How to Fix WordPress Redirect Malware: The “Akmcdnrepo” JavaScript Hack Explained
Is your WordPress site randomly redirecting visitors to spammy websites, betting platforms, or phishing pages, yet everything looks perfectly normal when you are logged in as an administrator?
You are likely the victim of WordPress redirect malware.
This is one of the most common and frustrating types of WordPress hacks. Attackers compromise your site to siphon off your hard-earned traffic and send it to malicious third-party domains. What makes modern variants particularly devious is their ability to evade standard security plugins.
In this guide, we will analyze a specific, sophisticated strain of JavaScript redirect malware involving the domain akmcdnrepo[.]com. We will share a real-world case study where popular server-side scanners failed to detect the issue, deconstruct and decode the malware to show you exactly how these WordPress redirect hacks work, and explain how to properly find and clean them.
What Causes WordPress Redirect Malware?
A malicious redirect on WordPress isn’t a random event. It’s the result of a successful cyberattack. Understanding the root cause is crucial for both cleanup and future prevention. The most common causes include:
- Outdated Plugins & Themes: This is the #1 cause of hacked sites. Attackers constantly scan the web for sites running plugins with known vulnerabilities and exploit them to gain access.
- Nulled (Pirated) Themes & Plugins: Using “free” versions of premium software is a massive risk. Nulled themes almost always contain pre-installed backdoors and nulled theme malware waiting to be activated.
- Compromised Admin Passwords: Weak passwords make your site an easy target for wp-admin brute force attacks, where bots guess thousands of passwords until they get in.
- Insecure Hosting Environment: Cheap hosting with poor server-side security, outdated PHP versions, or unprotected file permissions can leave your site vulnerable.
How Attackers Inject Redirect Malware (Attack Vectors)
Once an attacker identifies a weakness, how do they actually get the malicious redirect script onto your site? They use specific attack vectors:
- Plugin Vulnerability Exploit: An attacker sends a specially crafted request to a vulnerable plugin, tricking it into uploading a malicious file or modifying an existing one.
- Brute Force Attacks: Automated bots hammer your login page (wp-login.php) or try to guess passwords via XML-RPC until they crack an account with file editing permissions.
- File Upload Vulnerabilities: A flaw in a contact form or other upload feature allows an attacker to upload a PHP script (a “backdoor”) instead of an image, giving them full control.
- SQL Injection: Hackers insert malicious SQL statements into database queries, allowing them to modify site content directly within the database, such as injecting a redirect script into post content or options.
Symptoms of a WordPress Redirect Hack
How do you know if your site is infected with a malicious redirect? The symptoms are often designed to be subtle to the site owner but obvious to visitors.
Common signs of a WordPress spam redirect hack include:
- Visitors complain about redirects: Users report clicking a link on your site and landing on a completely different, often shady, URL.
- It doesn’t happen to admins: You cannot replicate the issue because the malware is coded to ignore logged-in administrators to avoid detection.
- Google warnings: You see “Deceptive Site Ahead” warnings in Chrome or alerts in Google Search Console regarding hacked content.
- Strange JavaScript in source code: You notice obfuscated or encoded script tags in your page source that you didn’t add.
Case Study: The Stealthy Akmcdnrepo JavaScript Malware
Let’s examine a real-world example of this JavaScript redirect malware. In a recent cleanup, a site owner was experiencing redirects, but their security plugin, Wordfence, was not able to find it during standard scans.
Because this malware lives primarily in JavaScript files that execute in the *visitor’s browser* (client-side), server-side scanners sometimes miss it if they aren’t specifically looking for these code patterns within .js files.
How It Was Discovered
While internal scans came up clean, an external scan using sitecheck.sucuri.net was able to detect it, flagging a single JavaScript file as malicious. This external perspective is crucial because it mimics what a real visitor (or Googlebot) experiences.
However, the single file flagged by Sucuri was just the tip of the iceberg. Upon downloading the entire site’s file structure and opening it in a code editor like VS Code, a global search for the malware’s code signature revealed the uncomfortable truth: many files were infected, not just the one.
The malware had appended itself to numerous legitimate JavaScript libraries across the site’s directories, ensuring that even if one file was cleaned, others would carry on the attack.
The Malicious Code Signature
The infection is a block of obfuscated JavaScript. Here is the specific code block responsible for the infection found across multiple files:
(function(){
  try {
    // 1. Evasion: Checks for Admin bar to hide from site owner
    if(document.getElementById && document.getElementById('wpadminbar')) return;
    // 2. Anti-Analysis: Timing loop to fool security bots
    var t0=+new Date();
    for(var i=0;i<20000;i++){var z=i*i;}
    if((+new Date())-t0>120) return;
    // 3. The Payload Decoder Function
    function systemLoad(input){
      // ... (Base64 decoding logic removed for brevity) ...
      return dec;
    }
    // 4. Decoding the malicious URL
    var u=systemLoad('aHR0cHM6Ly9ha21jZG5yZXBvLmNvbS9leGl0bQ==');
    // ... (Injection logic follows to load the external script) ...
  } catch(e) {}
})();
Decoding the Malicious Payload
The attackers use Base64 encoding to hide the destination URL from simple text searches. In the code above, the variable u is set to the result of decoding a specific string.
We can manually decode this string to reveal the attacker’s command and control server. This encoded string is the unique signature you need to search for.
- Encoded String (Signature): aHR0cHM6Ly9ha21jZG5yZXBvLmNvbS9leGl0bQ==
- Decoded URL: https://akmcdnrepo[.]com/exitm
Once the script decodes this URL in the victim’s browser, it injects a new HTML <script> tag pointing to it. This external script is what performs the final redirect to the spam or phishing site.

How this JS Malware Injection Works
This script uses three clever tactics to stay hidden while performing the WordPress malicious redirect:
- Hiding from Admins (Evasion): The script checks for the WordPress Admin Bar. If detected, it stops immediately. The attackers know that if you saw the redirect, you would fix it. They prefer to quietly steal your organic traffic instead.
- Fooling Security Bots (Anti-Analysis): The code runs a “timing loop” to perform useless calculations. If this takes too long (often the case in slow security sandboxes), the malware assumes it’s being analyzed and “plays dead.”
- The Obfuscated Payload: As shown above, the core URL is hidden using base64 encoding to avoid simple detection methods.
Common Locations for Redirect Malware Files
As our case study showed, you cannot rely on finding just one infected file. Hackers aim for persistence. While any file can technically be infected, this type of js malware injection is most commonly found in:
- Theme Files: Your active theme’s header.php and footer.php are prime targets because code placed there runs on every single page load.
- Plugin & Theme JS Files: The malware often appends itself to the bottom of legitimate .js files within plugin and theme directories. This is what happened in our case study, where numerous files were infected.
- Core JavaScript Files: Although less common than theme/plugin infections, the malware can sometimes target core libraries like /wp-includes/js/jquery/jquery.js or jquery-migrate.js.
Other common targets for different types of redirects include the server’s .htaccess file and even directly within the WordPress database.
Tools & Commands for Finding Redirect Malware
If automated scanners fail, you’ll need to use manual tools to find the infection on the server or in the code. Here are the best tools and commands for the job:
- Sucuri SiteCheck: A free external scanner that sees your site as a visitor does. Excellent for detecting client-side JS malware injection.
- VS Code (Visual Studio Code): Download your site files locally and use VS Code’s powerful “Find in Files” feature to search your entire site directory at once.
- Chrome DevTools: Use the “Network” tab while visiting your site in an incognito window to see if your browser is making requests to suspicious external domains like akmcdnrepo.com.
- WP-CLI: Use the command line to quickly verify if WordPress core files have been modified: wp core verify-checksums.
- Linux Grep Commands: If you have SSH access, use grep to perform deep searches for malicious patterns directly on the server.

Grep Search Patterns for Redirect Malware
Searching for the domain name directly often fails because hackers obfuscate it. Instead, you must search for the unique Base64 encoded string found in the malware payload.
Use these commands in your WordPress root path (usually public_html):
# 1. Search for the specific encoded Akmcdnrepo payload (highly accurate for this variant)
grep -rn "aHR0cHM6Ly9ha21jZG5yZXBvLmNvbS9leGl0bQ==" .
# 2. Search for the behavioral signature used to hide from admins
grep -rn "document.getElementById('wpadminbar')" .
# 3. Search for suspicious script tags hidden deep in theme or plugin folders
# (Be careful, this may return legitimate results too)
grep -rn "<script>" wp-content/themes/
grep -rn "<script>" wp-content/plugins/
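The grep for the encoded string only finds this exact variant. The added example below (not part of the original article or any scanner's code) generalizes it: it decodes every quoted Base64 literal in a downloaded copy of the site and reports those that hide an http(s) URL, along with the wpadminbar check. The rule names, the scanned file extensions and the sample text are assumptions made for illustration.

```python
import base64
import re
import sys
from pathlib import Path

# Quoted literals that look like Base64: 16+ alphabet characters, optional padding.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
ADMIN_BAR_CHECK = re.compile(r"""getElementById\(\s*['"]wpadminbar['"]\s*\)""")
SCAN_SUFFIXES = {".js", ".php", ".html"}  # assumption: file types worth scanning

# Constructed sample: one benign line, then two lines taken from the snippet above.
SAMPLE_JS = """var slider = {speed: 300, id: 'abcdefghijklmnopqrstuvwx'};
if(document.getElementById && document.getElementById('wpadminbar')) return;
var u=systemLoad('aHR0cHM6Ly9ha21jZG5yZXBvLmNvbS9leGl0bQ==');
"""

def decode_url(literal):
    """Return the decoded text if literal is Base64 for an http(s) URL, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except ValueError:  # bad padding or alphabet, or decoded bytes are not ASCII
        return None
    return text if text.startswith(("http://", "https://")) else None

def scan_text(text):
    """Yield (line_no, rule, detail); decoded URLs are defanged in the report."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if ADMIN_BAR_CHECK.search(line):
            yield line_no, "admin-bar-evasion", "wpadminbar check"
        for match in B64_LITERAL.finditer(line):
            url = decode_url(match.group(1))
            if url:
                yield line_no, "base64-url", url.replace(".", "[.]")

def scan_tree(root):
    """Scan matching files under root and return {path: [findings]}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = list(scan_text(path.read_text(errors="replace")))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if sys.argv[1:] else {"<sample>": list(scan_text(SAMPLE_JS))}
    for name, hits in found.items():
        for line_no, rule, detail in hits:
            print(f"{name}:{line_no}: {rule}: {detail}")
```

Run it against a local copy of wp-content by passing the directory as the first argument. A wpadminbar hit with no Base64 URL in the same file is a lead to review rather than a confirmed infection, since legitimate theme code also references the admin bar.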
Why SEO Spam Redirects Destroy Your Rankings
WordPress SEO spam redirects are catastrophic for your search engine visibility. If your site suffers from a long-term redirect hack, the consequences are severe:
- De-indexing: Google may remove your pages from search results to protect users.
- Blacklisting Warnings: Browsers will display a giant red “Deceptive Site Ahead” warning to visitors.
- Loss of Trust: Visitors who get redirected to phishing sites will lose trust in your brand instantly.
How to Fix the Malicious Redirect on WordPress
Because standard plugins may miss this type of WordPress redirect malware, a thorough, manual approach is often necessary.
Warning: Before starting, take a full backup of your site and database.
- Perform an External Scan: Use a tool like Sucuri SiteCheck to confirm if external visitors are seeing malicious code.
- Download and Search Locally: Download your entire wp-content folder. Use a code editor like VS Code to perform a “Find in Files” search for a unique part of the malicious code (e.g., the encoded string aHR0cHM6Ly9ha21jZG5yZXBvLmNvbS9leGl0bQ== or the wpadminbar check). This will reveal the true extent of the infection in your themes and plugins.
- Clean Plugins and Themes: The safest and fastest way to clean infected plugins or themes is to re-download fresh versions from their official sources and replace the existing folders on your server. Do not try to manually edit thousands of JS files.
- Replace Core WordPress Files: As a precaution, it is best practice to also replace your core files. Delete your /wp-includes/ and /wp-admin/ directories on the server and replace them with fresh copies downloaded directly from WordPress.org.
- Clear Caches: The malware often sets cookies to track users. Ensure you purge all server-side (CDN, Object Cache) and browser caches after cleaning.
Prevention Checklist: Stopping Future Redirect Hacks
Once you have fixed the WordPress redirect hack, you must harden your site to prevent reinfection.
- Update Everything: Outdated plugins and themes are the #1 entry point for malware.
- Remove Nulled Software: Never use “nulled” (pirated) themes or plugins. They almost always contain pre-installed backdoors.
- Use a WAF: A good security plugin with a Web Application Firewall can block many attacks before they reach your files.
- Change Passwords: Immediately change all administrator, FTP, and database passwords post-cleanup.
Frequently Asked Questions About Redirect Malware
Why did Wordfence not find the malware?
Some server-side scanners focus heavily on PHP files and known malware signatures. Sophisticated JavaScript redirect injections that execute client-side can sometimes evade these scans, especially if the code is new or highly obfuscated. External scanners that simulate a real visitor browser are often better at detecting these specific issues.
What is the Akmcdnrepo malware?
The Akmcdnrepo malware is a specific type of JavaScript redirect injection. It acts as a loader, injecting a script tag that fetches a malicious payload from the akmcdnrepo.com domain, causing the unwanted redirect.
Why does the redirect not appear when I’m logged in?
This is a deliberate evasion tactic. The malware checks for the WordPress Admin Bar cookie. If it detects you are an admin, it does not execute the redirect, allowing it to remain hidden from the site owner for longer.
Does this malware affect SEO?
Yes, devastatingly. SEO spam redirects will cause Google to flag your site as hacked, display security warnings to users, and eventually de-index your content, destroying your organic traffic.
How do attackers get the redirect malware onto my site?
The most common entry points are exploiting vulnerabilities in outdated plugins or themes, using stolen administrator credentials from a brute force attack, or through backdoors hidden in nulled themes.
Can I just delete the malicious code to fix the redirect?
Simply deleting the code you find is rarely enough. Hackers often leave multiple backdoors to reinfect the site. A complete cleanup involves replacing core files, fresh plugin reinstalls, database scans, and security hardening to close the initial entry point.
Need Expert Help Cleaning WordPress Redirect Malware?
As this case study shows, manual malware removal can be tricky. Relying solely on automated plugins might leave you with a partially infected site. If you miss a single hidden backdoor or infected JavaScript file, the WordPress malicious redirect will often return within hours.
If you want to ensure the infection is completely eradicated and your site is hardened against future attacks, I recommend professional remediation.
Get Professional WordPress Malware Removal Here
We specialize in cleaning complex, hidden infections like the Akmcdnrepo redirect hack that standard scanners miss. Our service includes complete manual deep-scanning, code cleanup, backdoor removal, and security hardening to prevent reinfection.
Don’t let hackers steal your traffic. Click here to secure your WordPress site today.
