Downloading premium themes from torrents and other sources will cause auto redirection to other websites on mobile devices. For example, when your website comes on google search and someone click on the link then it will automatic redirect to the other site like http://happy-wheels-2-full.com etc. If you directly type your site’s URL on mobile and you are logged in your wordpress dashboard then it will not occur. Auto redirect will only occur when your site appears on google search result and you are not logged in your wordpress dashboard. Pretty intelligent programming by hackers ! Basically, they use base64 encoding to hide their code on your WordPress theme script.
So now the question is, how to get rid of it ?
Please watch the video, you will get the idea that how this malicious code can be removed from your site.
This is the line of code
aHR0cDovL2hhcHB5LXdoZWVscy0yLWZ1bGwuY29tLw== that is actually the address of http://happy-wheels-2-full.com/ as it was base64 encoded.
You can also encode and decode base64 codes here:- https://www.base64decode.org/
If you WordPress site redirects to other site and you cannot find any base64 encoding on your functions.php file then search it on-
You can scan for base64 decoding by getting a shell on your WordPress server and running the following in the root of the WordPress installation directory:
grep -r base64_decode *
In this case, we used winSCP to run terminal command. Simply download it and run the above code and search for malicious code.
Let us know if you need any help regarding this issue.