WordPress site infected with malware causing redirect to external domain even after disabling plugins and theme
I’m dealing with a persistent malware issue on a WordPress site that redirects all traffic to:
https://www1.newsus.app/mpc/
Here’s what I’ve already tried and checked:
The site is hosted on Hostinger
I reviewed and cleaned:
.htaccess
index.php
The folder /wp-content/mu-plugins/ is empty
I renamed the entire /wp-content/plugins/ folder (so all plugins are disabled)
I also deactivated and changed the active theme
Even with plugins disabled and the theme changed, the redirect still happens
I discovered that the original theme (Impreza – premium, but outdated) seems to be infected
Cloudflare is enabled, but the redirect still happens even when bypassing cache
The redirect happens immediately when accessing the site, both on frontend and admin.
At this point, I’m suspecting:
A hidden PHP file injected somewhere else (maybe wp-includes, uploads, or root)
A compromised database option (like siteurl, home, or injected JS/PHP)
Server-level infection or cron job
My questions:
Where else should I look for hidden malware that survives plugin and theme deactivation?
Are there common places WordPress malware hides that are often overlooked?
Could this be coming from the database or server-level scripts?
Any recommended steps or tools to fully trace and remove this type of redirect malware?
Any help or guidance would be really appreciated. Thanks!
wp_options table which contains the siteurl and home settings. Check your wp-config.php as well to make sure those values aren't hardcoded.
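One way to run the check described above offline, as an added example that is not part of the original thread: it compares the siteurl and home rows exported from wp_options, plus any WP_HOME / WP_SITEURL literals in wp-config.php, against the host the site should be served from. The function names, the hosts example.com and redirect.invalid, the sample rows and the default wp_ table prefix are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# define('WP_HOME', '...') / define("WP_SITEURL", "...") with a string literal value.
# These constants take precedence over the siteurl/home rows in wp_options.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](WP_HOME|WP_SITEURL)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

def hardcoded_urls(wp_config_text):
    """Return {constant: value} for WP_HOME / WP_SITEURL set in wp-config.php."""
    text = re.sub(r"/\*.*?\*/", "", wp_config_text, flags=re.S)  # drop block comments
    live = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith(("//", "#"))]           # drop commented-out lines
    return dict(DEFINE_RE.findall("\n".join(live)))

def bare_host(url):
    """Lower-cased hostname without a leading 'www.', or '' if the URL has none."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit(expected_host, options, wp_config_text):
    """Return (source, name, value) for every URL setting not on expected_host."""
    want = bare_host("//" + expected_host)
    checks = [("wp_options", n, options.get(n, "")) for n in ("siteurl", "home")]
    checks += [("wp-config.php", n, v)
               for n, v in hardcoded_urls(wp_config_text).items()]
    return [c for c in checks if bare_host(c[2]) != want]

# Constructed sample data (not taken from the page).
# Rows as returned by:
#   SELECT option_name, option_value FROM wp_options
#   WHERE option_name IN ('siteurl', 'home');
SAMPLE_OPTIONS = {"siteurl": "https://www.example.com",
                  "home": "https://redirect.invalid/x/"}
SAMPLE_CONFIG = """<?php
// define('WP_HOME', 'https://old.example.net');
/* define('WP_SITEURL', 'https://old.example.net'); */
define( 'WP_SITEURL', 'https://redirect.invalid' );
define('DB_NAME', 'wp');
"""

if __name__ == "__main__":
    for source, name, value in audit("example.com", SAMPLE_OPTIONS, SAMPLE_CONFIG):
        print(f"{source}: {name} = {value!r} does not point at the site")
```

A missing or empty siteurl/home row is reported as well, since its host cannot match the expected one.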