Redirection Hack: a case study

Several hacked sites we recently repaired had the same exploit, which can be tricky to detect by most site owners. We’ve seen this one enough that we feel it is important to let you know what to look for.

A good friend of ours mentioned as an aside that his site kept getting hacked and though his more technically adept relative had cleaned up the immediate problem, whenever someone attempted to look up his site on a search engine they were met with a list of spam sites (viagra ads and the like) all listing HIS site as the web address. He had no idea how that happened, much less how to fix it.

Here’s what was going on: There’s a file at the root of most websites named “.htaccess”. This file has a bunch of specific directives on how to handle various traffic to your website – for instance, if you redesign your site and change some of the page names (for instance, from “” to “”) it can be used to redirect visitors to the new page. Without redirecting the visitor would end up on your Not Found page, which is frustrating for them and not a good customer service practice.

If hackers gain access to this file they can redirect your visitors anywhere they want, and that’s exactly what happened in these cases.

The hackers had written a set of directives which said in essence “If the visitor is coming from Google, Bing, etc (listing all the big search engines), then please redirect them to one of a list of spam sites”. So when the search engines crawled the site they were also redirected, and the web address was associated with the spam sites on the search engine.

So it might be a good idea to search your own site from time to time. If you happen to run into a similar problem on your site – or someone else’s – we can help.

All of the sites managed by are protected against this kind of hack, of course. The sites alluded to above were running vulnerable versions of WordPress and plugins which were the likely entry for the hackers. The sites are now new clients, being kept up to date by us.

Posted in Hack.