threatover Patrik Grobshäuser

REDIRECT MALWARE · WORDPRESS · REMOVED

WordPress redirect malware removal.

Manual removal of the redirect. I find how it got in, close it, and write you a report. Flat $279.

MECHANISM

A hijacked redirect is hard to see and easy to lose money to.

The attacker plants code in your site that sends visitors to a different website. Sometimes it's a scam, sometimes affiliate spam, sometimes worse. It usually only fires for certain visitors — mobile users, people clicking from Google, first-time IPs — which is why the site owner often doesn't see it themselves.

It can live in a PHP file, in the database, or in the server's rewrite rules. I check all three. I remove it, find out how it got in, and close that door before I hand the site back.

wp_options — redirect target probe
01 SELECT option_name, option_value
02 FROM wp_options
03 WHERE option_name IN ('siteurl', 'home');
04
05 // If either points anywhere other than your domain,
06 // the redirect has already overwritten core URLs.

What I remove

Three places. I check all three.

  • TRIAGE

    I reproduce the redirect with the same User-Agent and referrer that triggers it — no guessing.

  • FILES

    PHP loaders in theme, mu-plugins, and wp-includes — removed by diff against a clean WordPress.

  • DATABASE

    wp_options.siteurl restored; injected scripts pulled out of wp_posts; autoloaded payloads purged.

  • REWRITE RULES

    Malicious .htaccess directives stripped; protective rules added.

  • GOOGLE

    Reconsideration filed with Safe Browsing; affected URLs re-indexed via Search Console.

  • REPORT

    Plain-English forensic write-up, entry vector identified, what to change before I hand back the keys.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.