Fix: WordPress Redirects to Spam Site on Mobile Only (Solved)

Published on 12/6/2025
MD Pabel

Is your WordPress site working perfectly on desktop but redirecting to spam, gambling, or “You Won an iPhone” scams when visited on a phone?

This is a specific type of malware known as a Conditional Mobile Redirect. It is designed to trick site owners because the hacker knows you likely update and check your site from a computer, not your phone.

This guide explains why this happens and provides a step-by-step fix to remove the malicious code.


Quick Summary (Key Takeaways)

  • The Symptom: Site redirects to spam URLs only on mobile devices (iOS/Android).

  • The Cause: Malicious code checking the “User-Agent” to identify mobile visitors.

  • Most Common Hiding Spots: The .htaccess file, wp-header.php, or a rogue plugin.

  • First Step: Clear your mobile browser cache to ensure the redirect isn’t just “stuck” in your history.


Why Is This Happening?

Hackers inject a script into your WordPress files that checks the visitor’s User-Agent.

  • If User-Agent = Desktop: The site loads normally (so you don’t notice).

  • If User-Agent = Mobile: The script triggers a JavaScript window.location redirect to a spam network.

Because this is a “smart” hack, standard malware scanners sometimes miss it: they usually fetch your pages with a desktop User-Agent, so the malicious branch never fires during the scan.


Step-by-Step Removal Guide

⚠️ Prerequisite: Before touching any files, backup your website immediately using your hosting panel or a plugin like UpdraftPlus.

1. Check Your .htaccess File (Most Common Culprit)

The .htaccess file controls how your server handles requests. Hackers love to hide redirect rules here because the web server processes them before WordPress itself even loads.

  1. Log in to your Hosting File Manager (cPanel) or use an FTP client (like FileZilla).

  2. Locate the .htaccess file in your root directory (usually public_html).

  3. Edit the file and look for suspicious code blocks mentioning HTTP_USER_AGENT, android, iphone, or redirect.

  4. The Fix: If you see strange code outside the standard # BEGIN WordPress / # END WordPress markers, delete it. A clean, standard WordPress .htaccess file looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

2. Inspect header.php and footer.php

If the redirect is JavaScript-based, it is likely injected into your theme’s header or footer files.

  1. Navigate to /wp-content/themes/your-current-theme/.

  2. Open header.php.

  3. Look for <script> tags that look like random jumbles of letters and numbers (obfuscated code) or reference external domains (e.g., jquery-min.com or other lookalikes).

  4. The Fix: Remove the suspicious script lines.

3. Check for “Ghost” Plugins

Sometimes hackers install a plugin that doesn’t show up in your WordPress Dashboard.

  1. Using your File Manager/FTP, go to /wp-content/plugins/.

  2. Sort the folders by “Last Modified”.

  3. Look for any plugin folder modified recently that you did not update yourself.

  4. Look for generic names like cms-core, wp-security-patch, or plugin-update.

  5. The Fix: Delete the suspicious folder entirely.

4. Scan the Database for JavaScript Injection

Sometimes the redirect code is injected directly into your database posts or widgets.

  1. Install a plugin called “Better Search Replace”.

  2. Search for common malicious snippets like base64_decode, eval(, or specific spam URLs if you know them.

  3. Note: Be extremely careful editing the database. If you aren’t sure, skip this step or hire a professional.
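As an added helper that is not part of the original guide, the following Python script turns the indicators from Steps 1, 2 and 4 into checks you can run over file contents before editing anything by hand: it ignores the standard # BEGIN/END WordPress block, then flags User-Agent sniffing and external redirects in .htaccess, off-site, obfuscated or User-Agent-conditioned <script> tags in theme files, and eval/base64 payloads in stored post or widget content. The sample inputs, hostnames and the own_hosts set are constructed placeholders.

```python
import re
# Indicators the guide names: RewriteCond on HTTP_USER_AGENT for mobile devices and redirects
# outside # BEGIN/END WordPress, lookalike off-site or opaque <script> tags, eval/base64 in content.
MOBILE_KW_RE = re.compile(r"android|iphone|ipad|mobile", re.I)
REDIRECT_RE = re.compile(r"^\s*(RewriteRule\s+\S+\s+https?://|Redirect(Match)?\s)", re.I)
WP_BLOCK_RE = re.compile(r"# BEGIN WordPress.*?# END WordPress", re.S)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s]+)""", re.I)
OPAQUE_RE = re.compile(r"[A-Za-z0-9+/=_]{80,}")  # long base64/hex-like token
UA_REDIRECT_RE = re.compile(r"navigator\.userAgent.*?(window|document)\.location", re.S)
PHP_RE = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)

def scan_htaccess(text):
    """Step 1: flag UA sniffing and external redirects outside the WordPress block."""
    findings = []
    for line in WP_BLOCK_RE.sub("", text).splitlines():
        if "HTTP_USER_AGENT" in line.upper() and MOBILE_KW_RE.search(line):
            findings.append("htaccess UA sniffing: " + line.strip())
        elif REDIRECT_RE.match(line):
            findings.append("htaccess redirect outside WP block: " + line.strip())
    return findings

def scan_theme_file(text, own_hosts):
    """Step 2: flag off-site, obfuscated, or UA-conditioned <script> blocks."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(text):
        src = SRC_RE.search(attrs)
        if src and src.group(1).lower() not in own_hosts:
            findings.append("external script host: " + src.group(1))
        if OPAQUE_RE.search(body):
            findings.append("obfuscated inline script")
        if UA_REDIRECT_RE.search(body):
            findings.append("script redirects on navigator.userAgent")
    return findings

def scan_db_value(value):
    """Step 4: flag eval/base64 payloads and stray <script> tags in stored content."""
    findings = [m.group(1) + "( in content" for m in PHP_RE.finditer(value)]
    if SCRIPT_RE.search(value):
        findings.append("<script> tag stored in content")
    return findings

# Constructed samples for the three hiding spots (hostnames are placeholders, not real indicators).
SAMPLE_HTACCESS = ("RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
                   "RewriteRule ^ http://spam-landing.example/ [R=302,L]\n"
                   "# BEGIN WordPress\nRewriteRule . /index.php [L]\n# END WordPress\n")
SAMPLE_HEADER = ('<script src="//jquery-min.example/jquery.js"></script>\n<script>var _0x=["' + "A1b2" * 25
                 + '"];if(/iphone|android/i.test(navigator.userAgent)){window.location=_0x[0];}</script>')
SAMPLE_DB = "Welcome! <?php eval(base64_decode('...')); ?>"
```

Run each scanner over the real file contents (or a database export) and pass your own domain and trusted CDN hostnames in own_hosts so legitimate scripts are not flagged; anything returned is a line to inspect, not proof of infection by itself.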

5. Clear Caches (Crucial Final Step)

After removing the code, the redirect might still happen because your caching plugin or CDN (like Cloudflare) has saved the “hacked” version of the page.

  1. Purge All Caches in your caching plugin (WP Rocket, W3 Total Cache, etc.).

  2. Clear Cloudflare Cache if you use it.

  3. Test on a Private Tab: Open an Incognito/Private window on your phone (using 4G, not WiFi) to test if the redirect is gone.


How to Prevent Reinfection

Cleaning the hack is only half the battle. If you don’t plug the hole, they will get back in.

  • Update Everything: Ensure WordPress core, themes, and plugins are on the latest versions.

  • Change Passwords: Reset your WP Admin, Database, and FTP passwords immediately.

  • Install a Firewall: Use a security plugin like Wordfence or Sucuri to block future attacks.


Frequently Asked Questions (FAQ)

Q: Why does the redirect only happen on my phone?

A: Hackers use “User-Agent Sniffing” to hide the malware from site owners (who use desktops) and desktop-based malware scanners.

Q: Can I fix this without coding knowledge?

A: You can try installing the Wordfence or MalCare plugin to scan and auto-clean the files. However, deep redirects in the database sometimes require manual removal.

Q: Will this hurt my SEO?

A: Yes. If Google detects the mobile redirect, they will blacklist your site or display a “This site may be hacked” warning. You must fix it immediately to preserve your rankings.


About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7 years of experience, he has completed more than 3200 projects, served over 2300 clients, and resolved 4500+ cases of malware and hacked websites.