Hackers love lingering in the shadows, waiting for another chance to mess things up. But we’re not giving them that opportunity! Here’s what you need to do right now to fix your hacked WordPress site and take back control.

1. Change All Passwords Immediately

First things first—lock the doors before the intruder sneaks back in. If hackers got in once, they might still have access. Change every password related to your site:
✅ WordPress admin
✅ Hosting (cPanel, FTP/SFTP)
✅ Database (MySQL)
✅ Any connected email accounts

Pro tip: Use a strong password with a mix of uppercase, lowercase, numbers, and special characters. Better yet, use a password manager so you don’t have to remember them all.

2. Put Your Site in Maintenance Mode

If your site is infected with malicious redirects or sketchy pop-ups, you don’t want visitors (or Google!) to see it in that state. Temporarily put your site in maintenance mode while you fix the issue.

How? If you still have WordPress access, install a simple plugin like SeedProd or WP Maintenance Mode. If you can’t log in, you can manually create a maintenance.html page and redirect all traffic there until your site is clean.

3. Scan for Malware and Malicious Redirects

Now, it’s time to hunt down the malware. Hackers love to hide their scripts in places like:

  • .htaccess (a classic spot for WordPress redirect hacks) 
  • wp-config.php (where critical site settings are stored) 
  • Theme and plugin files (especially in functions.php) 
  • Database tables (they sometimes inject spammy links) 

Use a security plugin like Wordfence, Sucuri, or MalCare to scan your site. These tools can detect hacked files, unauthorized redirects, and other suspicious code.

👉 Found something shady? If the malware scanner points to infected files, compare them with a clean WordPress installation and remove any unfamiliar code.

This is your first line of defense in fixing a hacked WordPress site. In the next section, we’ll go step by step to remove malware, restore your website, and kick the hackers out for good. Stay with me—we’re getting your site back! 🚀

3. Fix WordPress Hacked Site: Step-by-Step Guide

If your WordPress site has been hacked, don’t panic! We’re going to fix your hacked WordPress site step by step. Think of this like cleaning up after an unexpected storm—you’ll remove the mess, secure everything, and get your site running smoothly again. Let’s dive in.

1. Restore a Clean Backup (If Available)

The fastest way to fix a hacked WordPress site? Restore a clean backup. If you have a recent backup from before the hack, this can instantly erase any malware or malicious redirects.

How to Restore Your Backup:

✅ Check if your hosting provider offers automatic backups (most managed WordPress hosts like SiteGround, Kinsta, and Bluehost do). You can usually restore your site via your hosting control panel.
✅ If you use a backup plugin like UpdraftPlus, BlogVault, or Jetpack, log into WordPress and restore your latest clean backup.
✅ Can’t access WordPress? Restore your site manually via FTP or cPanel by uploading the backup files.

👉 No backup? No worries. We’ll manually clean your site in the next step.

2. Manually Clean Malicious Code

If you don’t have a backup or prefer a hands-on approach, you’ll need to manually remove the malware. Hackers often insert malicious redirects into key WordPress files. Here’s where to check:

Key Files to Inspect for Malware:

  • .htaccess – This file controls redirects. Hackers love to add hidden malicious redirects here. 
  • wp-config.php – Your WordPress settings file. Hackers sometimes inject malicious scripts. 
  • Theme and Plugin Files – Check functions.php, header.php, and footer.php. 
  • Database – Some hacks inject spammy links into database tables. 

How to Remove Malicious Redirects:

✅ Use a security scanner like Wordfence, Sucuri, or MalCare to detect infected files.
✅ Manually check .htaccess and wp-config.php for unfamiliar code. If you see strange redirects, delete them.
✅ Scan your database using phpMyAdmin. Look for suspicious entries in the wp_posts and wp_options tables.
✅ Reinstall affected plugins and themes from the official WordPress repository.

🚨 Warning: If you’re not comfortable editing core files, back up your site before making changes!

3. Reinstall WordPress Core Files

Sometimes, the safest way to fix a hacked WordPress site is to replace the core WordPress files. This removes hidden backdoors and ensures your site is running clean code.

Steps to Reinstall WordPress Without Losing Content:

  1. Download a fresh copy of WordPress from WordPress.org. 
  2. Extract and upload only the wp-admin and wp-includes folders via FTP (this won’t affect your themes, plugins, or uploads). 
  3. Replace any infected files in the root directory, like index.php. 
  4. Log into your site and re-save permalinks under Settings > Permalinks to reset any hacked redirects. 
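Before overwriting wp-admin and wp-includes, it helps to record which core files differ from the fresh download, because files that exist only on the live site are the likeliest backdoors. The sketch below is an added example, not part of the original guide; it assumes the fresh copy is the same WordPress version as the site, and the function names and the tiny demo trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

# The two core folders the steps above replace.
CORE_DIRS = ("wp-admin", "wp-includes")


def hash_tree(root, subdirs):
    """Map relative path -> SHA-256 digest for every file under root/<subdir>."""
    digests = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_core(site_root, clean_root, subdirs=CORE_DIRS):
    """Compare the live site's core folders with a clean copy of the same version."""
    site = hash_tree(site_root, subdirs)
    clean = hash_tree(clean_root, subdirs)
    return {
        # Core files whose content changed: review, then overwrite.
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        # Files WordPress does not ship in these folders: likely planted.
        "added": sorted(p for p in site if p not in clean),
        # Core files deleted from the live site.
        "missing": sorted(p for p in clean if p not in site),
    }


def write_file(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Build two small constructed trees (not real WordPress files) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        site = os.path.join(tmp, "site")
        shipped = {
            "wp-includes/version.php": "<?php // core\n",
            "wp-admin/index.php": "<?php // dashboard\n",
        }
        for root in (clean, site):
            for rel, body in shipped.items():
                write_file(root, rel, body)
        # Simulate a tampered core file and an extra file on the live site.
        write_file(site, "wp-admin/index.php", "<?php // dashboard\n// injected line\n")
        write_file(site, "wp-includes/cache.php", "<?php // not in the clean copy\n")
        return compare_core(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Uploading the fresh folders over FTP overwrites modified files but leaves added ones in place, so anything listed under "added" has to be deleted by hand.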

4. Remove Unknown Users and Reset Permissions

Hackers often create hidden admin accounts to maintain access. If you see strange new users, remove them immediately.

How to Remove Unauthorized Admin Accounts:

✅ Go to WordPress Dashboard > Users and look for unfamiliar administrators.
✅ If you find one, delete it and reassign its posts to your real admin account.
✅ Change your admin username if it’s still “admin” (hackers target default usernames).
✅ Reset user roles and permissions to prevent unauthorized access.

🚀 You’re on your way to reclaiming your hacked WordPress site!

In the next section, we’ll tackle fixing WordPress redirect hacks and securing your site against future attacks. Stay tuned—we’re locking hackers out for good!

4. Fixing WordPress Redirect Hack

Imagine this: You open your website, expecting to see your homepage, but instead—bam!—you’re redirected to some sketchy online casino or a site selling knockoff sneakers. Frustrating, right? That’s the classic WordPress redirect hack, and it’s one of the most common ways hackers mess with your site.

But don’t worry! I’m going to walk you through exactly how to fix a WordPress hacked redirect issue and make sure your site stays secure moving forward. Let’s dive in!

Understanding Redirect Hacks

So, why does your website redirect to another website? The short answer: Hackers exploit vulnerabilities in your site—like outdated plugins, weak passwords, or poorly coded themes—to inject malicious code that forces visitors to another site.

Here’s how they do it:

  • Modifying Core Files: They sneak malicious redirect scripts into files like .htaccess, wp-config.php, and functions.php. 
  • Tampering with Plugins/Themes: Some free or outdated plugins/themes might contain vulnerabilities hackers can exploit. 
  • Injecting Malicious Database Entries: Redirect hacks often hide in your WordPress database, making them tricky to find. 
  • Adding Hidden JavaScript Code: Some hacks use JavaScript to secretly send users elsewhere without obvious changes to your site’s code. 

These redirects not only hurt your SEO (Google may blacklist your site!) but also damage trust with your visitors. That’s why fixing a hacked WordPress site quickly is crucial.

How to Fix the WordPress Hacked Redirect Issue

1. Remove Hidden Redirects from Theme and Plugin Files

Hackers love to hide redirect scripts inside theme and plugin files. Here’s how you can manually find and remove them:

  1. Check .htaccess File: 
    • Go to your website’s root folder via FTP or File Manager. 
    • Open .htaccess and look for suspicious code like RewriteRule or Redirect 301 pointing to unknown URLs. 
    • If you find anything shady, delete it and save the file. 
    • Reset .htaccess by going to WordPress Dashboard → Settings → Permalinks and clicking Save Changes. 
  2. Inspect wp-config.php and functions.php: 
    • Open these files and search for unfamiliar base64_decode or eval() functions—hackers use these to obfuscate malicious code. 
    • Remove any sketchy code and save the file. 
  3. Check Installed Plugins & Themes: 
    • Delete any inactive or suspicious plugins and themes. 
    • If you suspect a plugin is infected, replace it with a fresh download from the official WordPress repository. 
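The manual checks above can be scripted so that every .htaccess and PHP file in a downloaded copy of the site gets the same review. This is an added example, not code from the original guide: the allowlist, function names and sample file contents are constructed for illustration, and it looks only for the markers the steps name (Redirect and RewriteRule directives pointing at other hosts, plus eval and base64_decode calls).

```python
import os
import re
from urllib.parse import urlparse

# Assumption: hosts your own redirects may legitimately point to.
ALLOWED_HOSTS = {"yourwebsite.com", "www.yourwebsite.com"}

# Apache directives that can send a visitor to another URL.
DIRECTIVE = re.compile(
    r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b(.*)$", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# The two PHP calls the article names as obfuscation markers.
PHP_MARKER = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)

# Constructed sample: stock WordPress rules plus one external redirect.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
# END WordPress
RewriteRule ^(.*)$ http://unknown-site.example/ [R=302,L]
Redirect 301 /old-page https://yourwebsite.com/new-page
"""

# Constructed sample: a theme functions.php with one obfuscated line.
SAMPLE_PHP = """<?php
// theme setup
add_action('wp_head', 'theme_meta');
eval(base64_decode('PLACEHOLDER'));
"""


def scan_htaccess(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line number, directive, host) for redirects to hosts not allowed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        for url in URL.findall(match.group(2)):
            host = (urlparse(url).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((lineno, match.group(1), host))
    return findings


def scan_php(text):
    """Return (line number, [marker names]) for lines calling eval/base64_decode."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        names = sorted({n.lower() for n in PHP_MARKER.findall(line)})
        if names:
            findings.append((lineno, names))
    return findings


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a site directory; return {relative path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = (scan_htaccess(text, allowed_hosts) if name == ".htaccess"
                    else scan_php(text))
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


if __name__ == "__main__":
    print(scan_htaccess(SAMPLE_HTACCESS))
    print(scan_php(SAMPLE_PHP))
```

Legitimate plugins also call base64_decode, so treat each hit as a line to review against a clean copy of the file rather than as proof of infection.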

2. Scan and Clean Database Entries with Malicious Redirects

Some redirect hacks don’t live in your files—they hide inside your database. Here’s how to remove them:

  1. Use phpMyAdmin: 
    • Log into your hosting account and navigate to phpMyAdmin. 
    • Select your WordPress database. 
    • Click Search and look for terms like eval, base64_decode, or suspicious URLs. 
    • If you find malicious entries, delete them carefully (backup your database first!). 
  2. Use a Security Plugin: 
    • Install Wordfence, Sucuri, or MalCare. 
    • Run a full scan to detect hacked database entries and remove them. 

Redirect in WordPress Without Plugin

If you need to set up a safe redirect (like forwarding users to a new page), it’s best to do it without plugins to avoid security risks.

  1. Using .htaccess for Redirects: 
    • Open .htaccess in your site’s root folder. 
    • Add this code at the bottom (replace URLs with your own):

Redirect 301 /old-page https://yourwebsite.com/new-page

    • Save the file and test your redirect. 
  2. Redirect in WordPress Using functions.php: 
    • Open your theme’s functions.php file. 
    • Add this snippet:

// Send visitors of the page with slug "old-page" to the new URL (permanent redirect).
function my_custom_redirect() {
    if (is_page('old-page')) {
        wp_redirect('https://yourwebsite.com/new-page', 301);
        exit();
    }
}
add_action('template_redirect', 'my_custom_redirect');

    • This will safely redirect visitors without relying on a plugin. 

WordPress Redirect to Another Page Programmatically

Sometimes, you need to redirect users dynamically—maybe after form submission or login. Here’s how to do it programmatically:

Redirect Users After Login:

// Send every user to /dashboard after a successful login.
function redirect_after_login($redirect_to, $request, $user) {
    return home_url('/dashboard'); // Change to your desired URL
}
add_filter('login_redirect', 'redirect_after_login', 10, 3);

Redirect Users After Form Submission:

// Run this in your form handler, after the submitted data has been processed.
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    wp_redirect('https://yourwebsite.com/thank-you');
    exit();
}

Final Thoughts: Locking Hackers Out for Good

Fixing a hacked WordPress site is stressful, but staying proactive is the key to preventing future attacks. Here’s what you should do next:

  • Keep WordPress, plugins, and themes updated. Outdated software = easy target for hackers.
  • Use a security plugin like Wordfence or Sucuri to monitor your site in real-time.
  • Limit login attempts & enable 2FA (two-factor authentication) for extra security.
  • Back up your website regularly—so even if something goes wrong, you can restore it instantly.

By following these steps, you’ll not only fix your WordPress hacked site but also prevent future attacks like the WordPress redirect hack. Your site’s security is in your hands—stay vigilant, stay updated, and keep hackers out for good! 🚀

5. Using a Redirection Plugin for WordPress Security

Ever clicked on a link expecting to land on a familiar page, but instead, you found yourself on some random site selling knockoff sunglasses? Annoying, right? That’s exactly how your visitors feel when hackers inject malicious redirects into your site. But don’t worry—we can stop them in their tracks with a solid redirection plugin. Let’s dive into the best options and how to use them like a pro!

Best Redirect Plugin for WordPress Security

There are tons of redirect plugins out there, but not all are built with security in mind. Here are my top picks to keep your site safe and running smoothly:

Redirection – The OG of redirect plugins. Super easy to use, logs 404 errors, and even lets you set up conditional redirects. Bonus: It’s free!

Safe Redirect Manager – Lightweight and perfect if you need a simple way to manage redirects without bloating your site.

301 Redirects – Easy Redirect Manager – Great for fixing broken links and preventing redirect hacks, especially if you’ve recently changed URLs.

Yoast SEO (Premium) – If you’re already using Yoast SEO, the premium version includes a handy redirect manager to handle everything in one place.

Using any of these will help you take control of your site’s redirects and stop sneaky hackers from messing things up. Now, let’s talk about how to set up safe redirects the right way.

How to Use a Redirection Plugin in WordPress

Setting up redirects sounds techy, but trust me—it’s easier than making a cup of coffee. Here’s how to do it step by step:

Step 1: Install and Activate the Plugin

Head over to your WordPress dashboard, go to Plugins > Add New, search for Redirection, and click Install Now > Activate. Boom! You’re in business.

Step 2: Set Up a Secure Redirect

  1. Navigate to Tools > Redirection in your WordPress dashboard. 
  2. Click the Add New Redirect button. 
  3. In the Source URL field, enter the old URL (the one you want to redirect FROM). 
  4. In the Target URL field, enter the new URL (the one you want visitors to land ON). 
  5. Under Group, select “Redirections” (or create a custom group if you’re feeling fancy). 
  6. Hit Add Redirect, and you’re done! 🎉 

Step 3: Test Your Redirect

Copy your old URL, paste it into your browser, and hit enter. If it smoothly takes you to the new page—congrats, you did it right!

Pro Tips for Secure Redirects

Use 301 Redirects for Permanent Changes – This tells search engines, “Hey, this page moved forever,” so they pass the SEO juice to your new page.

Monitor 404 Errors – Hackers love exploiting broken links. Redirection plugins help you track and fix them fast.

Avoid Redirect Chains – Don’t send visitors from Page A → Page B → Page C. It slows down your site and frustrates users. Keep it direct.

Regularly Check for Malicious Redirects – Even if you have a redirect plugin, hackers might sneak in shady redirects via .htaccess or database injections. Use a security scanner like Wordfence or Sucuri to stay ahead.

Final Thoughts

Redirect plugins aren’t just about convenience—they’re a security must-have. By properly managing your redirects, you can prevent hacker exploits, fix broken links, and keep your visitors (and Google!) happy. So, go ahead, install a solid redirect plugin, and take control of your WordPress site’s security today!

🚀 Next up: How to prevent future WordPress hacks and lock down your site for good!

 

6. Prevent Future WordPress Hacks

Keeping your website safe is important. Hackers target outdated sites. Follow these steps to improve security and protect your site.

Keep WordPress Updated

Updates fix security holes. Always update WordPress, themes, and plugins. Set automatic updates if possible. Outdated software makes hacking easier. Stay ahead by keeping everything current.

Use a Security Plugin

A good security plugin blocks threats. Wordfence and Sucuri offer firewalls and malware scans. They also send alerts for suspicious activity. Install one and set it up properly.

Choose Secure Hosting

Your hosting provider affects security. Pick a host with firewalls, backups, and malware protection. A strong host reduces hacking risks. Check reviews before choosing a plan.

Backup Your Website Regularly

Backups help recover lost data. Use tools like UpdraftPlus or Jetpack Backup. Automate backups to avoid forgetting. Store copies in different locations. A backup can save your site.

Limit Logins and Enable 2FA

Too many login attempts can mean an attack. Limit retries to block hackers. Enable Two-Factor Authentication (2FA) for extra protection. Plugins like Google Authenticator make it easy.

By following these steps, you can reduce risks and keep your site safe. Small actions make a big difference in WordPress security.

 


 

Conclusion: Stay One Step Ahead of Hackers

If you’ve made it this far, congratulations! You now have a clear roadmap to fix a hacked WordPress site and prevent it from happening again. I know—dealing with a hacked site feels like waking up to find your house turned upside down. It’s frustrating, overwhelming, and just plain exhausting. But here’s the good news: you’re not powerless.

Let’s quickly recap what you need to do when your WordPress site is hacked:

  • Identify the hack: Look for suspicious redirects, malware warnings, or unauthorized changes. 
  • Secure your access: Reset all passwords, enable two-factor authentication, and check user roles. 
  • Clean the mess: Remove malware, scan your files, and fix malicious WordPress redirects. 
  • Strengthen security: Update everything, use a firewall, and block shady login attempts. 
  • Monitor and prevent: Regularly scan for threats, back up your site, and invest in trusted WordPress security tools. 

Why Prevention is the Best Fix

I can’t stress this enough—prevention is way easier than recovery. Just like you wouldn’t leave your front door unlocked at night, don’t leave your website open to hackers. A few proactive steps can save you countless hours (and headaches) in the future:

  • Install a WordPress security plugin like Wordfence or Sucuri. 
  • Regularly update your themes, plugins, and core WordPress files. 
  • Set up proper redirects in WordPress to avoid vulnerabilities. 
  • Use strong, unique passwords and avoid using “admin” as your username. 

Recommended Resources for WordPress Security

If you’re serious about keeping your website safe, these resources are your best friends:

  • WordFence (www.wordfence.com) – A powerful security plugin that actively blocks threats. 
  • Sucuri (sucuri.net) – Great for malware scanning and firewall protection. 
  • Redirection Plugin (wordpress.org/plugins/redirection) – Helps manage redirects in WordPress. 
  • Google Search Console – Alerts you if Google detects malware on your site. 

Final Thoughts

At the end of the day, securing your site is like brushing your teeth—you don’t wait until there’s a problem to start. Take action now to protect your hard work! If you ever find yourself facing a WordPress redirect hack or wondering, “Why does my website redirect to another website?”, you’ll know exactly how to tackle it.

And hey, if this guide helped you, pass it along! Let’s help more website owners keep their sites safe. If you’ve got questions or need help, drop a comment—I’m always happy to chat!

Stay safe, and happy WordPress-ing! 🚀

 

  1. What are the signs of a hacked WordPress site?
    A hacked WordPress site may redirect visitors, have unknown admin users, show spammy links, or slow down unexpectedly. These are signs of a security breach that requires immediate attention.
  2. How do hackers insert redirects in WordPress?
    Hackers exploit outdated plugins, themes, and weak passwords to insert malicious redirects into files like .htaccess, wp-config.php, and the WordPress database.
  3. How can I secure my WordPress site after it’s hacked?
    Change all passwords, put your site in maintenance mode, and use a security plugin like Wordfence to scan for malware. These steps help secure your site quickly.
  4. How can I remove malicious redirects from WordPress?
    To remove redirects, check files like .htaccess and wp-config.php for malicious code. You can also use security plugins or manually scan the database for infected entries.
  5. What should I do if I don’t have a backup for my hacked WordPress site?
    If you don’t have a backup, manually remove malware from key files, reinstall WordPress core files, and restore clean files from the official WordPress repository.
  6. How can I prevent future WordPress hacks?
    To prevent future hacks, regularly update WordPress, use strong passwords, enable two-factor authentication (2FA), and install a security plugin like Wordfence.
  7. How do I know if my WordPress site is redirecting to a malicious site?
    If your WordPress site is redirecting to another site, it’s likely a sign of a redirect hack. Check your site’s files and database for suspicious code or unknown entries.
  8. What is the best redirection plugin for WordPress security?
    Redirection, Safe Redirect Manager, and 301 Redirects are great plugins for managing redirects securely. These tools help prevent malicious redirects and ensure proper site navigation.
  9. How do I fix a WordPress site that redirects to another page?
    Check your .htaccess, wp-config.php, and theme files for suspicious code. Remove any harmful redirects and reset your permalinks to fix the issue.
  10. How can I restore my WordPress site if it’s hacked?
    If you have a backup, restore it immediately. If not, manually clean your site’s files, reinstall WordPress core files, and remove any unauthorized admin accounts.
  11. Why does my WordPress website redirect to another website?
    Your WordPress website may redirect due to malicious code injected by hackers. These redirects can harm SEO, credibility, and site performance.
  12. What should I do if hackers create new admin accounts on my WordPress site?
    Remove any unknown admin users immediately and reset your admin password. Ensure that only trusted users have admin privileges on your site.
  13. How can I fix my WordPress site without a backup?
    If you don’t have a backup, manually clean your WordPress files by removing infected code from .htaccess, wp-config.php, and plugins, then reinstall WordPress.
  14. How can I avoid WordPress redirect hacks?
    Keep WordPress, themes, and plugins updated, use strong passwords, and install a security plugin. These steps will help protect your site from redirect hacks.
  15. How do I manually fix a hacked WordPress site?
    To manually fix a hacked site, remove malicious code from your files, reinstall WordPress core files, and check your database for infected entries or redirects.