How to Fix WordPress Redirects to cloudcdnstatic.com & citadores.com

Malicious WordPress redirects are a common way of exploiting websites. Recently, the attacks have become more sophisticated: visitors are redirected only once, on their first visit. Some malicious redirects are triggered only when a visitor interacts with a page element, which avoids detection by scanners that inspect the page on load.

If your website is experiencing suspicious redirects, you have legitimate concerns about malware contamination. Here are the main steps you need to take:

Step 1

  • Perform a site backup, including website files and database. It will prevent further data loss.
  • Take down the website and replace the homepage with a temporary HTML page—it will prevent reputation damage.

Step 2

  • Perform a visual file inspection of the core files, plugins, and themes folders, looking for any suspicious traces of malware. Attackers commonly install code-snippet plugins and hide them from the dashboard.
  • Run a malware scanner, and look for malicious files.
  • Reinstall the core files and get fresh copies of each site component to remove any hidden malicious code. Avoid using nulled plugins or themes.
  • Review the users list with administrator privileges, and change all the passwords.
  • Isolate each WordPress site, if you’re using a single shared hosting account for two or more websites.

Step 3

  • Register the website with Google Search Console and ask for a reindex.
  • Review the blacklist status, and address each issue individually.
  • Install and configure a firewall, which will keep the website protected.
  • Apply all the available security updates.

The citadores.com domain used in this attack was last updated on Feb 1, 2025. The real host is hidden using the Cloudflare DNS filter. The nameservers are elinore.ns.cloudflare.com and kevin.ns.cloudflare.com.

If your organization is affected by malware related to this domain, you may fill out a Cloudflare report here: https://abuse.cloudflare.com/

It appears that the hosting provider behind www2.citadores.com is IP Volume, Seychelles. More details:
INT-NETWORK, SC

A second domain used in this attack is compassionanxiously.com, registered 45 days ago on Feb 11, 2025. This domain is hosted on 172.240.108.68, by Servers.com, Inc. The same IP can be found in the AbuseIPDB database.

Malicious domains: compassionanxiously.com, bandogsogtiern.top, citadores.com, and cloudcdnstatic.com.
Bad URLs:
https://www1.newsus.app/mpc/
https://tnews.contentraffic.com/?news
https://lyubov.empatiya.net/?news&p
https://www2.citadores.com/mpc
https://compassionanxiously.com/emr2zm1sk
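
To support the file inspection in Step 2, the following added example (not part of the original article) scans a site backup, including an SQL dump of the database, for the domains listed above. The base64 check is an assumption about how injected redirects are commonly obfuscated, and the function names are illustrative.

```python
import base64
import binascii
import os
import re
import sys

# Domains this page lists as malicious.
IOC_DOMAINS = ("compassionanxiously.com", "bandogsogtiern.top",
               "citadores.com", "cloudcdnstatic.com")
# File types where injected redirects usually live, plus SQL dumps of the database.
SCAN_EXT = {".php", ".js", ".html", ".htm", ".sql"}
# Assumption: long base64-looking runs may hide a URL, so decode and check them too.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_iocs(line):
    """Return the listed domains found in a line, in clear text or base64."""
    haystack = [line.lower()]
    for token in B64_RUN.findall(line):
        try:
            padded = token + "=" * (-len(token) % 4)
            haystack.append(base64.b64decode(padded).decode("latin-1").lower())
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore the token
    return {d for d in IOC_DOMAINS if any(d in h for h in haystack)}


def scan_tree(root):
    """Walk root and return sorted (relative path, line number, domain) hits."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCAN_EXT and name != ".htaccess":
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for number, line in enumerate(fh, 1):
                    for domain in find_iocs(line):
                        hits.append((os.path.relpath(path, root), number, domain))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python scan_iocs.py /path/to/site-backup
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, number, domain in found:
        print(f"{rel}:{number}: {domain}")
    sys.exit(1 if found else 0)
```

Run it against the backup taken in Step 1 rather than the live site; a clean result only means these four domains were not found, not that the site is free of malware.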
