WordPress website gets redirected if coming from Search Engines.

I’ve decided to rewrite this article in English as many people seems to have the same trouble, but is very hard to find the solution. If you want this article in Japanese, click here. この記事の日本語版 “ワードプレスサイトが検索エンジンから来ると自動的に転送されてしまう症状” は左記リンクをクリックして下さい。

If you’re having trouble at your own site or manage a site that all the sudden did the same thing and want to fix it, just go to the end of this page so the solution.

The beginning of this matter was when I googled my own site and clicked on it, it gets redirected to a “googesearch.biz” domain

At first, I thought that my PC got infected with a virus. But when I directly typed in the URL, it does not get redirected at all. Well, very clever. Anyway, I didin’t know what has caused this matter, so I cut my PC from the web and made a virus check, waited the entire night. But nothing.

Next, I made a check with “malwarebytes” to the entire system but nothing at all. So, now, what should I do? I made my decision to step on the mine once again.
Malicious website screen that looks like google from few years ago.

After when the site got redirected successfully, it gets redirected again to another site.

The process are as follows:

  1. When an infected site gets searched in a search engine such as google, and the user clicks on it,
  2. and the infected site loads partially, or loads entirely, it gets redirected automatically to an URL address starting with “http://googosearch.biz”.
  3. Furthermore, when the “http://googosearch.biz” site loads successfully, it redirects to another site, at which my time was a sweepstakes site.
  4. If the “http://googosearch.biz” site does not load successfully, it just stays on that website that looks like a google site that looks a bit old.

The “googosearch.biz” domain gets redirected to the IP address of “”. This IP address is for “googosearch.biz” and it redirects everything from what it get searched such as from google

This time, the search term of “802.3at” has been used to search Ragnite Blue in google.


Malicious website screen that looks like google from few years ago.

After, when the the website gets successfully redirected, it gets redirected to the URL similar to below.

But, a popup appears first.

Popup screen when you have successfully loaded this malicious website.

Popup screen when you have successfully loaded this malicious website.

WordPress Theme Redirect

Screenshot of this malicious website.

Like those malicious softwares that looks like the antivirus softwares, this website is trying to look like google. However, its like the old google’s website and also, it can be seen that it failed to completely copy the google website and/or partially loaded google website.

Now, if you’ve installed malwarebytes and tried accessing this land mine, malwarebytes successfully denies access to this malicious website of “googosearch.biz”.

WordPress Malicious Theme Redirect

Loading this malicious website using Chrome

WordPress Theme Redirect

Malwarebytes successfully blocking this malicious website.


09:47:38	Administrator	IP-BLOCK (Type: outgoing)
09:47:41	Administrator	IP-BLOCK (Type: outgoing)
09:47:47	Administrator	IP-BLOCK (Type: outgoing)

As it was blocked, Chrome couldn’t load the page.

WordPress Theme Redirect


Below is the code from the redirected malicious website “googosearch.biz”‘s html code. Do not use it for bad things! 

Website code deleted as it is just cosmetics.

Below is the code that actually does the bad thing that is implemented in the “functions.php” file.

Actual code has been deleted but saved as a text file for informational purposes below.

If you’re having this problem, just delete the above code from your “functions.php” file and upload the corrected file to your server and everything shall be good as before!

このページの短いURL: https://thejuraku.com/pc/?p=723
103 queries in 0.200 seconds.