I will tell you how a WordPress website got hacked and was infected with a script that performed an off-site redirection for about 70% of the organic traffic.
Intro: On an older hosting account, I had a few websites forgotten there, but I also had a good website with some nice traffic. In December 2015 I was waiting for some nice money out of this website, but surprise – it was the worst month of 2015.
Investigation: I started digging to see why i had such a low traffic on what was the best month of the year, December. My first thought was that Google updated their search algorithm and I got penalised. I entered in Google Search Console (Webmaster Tools) to check the indexing, the impressions and the search ranking. All was good there: high traffic. Then i checked Google Analytics and i could not see the high organic traffic from Search Console. This never happened to me before: Search Console showing more traffic than Analytics. Something was wrong there.
Found the problem: I was inspired to go to Google and do a search for a querry I knew I was ranking in top 5 results to see if it’s all good. My website was still in the top 5 results (with an incognito search) and I clicked on it. When I entered, it immediately redirected me 3-5 times, till I reached an app download page. Then I knew that I was hacked.
The first thing I did was to check other querry search to see if this will have the same redirection. And it did. Then I wrote an email to my hosting provider telling them what is happening with my website and to see if it is a DNS hack problem, since it was a redirection problem. They responded to me that the DNS has no problems. Tey checked other common problems to find the source of the redirection and I was told that I had a malitious script in the header.php file, in the active theme foloder. I manually checked the file in cPanel and I found the script that caused the redirection:
I deleted it and then checked to see if it was still redirecting organic traffic. It did not. Then I manually checked the .php files in the theme folder for a similar script, but found none. I also installed a new WordPress on an unused subdomain, copied the WordPress files and replaced all the WordPress files from the website. It was like a brand new WordPress install.
I deleted the old websites from that server and only maintained this newly repaired WordPress.
Remember always to update your themes, plugins and WordPress platform.
Since then, I had no problems with my website.
I also used this Chrome Extension to see the redirect path: Redirect Path.