If you visit your own website and suddenly land on a pharmacy, casino, or scam page, you have a spam redirect hack. It is one of the most common and most damaging WordPress infections, because it hijacks the visitors and the search reputation you worked to build. Here is exactly why it happens and how to fix it.
What a Spam Redirect Hack Is
A redirect hack is malicious code added to your site that sends visitors somewhere you did not intend. The redirect is often conditional: it may only trigger for visitors arriving from Google, only on mobile, or only for people who are not logged in. That is why a site can look fine to you while sending every real visitor to spam.
How It Gets In
Attackers exploit a weak point, almost always an outdated plugin or theme or a weak admin password, then inject code into one or more places:
- Theme files such as functions.php or header.php
- Core files like wp-config.php or index.php
- The .htaccess file
- The database, usually wp_options or wp_posts
- Fake plugins dropped into the plugins folder
Because the code can hide in several spots at once, removing it from one file is rarely enough.
How to Confirm It
Test in a private or incognito window, and click through from a Google search result rather than typing the address. Check on both desktop and mobile. If the redirect appears for visitors but not when you are logged in, that is a strong sign of a conditional redirect. A malware scan of files and database will confirm it.
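A command-line version of the check just described, added here as an example and not part of the original page: it requests your page the way a visitor arrives (plain, from a Google result, from a Google result on a phone) and reports whether each request lands on another host. It assumes curl is installed and that the site is yours; the response headers used to exercise the parsing functions are constructed.

```shell
#!/bin/sh
# Added example, not from the article: request a page the way a real visitor
# arrives (from a Google result, on a phone) and report where each request lands.
# Assumes curl is installed and the site is yours; test headers are constructed.

# Final Location target from raw response headers; empty when there is no redirect.
redirect_target() {
  printf '%s\n' "$1" | grep -i '^location:' | tail -n 1 \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Host part of a URL (scheme, path and query stripped).
host_of() { printf '%s' "$1" | sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]+).*|\1|'; }

# True when the Location points at a different host than the site: the redirect-hack signature.
# Relative or empty targets are never off-site.
is_offsite() {
  case "$2" in ""|/*) return 1 ;; esac
  [ "$(host_of "$1")" != "$(host_of "$2")" ]
}

# Headers only, without following redirects, for a given referer and user agent.
# A HEAD request can miss JavaScript redirects injected into the page body; save a GET too.
probe() { curl -sS -I -m 15 -e "$2" -A "$3" "$1" 2>/dev/null; }

# Plain visit vs. "from Google" vs. "from Google on an iPhone", the cases the text describes.
confirm_conditional_redirect() {
  url="$1"; desktop="Mozilla/5.0 (X11; Linux x86_64)"
  phone="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
  for label in plain google mobile; do
    case "$label" in
      plain)  t=$(redirect_target "$(probe "$url" "" "$desktop")") ;;
      google) t=$(redirect_target "$(probe "$url" "https://www.google.com/" "$desktop")") ;;
      mobile) t=$(redirect_target "$(probe "$url" "https://www.google.com/" "$phone")") ;;
    esac
    if is_offsite "$url" "$t"; then echo "$label: OFFSITE -> $t"; else echo "$label: ${t:-no redirect}"; fi
  done
}
```

Run it as `confirm_conditional_redirect https://your-site.example/` from a machine outside your own network; an OFFSITE line for google or mobile but not for plain is the conditional pattern the section describes.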
How to Fix It
A reliable cleanup follows the same steps every time:
- Take a full backup of files and database before touching anything
- Scan files and the database to locate every injected piece
- Remove the malicious code and any fake plugins or admin users
- Clean infected rows in wp_options and wp_posts
- Update WordPress core, themes, and plugins, and rotate all passwords
- Install a firewall and monitoring so it cannot return through the same hole
If any of that is beyond what you want to take on, our Hacked Site Rescue does the whole process for a flat fee, and you only pay once the site is clean.
How to Stop It Coming Back
Redirect hacks return when the entry point is left open. Keep everything updated, enforce strong passwords and two-factor login, remove unused plugins, and run monitoring. An ongoing care plan handles all of this so a one-time cleanup stays clean. For the bigger picture, see our WordPress security guide.
Where the Malicious Code Usually Hides
Redirect hacks rarely live in just one file, which is why a surface cleanup almost always fails. The same hack will quietly reinfect through whatever spot you missed. These are the places we check first, in roughly this order:
- wp-config.php. Attackers append a small PHP snippet near the top so it runs on every page load. It is often obfuscated with base64 or hex encoding.
- functions.php in the active theme. Easy to edit, runs on every request, and easy to hide inside a long file. Always check the child theme if you have one.
- .htaccess at the document root and inside wp-content/uploads. Used to redirect specific paths, block search-engine bots, or send mobile users only to spam.
- index.php in WordPress core. Sometimes overwritten entirely with a malicious version. A diff against a fresh WordPress download flags this fast.
- Database rows in wp_options (often siteurl, home, or custom option names) and wp_posts rows containing injected JavaScript.
- Fake plugins dropped into wp-content/plugins/ with innocuous names like wp-cache.php or social.php that never appeared in the plugins admin.
Checking just one or two of these spots is the most common reason the redirect returns within hours. A real cleanup covers all of them, then closes the entry point that let the attacker in.
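As an added example (not the rescue service's own tooling), the triage below covers the scan step from How to Fix It and the hiding places just listed in one pass: obfuscated PHP in wp-config.php and theme functions.php, referer- or device-conditional .htaccess rules, a core index.php holding more than it should, loose PHP files in wp-content/plugins, and wp_options URLs that point at another host. It assumes a POSIX shell with grep and sed; the infected sample site it builds is constructed inline, and the patterns are triage heuristics rather than a complete scanner.

```shell
#!/bin/sh
# Added example, not the article's own tool: triage the injection spots listed
# above. Assumes a WordPress docroot path; the sample site is constructed below.
# Print one SUSPECT line per finding. These heuristics narrow the search; they are
# not a complete scanner, so a clean result here does not prove the site is clean.
scan_wp_for_redirect() {
  root="$1"
  # 1. wp-config.php and every theme functions.php: obfuscated PHP run on each request
  for f in "$root/wp-config.php" "$root"/wp-content/themes/*/functions.php; do
    [ -f "$f" ] || continue
    grep -Eq 'eval\(|base64_decode\(|gzinflate\(|\\x[0-9a-fA-F]{2}' "$f" \
      && echo "SUSPECT php-obfuscation: $f"
  done
  # 2. .htaccess at the docroot and under uploads: rewrites keyed on referer or mobile UA
  for f in "$root/.htaccess" "$root/wp-content/uploads/.htaccess"; do
    [ -f "$f" ] || continue
    grep -Eiq 'RewriteCond.*(HTTP_REFERER|HTTP_USER_AGENT).*(google|android|iphone|mobile)' "$f" \
      && echo "SUSPECT htaccess-conditional: $f"
  done
  # 3. Core index.php: a pristine copy holds only comments, one define() and one require
  f="$root/index.php"
  [ -f "$f" ] && grep -Evq '^[[:space:]]*(<\?php|/?\*|\*/|define\(|require )|^[[:space:]]*$' "$f" \
    && echo "SUSPECT core-index: $f"
  # 4. Loose PHP files dropped straight into wp-content/plugins (fake plugins)
  for f in "$root"/wp-content/plugins/*.php; do
    [ -f "$f" ] && [ "$(basename "$f")" != index.php ] && echo "SUSPECT fake-plugin: $f"
  done
  return 0
}
# 5. wp_options siteurl/home (e.g. output of `wp option get siteurl`) must point at your host.
check_site_urls() {
  expected_host="$1"; shift
  for url in "$@"; do
    case "$url" in *"://$expected_host"|*"://$expected_host"/*) ;; *) echo "SUSPECT option-url: $url" ;; esac
  done
  return 0
}
# Constructed sample docroot with one infected file per spot (functions.php left clean).
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/sample" "$d/wp-content/uploads" "$d/wp-content/plugins"
  printf '<?php\n@eval(base64_decode("aGVsbG8="));\ndefine("DB_NAME", "wp");\n' > "$d/wp-config.php"
  printf '<?php\nadd_action("init", "sample_setup");\n' > "$d/wp-content/themes/sample/functions.php"
  printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google [NC]\nRewriteRule .* http://spam.example/ [R,L]\n' > "$d/.htaccess"
  printf '<?php\ninclude "wp-content/uploads/dropper.txt";\ndefine( "WP_USE_THEMES", true );\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
  printf '<?php header("Location: http://spam.example/");\n' > "$d/wp-content/plugins/wp-cache.php"
  echo "$d"
}
```

Against a real install, run `scan_wp_for_redirect /var/www/html` and `check_site_urls your-host.example "$(wp option get siteurl)" "$(wp option get home)"`; every SUSPECT line is a file or row to inspect by hand before the cleanup steps above, and the core index.php check is a stand-in for the full diff against a fresh download.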
How to Tell a Hack From Other Causes
Not every weird redirect is a hack. Before you start tearing into your site, rule out the simpler causes, because the fix is very different:
- A browser extension or local malware on your own device. Test from a private window with extensions disabled, then from a different device on a different network. If only your machine sees the redirect, it is your machine.
- A DNS hijack at your registrar. Open your DNS panel and check your domain’s nameservers. If they point somewhere you do not recognize, your registrar account is the breach, not WordPress. Lock the registrar and rotate that password before touching anything else.
- A misbehaving ad network or third-party script. Pages with embedded ad scripts can redirect visitors based on country, device, or time of day. Pause the network and retest before assuming WordPress is compromised.
- A recent theme or plugin update bug. If the redirect started immediately after an update, deactivate the suspect plugin (with a backup first) to confirm. Real exploits do not usually appear the day of a legitimate update.
If those are all clean and the redirect persists, especially when arriving from Google or on mobile, you are almost certainly looking at a real WordPress infection and the cleanup steps above apply.
Other Warning Signs of a Redirect Hack
A spam redirect rarely shows up alone. By the time visitors are being sent to pharmacy or casino sites, the attacker has usually planted several other things you may notice:
- A "This site may be hacked" warning in Google search results, sometimes before the redirects start. Our guide on a Google-flagged WordPress site covers what to do next.
- Mysterious pages or posts in another language showing up in Google for queries you never targeted (casino, pharma, replica goods, gambling). They may not appear in your WordPress admin at all.
- New administrator users you did not create, often with no email address or an obviously fake one.
- Your host or security plugin pinging you about file changes, malicious scripts, or outbound spam from your account. These automated alerts are usually the first official warning and should never be ignored.
If you see two or more of these alongside the redirect, treat it as a confirmed hack and start the cleanup, or bring in a professional. We cover the full diagnostic in 7 signs your WordPress site is hacked.
Frequently Asked Questions
Why does my site only redirect from Google or on mobile?
Attackers make the redirect conditional so it is harder for the owner to notice. It can target visitors from search engines, mobile devices, or logged-out users specifically.
Is a spam redirect dangerous to my visitors?
Yes. It sends them to scam and malware pages and destroys their trust in your brand. Google may also blacklist the site to protect users.
Can I fix a redirect hack myself?
If you are comfortable editing core files and the database and finding every injection point, yes. Most owners prefer a professional cleanup because missing one hidden file lets the hack return.
How long does it take to clean?
Most redirect infections are cleaned within 24 hours, or the same day with priority service.
Site redirecting to spam right now?
We find every injection point, clean it, and lock the site down. Pay only after it is fixed.
