Website redirecting to malicious domain

I recommend to install a fresh copy of Really Simple SSL from the wordpress repository, and do the same for your WordPress install and all other plugins and themes.

Possibly your password has been compromised, or you have a plugin on your site with a backdoor (which is not this plugin).

I recommend to check your user list, and reset your password as well.

Sorry, I don’t want to blame or accuse the plugin of something, especially not if it’s not true. But it was (and still is) just a finding I wanted to share as soon as possible.

I installed the plugin again (after deleting) after downloading it from the WP repo and retried. Again the site redirected to the malicious domain after activating SSL. When activating the plugin without activating SSL in the plugin, the problem did not appear.

When disabling the plugin (via WP menu -> Plugins) with the option ‘keep https’, the problem was still there. Only when disabling the plugin via the checkbox and then disable from the dropdown (of WordPress), the problem disappeared. Any idea what this could be then or where to look?

It’s not my password or another user.

Something interesting I found out: when the plugin is disabled (and the problem is gone) and when I enable ‘always redirect to https’ in the iThemes Security plugin, the same thing happens. Could there be something in the script that does this redirect? Can you tell me where it is (from your plugin) so I know where to look?

It sounds as if it is not related to the plugin or iThemes, but is caused by the SSL redirect itself.

Please check your certificate on https://ssllabs.com/ssltest to see if it is configured correctly.

Both ipv4 and ipv6 return grade A.

It is possible the malicious code only triggers if the site loads over https. If there is malicious code on your site you’ll need to replace all plugins, themes, and wordpress with fresh installs from WordPress.

If you can share your domain we can take a look as well.

The problem seems gone now, but I’m still wondering/investigating where the redirect to the malicious site is. The domain is https://ontmoetingskerkvriezenveen.nl/

Hi @robertlindeboom,

Did you replace other plugins with versions from the WordPress repository as well? Most likely this was caused by a compromised plugin. I just visited your site and did not notice any malicious redirect either.

Glad to hear that this is solved!

Kind regards,
Leon

I didn’t replace everything (WP, theme, plugins) directly to see if the problem came back again, but it didn’t, so today I replaced all files from the repo. I didn’t see suspicious changed files with a date around the moment the problem appeared. Still scary to not know what the problem is, but I think it’s nice that it’s gone for now.