Random Redirects of Website

  • Aditya Agarwal

    (@adityamilyin)



    Hi, I am running WordPress on GoDaddy via Cloudflare CDN.
    My site for the past days is getting randomly redirected. The issue happens when the site is loaded after a few minutes of inactivity, and usually happens to posts. The issue has been seen on a variety of posts, and I can confirm that if after inactivity it is loaded more than twice, it starts to show the right page.

    I tried a plugin conflict test, no results. Then I decided to delete the wp-includes and wp-admin files along with header.php etc. and technically reinstall everything of WordPress other than wp-content. As soon as I did this, I deleted all themes and plugins and reinstalled, so that all corrupt files other than uploads could get deleted and only relevant things come back. Then I changed the database prefix for php, renamed all tables, and changed options and user meta accordingly, but that did not help. My site still gets redirected after inactivity.

    I can assure that no redirect is created from my site. And that the redirect is to some variety of external cheap sites, and every time it is different. Also after 2-3 tries it stops redirecting till the next period of inactivity.

  • Moderator t-p

    (@t-p)

    Please see the Sucuri online scan test results: https://sitecheck.sucuri.net/results/milyin.com

    Their scan results indicate your site is blacklisted.

    If you think your site is compromised, then carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Oh thanks, but what does it actually mean… Blacklisted means?

    And I checked the report, you are right. How should I solve it? As I said while starting the topic, all mentioned steps were told; is there anything I am missing?

    What does it mean? Your site has been hacked somehow by someone.

    Work through the suggestions @t-p made earlier and get back to us if you still have troubles.

    Moderator t-p

    (@t-p)

    FYI: If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Offhand, a couple of names that come to mind are Sucuri and Wordfence.

    You’ve been hacked and you’ll need to shell into your site and run a Grep search for a backdoor.

    1. Do not change any passwords or the hackers will see you change them.
    2. Find someone like me and run Grep. Most hosts will not help you or unhack your site.
    3. You may be able to revert back to a previous backup before you were hacked but hackers have your passcodes throughout already so why even do that?

    You need to clean your server first. Update plugins and then change passcodes. Close all backdoors.

    Hi, here are some other observations and actions that happened in the past 24 hours.
    Before getting into them, let me tell you that my site is open for registrations, so anyone can register on my site, which might be the issue for the hack. In fact, they can publish posts at the frontend using a plugin I installed. They can’t access wp-admin; with plugins I have restricted their access to the same. In fact, even if they access it, they have no user role permissions other than publishing their own posts. I have ensured that reCAPTCHA is there over registrations and logins to prevent bots.

    Is it possible they may have inserted some code using the text mode of the publisher?

    Now observations and actions:
    1. In my database I found a few files that did not have any table prefix behind them, so I have deleted them.

    2. I installed Sucuri; it asked me to add some code to the .htaccess file and I did it. It asked me to delete 4 files that are not part of default WordPress (1 file was from my hosting provider so I left it and deleted the remaining 3).

    3. As someone reported above, Norton Safe suggests I am blacklisted, I don’t know why. I also got to know, from Sucuri, “Site error detected: Security warning in the URL https://milyin.com/404javascript.js”. This is not a page, so I can’t delete it like I delete pages (that I created). I tried deactivating plugins; it does not help.

    4. The redirect happens mainly on mobile, and was first spotted at the URL “https://milyin.com/creations/7630”. Also, opening some other post and coming back to the post that was redirecting solves it temporarily. If I open some other post (that does not seem to redirect) like “https://milyin.com/creations/2001/” and then try to open the first one, it solves it. Though this applies only to posts; if I open some page and then go back to the post, it doesn’t help. Also, it is not only the post mentioned above that is redirecting; many others also do, but it’s an example. I picked this because both the aforementioned posts are by my friends and they can’t put some wrong code.

    For those who would like to see the real working of my site, and see what all a person registered on my site can do, I will be creating user id: demo and pass: DELETED

    Aditya Agarwal

    (@adityamilyin)

    There is no success till now. I think this is some issue with JavaScript. Though I am not a technical guy, that’s my belief because Sucuri also says security warning on a JavaScript file.

    I think I need some code to prevent execution of any JavaScript or PHP added through the frontend. By the way, before, as soon as I enter the URL it says, ‘The contents you are looking for have moved. You will be redirected to the new location automatically in 1 seconds. If your browser doesn’t redirect you to the new location please click here’ and then regardless of click it gets redirected.

    Also here’s the inspect element of that very moment when above mentioned text is shown.

    [ SNIP! ]

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    I’ve removed the HTML code. It doesn’t really add anything and you need to delouse your site as t-p mentioned.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Also? Please do not create accounts and ask random passersby to access your system.

    I have redacted the information you posted about that.

    quttera

    (@quttera)

    According to the provided description, it looks like cookie-based redirection.
    Once you visit any post on this site, your web browser stores this cookie and the site should continue to work properly until the expiration of this cookie.

    The infection could be injected into one of the WordPress files or into a backend database.

    There is a need to perform an internal (server-side) scan of the WordPress files as well as the content of the WordPress posts table.
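
An added example, not part of the original thread and not any poster's or vendor's code: a heuristic server-side scan of PHP files and of exported post content, the two places the last reply says to check. The rule lists, function names and sample files are assumptions constructed for illustration; a hit is a lead for manual review, not proof of infection.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumptions for this example, not an exhaustive list).
FILE_RULES = {
    "eval of decoded data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "cookie check near redirect": re.compile(rb"\$_COOKIE.{0,300}?Location\s*:", re.I | re.S),
}
POST_RULES = {
    "script tag": re.compile(r"<script\b", re.I),
    "meta refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
}

def scan_files(root):
    """Return sorted (relative_path, reason) pairs for PHP files under root."""
    root, hits = Path(root), []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if "wp-content/uploads/" in rel:  # uploads should hold media, not code
            hits.append((rel, "PHP file in uploads"))
        data = path.read_bytes()
        hits += [(rel, why) for why, rx in FILE_RULES.items() if rx.search(data)]
    return sorted(hits)

def scan_posts(rows):
    """rows: (ID, post_content) pairs exported from the posts table."""
    return [(pid, why) for pid, body in rows
            for why, rx in POST_RULES.items() if rx.search(body)]

def build_sample_site(root):
    """Constructed sample tree: one clean file and two that should be flagged."""
    samples = {
        "wp-includes/clean.php": b"<?php echo 'hello';",
        "wp-content/uploads/2019/x.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
        "wp-content/themes/t/header.php":
            b"<?php if (!isset($_COOKIE['seen'])) { setcookie('seen', '1');"
            b" header('Location: https://redirect.invalid/'); }",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(scan_files(tmp))
    print(scan_posts([(1, "plain text"), (2, "<script src='//cdn.invalid/a.js'></script>")]))
```

On a real site, `scan_files` would be pointed at the WordPress root and `scan_posts` fed the ID and post_content columns exported from the posts table.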
