If your WordPress website has ever been hacked, you know there is still a lot of cleaning up to do, even after you have cleaned up the database and files and, of course, tightened your security, right?

In many cases, the hackers use the hacked website to inject spammy URLs containing pharmaceutical or other content on your website. Sometimes they inject even more malicious code, but that’s for another post another day.

One thing is cleaning up the hack, removing all the bad code and securing your website against future attacks. But what about the spammy URLs?

Fortunately, it is quite easy to make 301 redirects in WordPress, either the manual way by editing the .htaccess file or with the redirect feature in the WordPress SEO plugin by Yoast.

I use the excellent Redirection plugin by John Godley at urbangiraffe.com when I need to handle redirects. I have used it for years; it’s easy to use, stable and flexible.

404 errors can affect your SEO rankings

The problem is that when you have been hacked and have thousands of bad URLs you want to redirect, doing it manually is a hassle.

So, I decided to create a solution that automatically turns 404s into 301 redirects, and even cleans up the unused ones.

There are several ways this can be implemented, but for me, I just edited the 404.php page in my theme.

This means the first time a visitor (or robot) visits the URL, the 404 page is presented, as well as a 404 HTTP status. On any future visits to that URL, a 301 redirect is sent to the URL of your choice. Easy, right?

The first time a visitor goes to /buy-pills-of-some-kind.html:

A 404 page is presented, and the code below creates a redirect that is then handled by the Redirection plugin in the future.

Second (and following) visits to /buy-pills-of-some-kind.html:

A 301 redirect to the URL of your choice.

Voila 🙂

When you redirect 404s to the front page, you create what are called “soft 404s”. The best way to handle missing content is to redirect the URL to a related page instead of the front page of your website.

Warning: The following code can mess up your website if you do not know how to use it or understand the consequences. Please, be careful 🙂

Enough with the disclaimer, here is the code. If you do not have a 404.php file in your WordPress theme, create it.

The code is not pretty right now. Feel free to update as you see fit 🙂 Perhaps I will one day improve it when I have more time.

Crucial technical detail: The Redirection plugin runs and handles redirects before the 404.php template is called.

Under normal circumstances, I would have had to create a ton of redirects manually for the spammy URLs. By using this code the redirects were created automatically.

A few technical notes

Notice the last_count column? The rows that have “0” are redirects that have been created, but with no subsequent visits made (yet) to that URL.

The ones with “1” mean the page has been accessed twice. The first time just creates the redirect and presents a normal 404 page. The second time the redirect kicks in, and the “last_count” is updated.

All of this is handled by the Redirection plugin… Thank you, John, for the great plugin 🙂

Cleaning up old redirects

As you can imagine, redirects can quickly fill up your database, since every unknown URL requested by a visitor or robot creates one. The Redirection plugin monitors not only the number of redirects but also when each redirect was last accessed.

This means we can create a small piece of code that checks and deletes all redirects more than x days old.

I think 21 days (3 weeks) is a reasonable amount of time. The code below checks if there are any redirects that have not been accessed/used in more than 21 days, and then just removes them.
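An added example of such a cleanup, not the author's original code. It assumes the Redirection table has `last_access` (DATETIME) and `group_id` columns and that the auto-created redirects are kept in their own group; the function name, cron hook name and group ID `2` are hypothetical.

```php
<?php
// Added example, not the post's original code. Assumptions: the Redirection
// table is {$wpdb->prefix}redirection_items with last_access (DATETIME) and
// group_id columns, and auto-created redirects live in their own group.

/**
 * Count or delete auto-created redirects not accessed for $days days.
 *
 * @param int  $group_id Group holding only auto-created rows (hypothetical).
 * @param int  $days     Age threshold in days.
 * @param bool $dry_run  When true, only report how many rows would be removed.
 * @return int Rows matched (dry run) or rows deleted.
 */
function example_prune_stale_redirects( $group_id, $days = 21, $dry_run = true ) {
	global $wpdb;

	$table = $wpdb->prefix . 'redirection_items'; // the prefix may not be wp_
	$days  = max( 1, absint( $days ) );           // never allow a 0-day purge
	$where = 'group_id = %d AND last_access < DATE_SUB( NOW(), INTERVAL %d DAY )';

	if ( $dry_run ) {
		// Rows never revisited (last_count 0) carry whatever default last_access
		// your plugin version writes, so check this count before deleting.
		return (int) $wpdb->get_var(
			$wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE {$where}", $group_id, $days )
		);
	}

	// LIMIT keeps a single run small when a bot has created thousands of rows.
	$deleted = $wpdb->query(
		$wpdb->prepare( "DELETE FROM {$table} WHERE {$where} LIMIT 1000", $group_id, $days )
	);

	return false === $deleted ? 0 : (int) $deleted;
}

// Run once a day via WP-Cron instead of on every 404 page view.
add_action( 'example_prune_redirects_event', function () {
	example_prune_stale_redirects( 2, 21, false ); // 2 = hypothetical group ID
} );

if ( ! wp_next_scheduled( 'example_prune_redirects_event' ) ) {
	wp_schedule_event( time(), 'daily', 'example_prune_redirects_event' );
}
```

Scoping the delete to one group keeps redirects you created by hand out of the purge, and the dry run shows what would be removed before anything is.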

Let me repeat: Be very careful when you implement this. If you mess up you can set up redirect loops that prevent you and your visitors from accessing your website completely.

If you should be so unlucky as to create a redirect loop, you fix the problem by using phpMyAdmin or a similar tool to access your database. Look for the table normally called “wp_redirection_items” (the wp_ part might differ).

The redirects are in there. You can locate the faulty redirect(s) here and remove them, restoring your website.

