Why does the redirect only show on mobile or from Google?

The redirect checks who is visiting before it fires. It usually reads the User-Agent and the referrer, and only triggers when the visitor looks like a search-engine click on a phone. Direct visits, repeat visitors, and logged-in admins are excluded, which is why the site owner often does not see it.

I changed my admin password. Why is the redirect still happening?

The redirect lives inside the site itself, not in your login. Until the code in PHP, the database, or .htaccess is removed, visitors will keep being routed wherever the attacker decided.

Will Google trust my site again after the redirect is removed?

Yes. We submit a Safe Browsing reconsideration as part of every cleanup and request re-indexation in Search Console. Most sites are out of the warning interstitial within a few days.

How did this happen in the first place?

Almost always a vulnerable plugin or a leaked admin/FTP credential. We identify the exact path and close it before handing the site back.

// REDIRECT MALWARE · WORDPRESS · REMOVED

WordPress redirect malware removal.

Manual removal of the redirect. I find how it got in, close it, and write you a report. Flat $279.

Start a cleanup → How redirect hacks work

§ 01 — MECHANISM

A hijacked redirect is hard to see and easy to lose money to.

The attacker plants code in your site that sends visitors to a different website. Sometimes it's a scam, sometimes affiliate spam, sometimes worse. It usually only fires for certain visitors — mobile users, people clicking from Google, first-time IPs — which is why the site owner often doesn't see it themselves.

It can live in a PHP file, in the database, or in the server's rewrite rules. I check all three. I remove it, find out how it got in, and close that door before I hand the site back.

// wp_options — redirect target probe

01 SELECT option_name, option_value
02 FROM wp_options
03 WHERE option_name IN ('siteurl', 'home');
04
05 // If either points anywhere other than your domain,
06 // the redirect has already overwritten core URLs.

§ 02 — WHAT WE REMOVE

Three places. I check all three.

[ TRIAGE ]

I reproduce the redirect with the same User-Agent and referrer that triggers it — no guessing.
[ FILES ]

PHP loaders in theme, mu-plugins, and wp-includes — removed by diff against a clean WordPress.
[ DATABASE ]

wp_options.siteurl restored; injected scripts pulled out of wp_posts; autoloaded payloads purged.
[ REWRITE RULES ]

Malicious .htaccess directives stripped; protective rules added.
[ GOOGLE ]

Reconsideration filed with Safe Browsing; affected URLs re-indexed via Search Console.
[ REPORT ]

Plain-English forensic write-up, entry vector identified, what to change before I hand back the keys.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Start an engagement.

Send the scope, stack, and timeline. You get a written proposal with a fixed quote.

Contact →