Hello,

I asked the following question on SuperUser.com and the question was closed. Maybe it should be asked on ServerFault.com. Not sure.

But here it is on SO hoping it will get some traction.

Hello,

I have a wordpress website. It is NOT a wordpress.com website. This website is hosted at godaddy.com. This weekend whenever I fired up my browser and loaded the landing (or any other page) there it would load (firefox would say "Done") and then after a 1 second pause the browser would redirect to some seemingly random website.

Unfortunately (or fortunately?) this is an intermittent problem.

I use difficult to break passwords for my wordpress admin.

Any ideas on how to troubleshoot or what the problem is?

Seth

EDIT
Yes, the url is http://www.meeting-minutes.org. For the record, the reason I did not include the url when I reposted my question here is because I thought that someone might think that I am just trying to promote the software that I reference on the website. That is genuinely not my purpose.

EDIT Thanks for the help. I have taken the site down by simply renaming the hosting folder (so it now returns a 404 which is fine.) I will clean it up and redeploy after cleaning it up.

For the life of me I don't know how this could have happened.

Seth

+4  A: 

Your Weblog has definitely been hacked. I can see very evil-looking JavaScript code in the source code of your blog:

<script language=javascript>document.write(unescape('%3C%73%63%72%69......

It is probably code to redirect to other sites, as you say. Your Blog's security must have been compromised somehow; this is definitely in your template's source code.

You should download everything and take the site down immediately to protect your visitors, and your site's reputation (to prevent it from getting on any malware blacklist). Check out the "Getting your site off line" chapter in the 2nd link. I don't know which version of Wordpress you're using, maybe WP's forums can be helpful in finding out how the break-in occurred. Maybe it's also a good idea to inform the hosting company and see whether they can provide any additional information. If you have access to any log files, fetch a copy and look whether they tell you anything.

Links:

For later maybe:

Pekka
Thanks...will do. Seth
Seth Spearman
@Seth Be sure to check your local machine too for any signs of infection / trojans / rootkits. It would probably be good to find out where the break-in exactly happened, the hosting provider may be of help for that.
Pekka
A: 

I would try accessing the site with JavaScript turned off. That would be a quick way of verifying if someone had put that in an onLoad. It certainly could have been written to fire intermittently.

If you have file access to the server, I would look at the .htaccess file, which might have rewrite rules in it.

Lastly, I would try accessing the website by IP address to detect DNS problems, but I find it highly unlikely it would work that way.

Don't forget to look closely at changes to your theme, which is the most likely avenue of attack.

dj_segfault
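Added example, not part of either answer above and not code from WordPress: a Python sketch of the two file checks the answers suggest, run against a downloaded copy of the site. It looks for the `document.write(unescape('%3C...'))` pattern in theme and template files, decodes the payload for reading only, and lists `.htaccess` rewrite or redirect lines that point at an absolute URL. The sample tree, the file names and the `redirect.example` host are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Obfuscated injection of the kind quoted above: document.write(unescape('%3C%73...'))
UNESCAPE_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*['\"]((?:%[0-9A-Fa-f]{2}){4,}[^'\"]*)['\"]", re.I)
# .htaccess rewrite/redirect directives whose target is an absolute URL
HTACCESS_RE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match)?)\b.*https?://\S+", re.I)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def scan_tree(root):
    """Return (relative path, line number, kind, detail) findings under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        is_htaccess = path.name == ".htaccess"
        if not path.is_file() or not (is_htaccess or path.suffix.lower() in SCAN_SUFFIXES):
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if is_htaccess:
                if HTACCESS_RE.search(line):
                    findings.append((rel, lineno, "htaccess-redirect", line.strip()))
                continue
            for m in UNESCAPE_RE.finditer(line):
                # Percent-decode so a human can read it; the payload is never executed.
                findings.append((rel, lineno, "unescape-write", unquote(m.group(1))))
    return findings

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "sample"
        theme.mkdir(parents=True)
        # Constructed payload: the harmless string "<script>/*x*/</script>", percent-encoded
        enc = "".join("%%%02X" % b for b in b"<script>/*x*/</script>")
        (theme / "footer.php").write_text(
            "<?php wp_footer(); ?>\n"
            "<script language=javascript>document.write(unescape('" + enc + "'));</script>\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")  # clean file
        (root / ".htaccess").write_text(
            "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
            "RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit in `.htaccess` is only a line to review, since a site's own canonical-host redirect also matches; an injected script that uses a different obfuscation will not match the first pattern.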
+3  A: 

Specific to Wordpress (and linked numerous times in the Wordpress forums): FAQ: My site was hacked « WordPress Codex and how-to-completely-clean-your-hacked-wordpress-installation.

songdogtech
Very good links, need to remember those.
Pekka
Thanks for your answer. Having detailed instructions for doing the cleanup is awesome. Seth
Seth Spearman
Glad those can help; don't skip a step, or you'll still have problems. Also, if you're on shared hosting, tell your hosting service so they can check their own systems....
songdogtech