Redirects showing on site

We have a GTmetrix report stating we have several redirects on the site, and we are not sure where they are coming from.

  • Predrag Dubajic
    • Support

    Hi Kimroy Bailey,

    Have you made some changes on your site in the meantime and found a cause of the redirects?

    I’m asking this because I’ve run a couple of tests on GTMetrix and the only redirects that are left now are these two:

    https://kim*****ley.com/wp-content/plugins/jetpack/https://stats.wp.com/s-202024.js
    https://kim*****ley.com/wp-content/plugins/jetpack/https:/stats.wp.com/s-202024.js

    And those seem to be a known bug in Jetpack:
    https://wordpress.org/support/topic/failed-to-load-resource-20/#post-12975150

    Best regards,
    Predrag

  • TrottBaileyFamily.com
    • Site Builder, Child of Zeus

    Hello Predrag,

    I have not made any changes to the website since this ticket opened. I just ran a test and I am seeing multiple redirects.

    Here is a list of the redirects I am seeing and the order in which they appear.

    a.clickcertain.com
    i.liamdm.com
    i.liamdm.com
    a.clickcertain.com
    cm.g.doubleclick.net
    a.clickcertain.com
    secure.adnx.com
    a.clickcertain.com
    x.bidswitch.com
    x.bidswitch.com

    Here is a link to the GTMetrix test https://gtmetrix.com/reports/kimroybailey.com/fXUBom4K

    Thanks,
    KB

  • Adam
    • Support Gorilla

    Hi Kimroy Bailey

    Thanks for the response!

    It’s interesting actually – I can see those redirects on the report that you shared but when I ran a new one on my own, no redirects were reported. So I ran some more tests and found out that they appear to be “region specific”:

    – when I run a GTMetrix test from the “Vancouver, Canada” location I get the same redirect chains reported
    – when I run a GTMetrix test from the “London, UK” location I’m not getting any redirects reported

    I didn’t test other locations but I think it’s related.

    Note: all these URLs are not really separate redirects; your report shows just three “redirect chains”, in this case the first one being initiated by the “a.clickcertain.com” URL, the second one by another “a.clickcertain.com” and the third one by “r.fidelid.com”.

    The “clickcertain.com” seems to be a legitimate (or at least “semi-legitimate” :wink:) RTB ad (Real Time Bidding) platform but I think you’d know if you were using it on purpose.

    It doesn’t seem like you’re serving any ads on site on purpose, right?

    In such a case it’s very likely that the site is infected (and equally possible that the code only executes for certain selected regions of the world). So I took the liberty of installing Defender on the site again and running its Malware scan again.

    It didn’t detect anything meaningful but I noticed something else and I think it explains a lot of things.

    Here’s the thing:

    1) I can see on the list of your sites that the site seems to be hosted with us
    2) but Defender returned very unexpected file paths as a result of the scan (not suitable for our hosting)
    3) then if I access the site via SFTP I see that Defender was installed there yesterday and yet it wasn’t installed currently on the site
    4) I also checked in WPMU DEV Dashboard and it points to some other servers (I think GoDaddy’s)

    Since the domain is directed through CloudFlare, I can’t go “past that” to see what happens next but it seems that for some reason the site might be served from different servers depending on the end-user location – probably it’s set in CloudFlare to point to multiple A and/or CNAME records and that acts like a sort of “load balancing”.

    This also makes it really difficult to troubleshoot anything as

    – I don’t really know for which test which version of the site is served
    – I might be working on one at one moment and next time on another one
    – one of the sites might be infected

    It’s quite an “uncommon” case but I’d start with this:

    – decide and let me know whether the site should actually be served from WPMU DEV Hosting or from that other host

    – if domain is about to be directed through CloudFlare all the time, please double-check at domain registrar that it is pointing there to CloudFlare only and no other server

    – and then at CloudFlare make sure that it has A/CNAME records set ONLY for the target server (may it be WPMU DEV hosting or that other one) where the site is supposed to be.

    This would be a starting point that should then give us consistent test results and ability to further test (and if necessary – clean up/adjust the site).

    Best regards,
    Adam
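
Added example (not part of the thread and not GTmetrix's own logic): one way to turn a flat list of redirecting requests, as exported from a browser HAR or a waterfall report, into the "redirect chains" described above and to list the third-party hosts that start them. The hostnames come from the thread; the site host `site.example`, the paths and the hop order are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: (request URL, HTTP status, Location header) per request.
# Hostnames appear in the thread; paths and hop order are made up.
SAMPLE = [
    ("https://site.example/", 200, None),
    ("https://a.clickcertain.com/px?id=1", 302, "https://i.liamdm.com/sync?s=1"),
    ("https://i.liamdm.com/sync?s=1", 302, "/sync?s=1&c=1"),
    ("https://i.liamdm.com/sync?s=1&c=1", 302, "https://a.clickcertain.com/cb?p=1"),
    ("https://a.clickcertain.com/cb?p=1", 200, None),
    ("https://a.clickcertain.com/px?id=2", 302, "https://cm.g.doubleclick.net/pixel?x=2"),
    ("https://cm.g.doubleclick.net/pixel?x=2", 302, "https://a.clickcertain.com/cb?p=2"),
    ("https://a.clickcertain.com/cb?p=2", 200, None),
    ("https://r.fidelid.com/r?u=3", 302, "https://x.bidswitch.com/sync?u=3"),
    ("https://x.bidswitch.com/sync?u=3", 302, "https://x.bidswitch.com/sync?u=3&ck=1"),
    ("https://x.bidswitch.com/sync?u=3&ck=1", 200, None),
]

def redirect_chains(entries):
    """Group 3xx hops into chains; a chain starts at a URL no other hop points to."""
    nxt = {}
    for url, status, location in entries:
        if 300 <= status < 400 and location:
            nxt[url] = urljoin(url, location)  # Location may be relative
    targets = set(nxt.values())
    chains = []
    for start in nxt:
        if start in targets:
            continue  # mid-chain hop, not an initiator
        chain, seen = [start], {start}
        # Follow hops until a non-redirect response or a loop is reached.
        while chain[-1] in nxt and nxt[chain[-1]] not in seen:
            chain.append(nxt[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains

def third_party_initiators(entries, site_host):
    """Hosts that start a redirect chain and do not belong to the site itself."""
    hosts = {urlsplit(c[0]).hostname for c in redirect_chains(entries)}
    return sorted(h for h in hosts if h != site_host and not h.endswith("." + site_host))

if __name__ == "__main__":
    for chain in redirect_chains(SAMPLE):
        print(" -> ".join(urlsplit(u).hostname for u in chain))
    print(third_party_initiators(SAMPLE, "site.example"))
```

Running the same grouping over captures taken from different test locations makes it easy to see whether the set of initiating hosts changes by region.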

  • TrottBaileyFamily.com
    • Site Builder, Child of Zeus

    Hey Adam,

    Thanks for your comprehensive breakdown.

    For starters, we recognized an error on our part where there were duplicate entries of the root domain pointing to separate hosting packages, one at WPMU Dev and the other at GoDaddy. We have removed the duplication; the domain now points exclusively to WPMU Dev Hosting. I hope this enhances your ability to further narrow down and continue your troubleshooting.

    For the record, we are not running any ads on our site. We would like all instances of the domains to be removed if possible.

    Thanks for your time and we are at your disposal should you have any additional questions or pointers.

    Regards,
    KB

  • Adam
    • Support Gorilla

    Hi Kimroy Bailey

    Thanks for the response and for sorting out the DNS issue.

    The site seems to be now consistently served from WPMU DEV Hosting so that part is fine.

    I’ve done some more investigation on this but I must say I still didn’t progress much:

    – none of the scans that I have done (Defender, Wordfence – I installed it temporarily just to scan and removed afterwards, Sucuri Health scan online) detect any threat

    – I have manually reviewed installation on server, checking files and database and didn’t find any signs of infection and any possible sources of such redirects

    Yet, GTMetrix still detects it and still only if tested using certain test locations.

    After further review of site configuration I’m thinking:

    – either I have missed something and there is some infection – but that’s quite unlikely
    – or there is an infection but not on site but on one of the 3rd-party services site connects to (as in “services it uses” or JS libraries it fetches from external locations) – in which case it should be identified and those services’ operators should be notified
    – or, which suddenly starts to sound quite likely, one of the 3rd-party services that you are integrating on site is actually either publishing ads in some regions or at least doing extensive visitor/customer tracking.

    Having said that, I have also asked my Second Line Support colleagues to give it another round of investigation, hoping that if I missed something, the “second pair of eyes” will spot it.

    I’d appreciate some additional dose of patience as it might take them a bit longer to get back to us (as they are dealing with lots of complex tasks on a daily basis) but we’ll update you here again as soon as we get any further information.

    Best regards,
    Adam