WordPress redirects to a casino: how to stop it

Your WordPress site sends visitors to a casino or betting site, mostly from Google? That's a redirect hack. Here's where it hides and how to remove it for good.

By WP-Detox 7 min read

When a visitor clicks through to your site from Google and lands on an online casino or a betting site, you’re dealing with a WordPress redirect hack. It’s one of the most common compromises, and one of the most confusing: you type your address into the browser, everything looks normal, yet your customers keep telling you the site is sending them somewhere else. This article shows you where the redirect code hides, how to remove it, and how to confirm it won’t come back.

Why the redirect only shows up from Google or on mobile

If you never see the problem when you type your URL directly, that’s expected. Attackers use a technique called cloaking: the redirect code only fires under certain conditions, so it stays invisible to the site owner.

In practice, the injected code checks several things before deciding whether to redirect the visitor:

  • The referer. If the visitor arrives from a Google or Bing search result, they get redirected. If they type the URL directly (empty referer), they see the normal site.
  • The device. Many redirects target mobile only. On desktop nothing happens; on a phone, the visitor is sent off to the casino.
  • The cookie. Once redirected, the visitor usually gets a cookie that blocks a second redirect, so as not to raise suspicion.
  • The IP address and user agent. The code skips the administrator's known IP addresses and any crawler or scanner it would rather not alert.

The result: you, logged into your admin from your computer, never see anything. Your customers arrive from Google on their phone and end up on a sports betting site. To reproduce the problem, open your site from a Google search result in a private window, ideally on a mobile device.

The usual hiding spots for redirect code

The code can sit in several places at once. You have to check all of them, or the redirect persists.

The .htaccess file at the root

This is hiding spot number one. Open the .htaccess file at the root of your installation (the same level as wp-config.php). A clean .htaccess holds the standard WordPress block between # BEGIN WordPress and # END WordPress. Be wary of anything sitting before or after that block: RewriteCond rules that test HTTP_REFERER or HTTP_USER_AGENT, RewriteRule redirects to an unknown domain, or hard-to-read encoded code.

RewriteCond %{HTTP_REFERER} google [NC,OR]
RewriteCond %{HTTP_USER_AGENT} android [NC]
RewriteRule ^(.*)$ http://casino-domain.xyz/ [R=301,L]

If you see lines like these, delete them. Also check the .htaccess files inside wp-content/ and wp-includes/, where there should be no redirect rules at all.
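Checking the three .htaccess locations by hand is error-prone, so here is a small audit script as an added example (it is not WP-Detox's tool and not from the article). It trusts only the # BEGIN WordPress / # END WordPress block in the root file, flags RewriteCond lines that test the referer, user agent, cookie or client IP, flags Redirect/RewriteRule targets on any host other than your own, and treats any redirect directive in wp-content/.htaccess or wp-includes/.htaccess as a finding. The sample .htaccess is constructed for the demo, example.com stands for your domain, and casino-domain.xyz is the article's placeholder, not a real indicator.

```python
"""Added example: audit the .htaccess files a redirect hack typically touches."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of a root .htaccess with injected rules placed before
# the standard WordPress block (mirrors the rules shown in the article;
# casino-domain.xyz is a placeholder, not a real indicator).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} google [NC,OR]
RewriteCond %{HTTP_USER_AGENT} android [NC]
RewriteRule ^(.*)$ http://casino-domain.xyz/ [R=301,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Server variables a rule only needs if it is cloaking its behaviour.
CLOAK_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE", "REMOTE_ADDR")
DIRECTIVE_RE = re.compile(r"^(RewriteCond|RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\]]+", re.I)


def _foreign(host, own_host):
    host = (host or "").lower()
    return bool(host) and host != own_host and not host.endswith("." + own_host)


def audit_htaccess(text, own_host, allow_wp_block=True):
    """Return findings as (line_no, reason, line) tuples.

    With allow_wp_block=True (the root file) the '# BEGIN WordPress' ..
    '# END WordPress' block is trusted and only what sits outside it is
    examined. For wp-content/.htaccess and wp-includes/.htaccess pass
    allow_wp_block=False: any redirect directive there is reported.
    """
    own_host = own_host.lower()
    findings = []
    in_wp_block = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("# BEGIN WordPress"):
            in_wp_block = True
        elif line.startswith("# END WordPress"):
            in_wp_block = False
        if (in_wp_block and allow_wp_block) or not line or line.startswith("#"):
            continue
        if len(line) > 300:
            findings.append((no, "unusually long line, possible encoded payload", line[:60] + "..."))
            continue
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        if not allow_wp_block:
            findings.append((no, "redirect directive in a directory that should have none", line))
            continue
        if match.group(1).lower() == "rewritecond":
            if any(var in line.upper() for var in CLOAK_VARS):
                findings.append((no, "cloaking condition on referer, user agent, cookie or IP", line))
            continue
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if _foreign(host, own_host):
                findings.append((no, f"redirect to foreign host {host}", line))
                break
    return findings


# The three locations the article names, relative to the WordPress root.
LOCATIONS = ((".htaccess", True), ("wp-content/.htaccess", False), ("wp-includes/.htaccess", False))


def audit_site(root, own_host):
    """Audit every .htaccess from LOCATIONS that exists under root."""
    results = {}
    for rel, allow in LOCATIONS:
        path = Path(root) / rel
        if path.is_file():
            results[rel] = audit_htaccess(path.read_text(errors="replace"), own_host, allow)
    return results


if __name__ == "__main__":
    # Demo on a throwaway directory so the script runs without a real site;
    # point audit_site() at your WordPress root instead.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ".htaccess").write_text(SAMPLE_HTACCESS)
        (Path(tmp) / "wp-content").mkdir()
        (Path(tmp) / "wp-content" / ".htaccess").write_text("RewriteRule ^ http://casino-domain.xyz/ [R,L]\n")
        for rel, found in audit_site(tmp, "example.com").items():
            for no, reason, line in found:
                print(f"{rel}:{no}: {reason}\n    {line}")
```

A redirect to www.yourdomain or another subdomain of your own host is not reported, since that is what a legitimate canonical redirect looks like; everything else outside the WordPress block is listed with its line number so you can delete it deliberately rather than by guesswork.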

The wp_options table in the database

Two traps here. First, the siteurl and home fields: if they point to anything other than your real domain, the entire site goes elsewhere. Check them with phpMyAdmin or in SQL:

SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('siteurl', 'home');

Next, look for options with random names you never created (strings of letters like wp_a1b2c3 or odd-looking names). Attackers use them to store JavaScript or a PHP script that another file runs. List the largest options to spot the anomaly:

SELECT option_name, LENGTH(option_value) AS size FROM wp_options
ORDER BY size DESC LIMIT 30;

The table prefix may differ from wp_ on your installation. Adjust based on your wp-config.php.
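The two queries above give you the raw rows; the triage below is an added example (not from the article or WP-Detox) that applies the checks just described to those rows: siteurl and home must point to your own host, values containing script tags or PHP obfuscation calls are flagged, random-looking option names are flagged with a heuristic, and oversized values are listed. The rows are constructed for the demo, the heuristic for "random name" is an assumption of this example rather than a WordPress rule, and example.com stands for your domain. Fetch the real rows with whatever MySQL driver you use, with the prefix from your wp-config.php.

```python
"""Added example: triage wp_options rows for the two traps the article describes."""
import re
from urllib.parse import urlparse

# Constructed rows, shaped like the output of
#   SELECT option_name, option_value FROM wp_options;
# fetched through any MySQL driver. Values are made up for the example.
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("home", "http://casino-domain.xyz"),
    ("blogname", "Example Shop"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("_transient_doing_cron", "1700000000.1234"),
    ("wp_a1b2c3", '<script src="https://cdn.casino-domain.xyz/r.js"></script>'),
    ("zxqkplwm", "eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxl'));"),
]

# Markers of injected script or obfuscated PHP stored in an option value.
PAYLOAD_RE = re.compile(r"<script|base64_decode|eval\s*\(|gzinflate|str_rot13", re.I)


def looks_random(name):
    """Heuristic for names like wp_a1b2c3 or zxqkplwm (an assumption of this
    example, not a WordPress rule). Transients are skipped because WordPress
    itself gives them hash-like suffixes."""
    lname = name.lower()
    if lname.startswith(("_transient_", "_site_transient_")):
        return False
    if lname.startswith("wp_"):
        lname = lname[3:]
    for token in filter(None, lname.split("_")):
        has_digit = any(c.isdigit() for c in token)
        has_alpha = any(c.isalpha() for c in token)
        vowels = sum(c in "aeiouy" for c in token)
        if has_digit and has_alpha:
            return True          # letters and digits mixed, e.g. a1b2c3
        if len(token) >= 8 and vowels / len(token) < 0.2:
            return True          # long token with almost no vowels
    return False


def triage_options(rows, expected_home, size_threshold=20000):
    """Return {option_name: [reasons]} for rows worth a manual look.

    expected_home is the site's real URL; siteurl and home must point to
    its host (a subdomain of it counts as the same site).
    """
    expected_host = (urlparse(expected_home).hostname or "").lower()
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for name, value in rows:
        value = value or ""
        if name in ("siteurl", "home"):
            host = (urlparse(value).hostname or "").lower()
            if host != expected_host and not host.endswith("." + expected_host):
                flag(name, f"points to {host or value!r}, expected {expected_host}")
        if PAYLOAD_RE.search(value):
            flag(name, "value contains script or obfuscation markers")
        if looks_random(name):
            flag(name, "random-looking option name")
        if len(value) > size_threshold:
            flag(name, f"very large value ({len(value)} bytes)")
    return findings


if __name__ == "__main__":
    for name, reasons in triage_options(SAMPLE_ROWS, "https://example.com").items():
        print(f"{name}: " + "; ".join(reasons))
```

Treat the output as a shortlist, not a verdict: a plugin may legitimately store a large serialized blob, and the name heuristic will occasionally flag a plugin option with a version number in it. Read the value before deleting the row.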

The theme: functions.php and header.php

The attacker often adds a few lines to the active theme’s functions.php (wp-content/themes/your-theme/functions.php) or injects a <script> into header.php. Look for PHP functions that use base64_decode, eval, gzinflate, or str_rot13: that’s almost always obfuscated malicious code. Compare the file with a clean copy of the theme downloaded from its official source.

Injected JavaScript

The redirect can also happen on the browser side, via a <script> added to your pages (often a conditional window.location, or a script loaded from an external domain). Inspect a page’s source (right-click, “View page source”) and spot any script pointing to a domain you don’t recognize.

The mu-plugins

The wp-content/mu-plugins folder (must-use plugins) is run automatically by WordPress and does not show up in the normal plugins list. It’s a favorite hiding spot. If that folder exists and contains .php files you didn’t install on purpose, that’s very suspicious. Inspect them before deleting.

How to remove the redirect, step by step

  1. Take a full backup (files + database) before touching anything. If you break something, you can roll back.
  2. Clean the .htaccess: remove any suspicious rule. When in doubt, regenerate a clean .htaccess from WordPress permalink settings.
  3. Fix wp_options: set siteurl and home back to your real domain, and delete the random-named options you identified as malicious.
  4. Restore the theme: replace functions.php and header.php with clean versions, or reinstall the theme cleanly.
  5. Delete injected mu-plugins and any stray .php file in wp-content.
  6. Reinstall WordPress core from the admin (Dashboard, Updates, “Reinstall Now”) to overwrite any modified wp-includes or wp-admin files.
  7. Clear every cache: your plugin cache (WP Rocket, W3 Total Cache, and so on), server cache, CDN cache such as Cloudflare. Until the cache is purged, the old redirected version keeps being served.

For the full disinfection procedure, follow our guide on what to do when WordPress is hacked.

Confirming the redirect is really gone

Don’t rely on a quick glance from your admin: because of cloaking, it proves nothing. Test under the real conditions of the hack:

  • From Google, search for your site and click the result, rather than typing the URL.
  • In a private window, to avoid your browser’s cookies and cache.
  • On mobile, or by simulating a mobile (browser dev tools, mobile device mode).
  • With Google Search Console’s URL inspection tool: it fetches your page the way Googlebot does and shows you what Google actually sees, cloaking included.

Run several tests, on several pages, including the homepage and a few posts.
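The four conditions above can be reproduced from the command line so the test is repeatable. The script below is an added example (not WP-Detox's scanner and not from the article): it requests a URL once per profile with a Google referer, a mobile or desktop user agent and no cookies, refuses to follow redirects so the Location header is visible, and then reports off-site 3xx targets, scripts loaded from other hosts, and inline JavaScript that sets location to another host. The user-agent strings and the HTML used in the demo assertions are constructed; example.com stands for your domain and casino-domain.xyz is the article's placeholder. It does not replace the Search Console check, which fetches as Googlebot from Google's own addresses.

```python
"""Added example: fetch a page under the conditions a cloaked redirect keys on
and report what came back. Not part of the WP-Detox article."""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed user-agent strings for the two device classes; any realistic
# mobile and desktop string will do.
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")

# The conditions the article lists: search referer, device class, and the
# direct visit the owner normally makes. No cookie jar is used, so the
# "already redirected once" cookie cannot suppress the redirect.
PROFILES = {
    "google-mobile": {"Referer": "https://www.google.com/", "User-Agent": MOBILE_UA},
    "google-desktop": {"Referer": "https://www.google.com/", "User-Agent": DESKTOP_UA},
    "direct-mobile": {"User-Agent": MOBILE_UA},
}

JS_REDIRECT_RE = re.compile(
    r"""location(?:\.href)?\s*=\s*["'](https?://[^"']+)|location\.replace\(\s*["'](https?://[^"']+)""", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise the 3xx as HTTPError instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, headers, timeout=15):
    """One request, no cookie jar, redirects not followed.
    Returns (status, lower-cased header dict, body text)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode("utf-8", "replace")


class _ScriptSrcs(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def _foreign(url, own_host):
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != own_host and not host.endswith("." + own_host)


def classify(status, headers, body, own_host):
    """Return verdict strings; an empty list means nothing off-site was seen."""
    own_host = own_host.lower()
    verdicts = []
    if 300 <= status < 400 and _foreign(headers.get("location", ""), own_host):
        verdicts.append(f"HTTP {status} redirect to {urlparse(headers['location']).hostname}")
    parser = _ScriptSrcs()
    parser.feed(body)
    for src in parser.srcs:
        if _foreign(src, own_host):
            verdicts.append(f"external script from {urlparse(src).hostname}")
    for match in JS_REDIRECT_RE.finditer(body):
        target = match.group(1) or match.group(2)
        if _foreign(target, own_host):
            verdicts.append(f"inline JavaScript redirect to {urlparse(target).hostname}")
    return verdicts


def probe(url):
    """Fetch url once per profile and classify each response."""
    own_host = (urlparse(url).hostname or "").lower()
    report = {}
    for name, hdrs in PROFILES.items():
        status, headers, body = fetch(url, hdrs)
        report[name] = (status, classify(status, headers, body, own_host))
    return report


if __name__ == "__main__":
    import sys
    for name, (status, verdicts) in probe(sys.argv[1]).items():
        print(f"{name:15} HTTP {status}  {'; '.join(verdicts) or 'nothing off-site'}")
```

Run it as `python probe.py https://example.com/` and again against a few posts, as the article advises. A clean site answers every profile the same way; a redirect that appears only for google-mobile is exactly the cloaking pattern described above. If your own IP is one the injected code skips, run the probe from another network as well.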

Why you also have to find the backdoor

Removing the redirect isn’t enough. If the attacker left a backdoor (often a small PHP file stashed in wp-content/uploads or elsewhere), they’ll re-inject the redirect within hours or days. You clean the .htaccess in the morning, it’s reinfected by evening.

A backdoor often looks like a file with an innocent name (wp-cache.php, class.php, a .php dropped in an images folder) containing obfuscated code. Look for recently modified PHP files and any .php sitting in folders that shouldn’t have them, like wp-content/uploads. As long as the entry point stays open, the cleanup won’t hold.
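The theme, mu-plugins and backdoor checks from the hiding-spots section and this one share the same legwork: walk wp-content and look at every PHP file. The scanner below is an added example (not WP-Detox's tool and not from the article) that does that in one pass. It lists every must-use plugin so you can confirm you installed it, flags PHP files under uploads or cache, reports calls to base64_decode, eval, gzinflate, gzuncompress or str_rot13, reports theme files that load a script from another host, and marks anything modified within the last few days. The demo tree it builds is constructed, the "injected" contents are inert markers that only trip the regexes, and example.com stands for your domain.

```python
"""Added example: scan wp-content for the theme injections, mu-plugins and
backdoor files the article describes."""
import os
import re
import tempfile
import time
from pathlib import Path
from urllib.parse import urlparse

# PHP calls the article lists as typical of obfuscated injections.
OBFUSCATION_RE = re.compile(r"\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
# Directories in which a .php file has no business being (the article names
# uploads; a cache directory is the same idea). Assumption of this example.
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/cache/")
DAY = 86400


def scan(root, own_host, recent_days=7, now=None):
    """Return {relative_path: [reasons]} for PHP files under root/wp-content."""
    root = Path(root)
    now = time.time() if now is None else now
    own_host = own_host.lower()
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, []).append(reason)

    for path in sorted((root / "wp-content").rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if rel.startswith("wp-content/mu-plugins/"):
            flag(rel, "must-use plugin: runs on every request, not shown in the plugins list")
        if rel.startswith(NO_PHP_DIRS):
            flag(rel, "PHP file in a directory that should not contain any")
        hits = sorted({m.group(1).lower() for m in OBFUSCATION_RE.finditer(text)})
        if hits:
            flag(rel, "obfuscation functions: " + ", ".join(hits))
        for src in SCRIPT_SRC_RE.findall(text):
            host = (urlparse(src).hostname or "").lower()
            if host and host != own_host and not host.endswith("." + own_host):
                flag(rel, f"loads a script from {host}")
        age_days = (now - path.stat().st_mtime) / DAY
        if age_days < recent_days:
            flag(rel, f"modified {age_days:.1f} days ago")
    return findings


# Constructed demo tree: path -> (content, age in days). The marker strings
# decode to "constructed sample" and do nothing useful if executed.
DEMO_FILES = {
    "wp-content/themes/shop/functions.php": (
        "<?php\nadd_action('wp_head', 'shop_meta');\n"
        "eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxl'));\n", 0.1),
    "wp-content/themes/shop/header.php": (
        "<!DOCTYPE html><html><head>\n"
        '<script src="https://cdn.casino-domain.xyz/r.js"></script>\n', 0.1),
    "wp-content/mu-plugins/loader.php": ("<?php\n// constructed sample: not installed by the site owner\n", 0.1),
    "wp-content/uploads/2024/class.php": ("<?php\n@eval(str_rot13('pbafgehpgrq fnzcyr'));\n", 0.1),
    "wp-content/plugins/akismet/akismet.php": ("<?php\n// Plugin Name: Akismet\n", 90),
}


def build_demo(root, now):
    for rel, (content, age_days) in DEMO_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        stamp = now - age_days * DAY
        os.utime(path, (stamp, stamp))


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp, now)
        return scan(tmp, "example.com", recent_days=7, now=now)


if __name__ == "__main__":
    # Replace run_demo() with scan("/path/to/wordpress", "yourdomain.tld") on a real site.
    for rel, reasons in run_demo().items():
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

Modification time is the weakest of these signals, since an attacker can reset it and a legitimate update also touches files, so use it to order the review rather than to decide it. A file that trips two or more checks at once, such as a recently modified PHP file in uploads that calls eval, is the backdoor profile this section describes.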

This same kind of intrusion also creates fake content: if you see pages you never wrote appearing, see how to remove casino spam posts.

Quick prevention

Once the site is clean, cut the risk of a repeat:

  • Update everything: WordPress core, theme, plugins. Most hacks exploit a known flaw in a plugin that wasn’t updated.
  • Change every password: WordPress admins, FTP/SFTP, database, hosting panel.
  • Delete any admin account you don’t recognize.
  • Install a security plugin (Wordfence, Sucuri, and so on) to monitor file changes and block attacks.
  • Watch file permissions: 644 for files, 755 for folders, and wp-config.php at 600 if your host allows it.

If your site was flagged by Google during the infection, also plan to remove the Google warning once the cleanup is done.

FAQ

Why do I only see the redirect on my phone? Because the injected code deliberately targets mobiles and skips desktops. That’s cloaking: the attacker maximizes the traffic they capture while staying invisible to you, since you administer the site from a desktop.

I cleaned the .htaccess but the redirect came back. Why? There’s still an active backdoor on the site, or a second infected spot (database, mu-plugin, theme). As long as the backdoor isn’t removed, the redirect code gets re-injected automatically.

Should I notify Google after the cleanup? Yes. Once the site is clean, request a review through Search Console to lift any “This site may harm your computer” warning and speed up reindexing of the clean pages.


If you want to cut to the chase, WP-Detox offers a free scan that shows you exactly what’s detected on your site: redirect rules, malicious options, backdoors. A full cleanup takes about 30 minutes, at €149 all-in, with a backup taken before any action. If we can’t clean your site, you get refunded.
