Site that was hacked has a 404 problem when accessed through Google, but not otherwise

Site that was hacked has a 404 problem when accessed through Google, but not otherwise

Talia

Member
Local time
10:07
Joined
Jan 21, 2020
Messages
84

OK, this is not exactly a traditional SEO problem, but it's related to search engines, so I guess it fits?

I have a client whose site is having a weird problem. It's a WordPress site that was victim of a cross-scripting attack. I cleaned up the malicious files using Wordfence, and just browsing around the site, it appears the problem is cleared up. The problem is, if you go to any page on the site through Google, it leads to a 404 page, because the site is attempting to redirect you to a malicious page that was deleted. Here's the weird part, though... this ONLY happens when you are going to the page through Google or another search engine. If you go to the exact same URL through your address bar, the 404 problem doesn't come up at all. It works just fine.

As an extra interesting layer, I tested with a couple other search engines - Yahoo, Bing, and DuckDuckGo. Yahoo and Bing have the same results, but DuckDuckGo works just fine.

Any ideas as to what could be causing this?

 

Adam

Mr. Webwide
Administrator
Local time
16:07
Joined
Sep 24, 2019
Messages
1,254
Pronouns
he/him

There is still some malicious code in your website that is detecting the referrer of popular search engines (but missing DDG) and redirecting accordingly.

I have found that WordFence has missed code injected in to a theme before. Could you try reinstalling all plugins from repo versions and the theme from its source if it is not custom? (Back-up first).

Also start with a fresh WordPress default .htaccess.

I'm gonna move to CMS since this is a WordPress issue. :)

 
Last edited:

Adam

Mr. Webwide
Administrator
Local time
16:07
Joined
Sep 24, 2019
Messages
1,254
Pronouns
he/him

The reason that hackers do it this way is because it is less likely to be detected by the site owner who would ordinarily access their site via URL or bookmark rather than search engine.

 
Last edited:

Talia

Member
Local time
10:07
Joined
Jan 21, 2020
Messages
84

Gah, that was fast. Now I feel the past hour of mindless Googling was wasted...I should've come here first :)

Thank you so much. That makes total sense. I was really mystified.

 

Adam

Mr. Webwide
Administrator
Local time
16:07
Joined
Sep 24, 2019
Messages
1,254
Pronouns
he/him

Gah, that was fast. Now I feel the past hour of mindless Googling was wasted...I should've come here first :)

Thank you so much. That makes total sense. I was really mystified.

No worries! If you check the page source I imagine you will see some garbled looking code. But yeah, a bit more manual clean-up required. 😋

It will be worth going to the 'Update WordPress' page in the wp-admin and clicking re-install WordPress. This will replace all your core files with fresh ones just in-case any of those have been contaminated also but not mess up any data (in theory, back-up before!).

Really the best thing is to restore to a back-up that isn't compromised and then secure but appreciate that is not always an option.

 
Last edited:

Talia

Member
Local time
10:07
Joined
Jan 21, 2020
Messages
84

FYI, the problem was indeed a redirect in the .htaccess file that only applies when the user agent or referrer was one of the major search engines. So you were right on the money. Once again, thanks so much! :)

 

Adam

Mr. Webwide
Administrator
Local time
16:07
Joined
Sep 24, 2019
Messages
1,254
Pronouns
he/him

FYI, the problem was indeed a redirect in the .htaccess file that only applies when the user agent or referrer was one of the major search engines. So you were right on the money. Once again, thanks so much! :)
Woop! Very glad we could help get that sorted for you. Nice work.

 

blaq

🌱
Gold Member
Local time
11:07
Joined
Oct 18, 2019
Messages
48

I think you have to check your .htaccess and update your theme or js and PHP files for wp core I think its alway overridden on every update.

 
Top