While we are often contacted to deal with cleaning up hacked WordPress websites, we also often run across hacked WordPress websites when we are contacted about doing other work. We mentioned a recent instance where a WordPress website that was running slowly was hacked. In another instance, while checking on a website to see what software it was running, we got redirected to another website. What was going on? The website was hacked, but determining that isn’t always easy from the outside, as the redirects can happen intermittently and you don’t necessarily have any other way of spotting the hack from the outside.
While some redirects occur because of JavaScript code being loaded by a web page, so you can see the code even if it doesn’t cause a redirect in a particular instance, others occur before the web page loads. When the redirect occurs can vary. In this particular situation, the redirect had happened for us when we directly accessed the website, but didn’t happen the second time. The results of a tool we have to check if website are redirecting from Google showed the same pattern. Here was the result of that the first time we requested the page:
The details of that are not going to mean much to those not familiar with HTTP headers, but what is going on is that when requesting the page from Google the request was being temporarily redirected (a 302 redirect) to Location: https://ootooghangoh.shop/?u=k8pp605&o=c9ewtnr&t=ggdown.
A temporary redirect just means that web browser (and other systems) shouldn’t store the redirect and automatically redirect the next time.
When running the same request again, the redirect didn’t happen again:
In both cases, trying again few hours later, the redirect again occurred with the first attempt, but not on subsequent requests.
In other situations, the redirect might only in other situations, including only requests from mobile devices.
Just to make it a bit harder to determine what is going on, it is also possible that there is malware on someone’s computer that is causing a redirect.
If you are unsure of if your WordPress website is hacked, please contact us to get a second opinion on your belief that it might be hacked.