URGENT: Can't get rid of this persistent malware redirect after multiple removal attempts!
guys, i am absolutely losing my mind here. for the past 48 hours, my main client's e-commerce site has been plagued by this relentless redirect issue and i just cannot get rid of it. i've tried everything, spent countless hours, and it keeps coming back. i'm at my wit's end, seriously desperate for some help.
it's a wordpress site, running woocommerce, relatively small but critical for their business. the redirect is insidious; it doesn't happen on every load, maybe 30-40% of the time, and it sends users to these shady spam sites, sometimes even to a fake 'your system is infected' popup. it's intermittent enough that it's hard to catch in real-time but frequent enough to totally destroy user trust and conversions. sometimes it redirects to a completely different domain, sometimes just a blank page after a quick flash.
so far, i've gone through the usual playbook and then some. first, ran sucuri sitecheck, wordfence scans, malcare; all reported cleanup, but the redirect returns. i've manually checked all core wordpress files against fresh downloads, looking for discrepancies. deleted suspicious plugins and themes, even ones that looked innocent. i painstakingly went through the database, checking for injected scripts in posts, options tables, comments; found a few, cleaned them, but nope, still there. .htaccess file has been reset multiple times, checked for unusual redirects or rewrite rules. cleared all server-side and wordpress caches, cdn caches too. i even contacted my hosting support (siteground), they did their own scan, removed some things, but guess what? it came back a few hours later. i've changed all admin passwords, ftp passwords, database passwords. i thought i was pretty good at website hardening but this is just next level.
every single time i think i've nailed it, the site is clean for a bit, then boom, the redirect is back. it's like it's regenerating itself or there's a backdoor i'm completely missing. the scans say it's clean, then a few hours later, a new redirect instance pops up. it's not always the same redirect destination either, which makes it even harder to track. i'm just stuck in this loop of cleaning, thinking it's fixed, only for it to resurface. my client is getting really antsy and i'm running out of ideas.
what am i missing? are there any advanced tools or techniques for finding deeply embedded backdoors or persistent malware that regenerates? should i be looking at server logs more closely for outbound connections or suspicious cron jobs? what's beyond the standard security plugin/manual file check routine for something this stubborn? i'm open to anything, even a full server migration if that's the only way to ensure it's truly clean, but i need to understand the root cause first so it doesn't just happen again on a new server.
anyone faced this before? how did you finally get rid of it for good?
1 Answer
Tariq Koffi
Answered 18 hours ago

Hello Raj Gupta,
"i'm just stuck in this loop of cleaning, thinking it's fixed, only for it to resurface."

I understand why your client is getting antsy (not 'antys'!) over this; persistent redirects usually indicate a deep `server-side compromise` or a well-hidden backdoor that regenerates, which standard `WordPress security` scans often miss. Beyond typical file and database checks, you absolutely need to conduct a thorough forensic analysis of all server logs, looking for malicious cron jobs, unrecognized user accounts, or unusual outbound connections before considering a clean migration. Have you specifically reviewed all server-level cron jobs and user accounts for anything suspicious?