WordPress For Geeks #2: Detecting Spam Injection Links In A WordPress Installation

Welcome to the second week of WordPress for Geeks and a topic that all geeks absolutely need to know, how to tell if your WordPress site has been hacked. Back in the 90’s and early 2000’s hacking a site meant completely changing the landing page often replacing it with a scull and crossbones. Now hackers are often much more interested in your link juice than the victory of letting you know that your site has been compromised. In fact, their hope is that you never notice so you can keep giving them valuable link juice for nothing.

One of the most common attacks on a WordPress installation is spam link injection. This is often done once a hacker gains access to your site due to an insecure plugin or out of date WordPress installation. Once inside they add links back to their site, but these links often hard to spot so you might not find out about the injection until weeks, months or even years after it happens, unless you’re a geek. Since this is WordPress for geeks that’s exactly what we’re going to teach you how to do.

The first thing you want to do as a good WordPress Geek is constantly know when any of your important files change. To do this you’ll want to install WordPress File Monitor. It’s a free plugin that I’ve used for a long time and if someone makes any changes to your WordPress files, you’ll know right-away.

So how can you tell if someone has injected spam links into your WordPress installation if the links don’t show up directly in WordPress? Put up your geek antennas, we’re moving onto level two. You will need to use the WordPress file editor and search through your WordPress theme files looking for something with the “eval” command which is used to run an executable. It is this executable that is run through one of your PHP files that injects the spam links, but it’s completed encoded so what you see will look like a bunch of gabaly goop. Technically what is happening here is external Javascript code is being decoded with a base 64 decode.

Below is an example of what you’ll most likely see if your site has been compromised:

Wordpress Hacked

If you see this, don’t panic. Luckily you’re not the first person to be hit by this kind of attack so plenty of work has been done to remove the malicious code and get your site back to normal. The easiest way to solve the problem is to backup your database and then install a fresh copy of WordPress. Then load your new database into the new install of WordPress that is now free of the malicious code. You can read a more detailed description of how to rid your installation of spam injection links in one of my personal favorite articles, How To Completely Clean Your Hacked WordPress Installation.

Last but not least, in some cases hackers can get into your WordPress database which means copying it over won’t do a ton of good. In this case I’d look for an expert who knows MySQL and can easily look for errors in your database and get things back to tip top shape. So don’t wait until your site is magically de-listed from Google, start looking right away and make sure your blog has not been compromised. If it has remember, don’t panic, just solve the problem! You are now a bit geekier than you were last week, feel any different?


{ 6 comments… add one }

  • M August 8, 2012, 8:41 pm

    interesting, thanks for the info. I got hit with the timthumb exploit thing a few months back- wish I knew about this. But I also noticed the plugin you mention hasn’t been updated since 2010. Think that’s another security problem in itself ? (I’m pretty conservative on plugins b/c I know they too can be hacked)

  • JTPratt Media August 15, 2012, 11:35 am

    These types of plugins are great sometimes, but you can get a lot of false positive emails. Better WP Security has this feature built in, and you can secure and harden your site a couple dozen other ways as well.

  • zap August 17, 2012, 5:03 am

    You are recommending a plugin that:
    “This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

    • Morgan August 17, 2012, 11:43 am

      @Zap, yikes! I had no idea, I’ve been using this plugin for a long time now so haven’t gone back to this page in a while! Sounds like I’ll have to find another option to recommend if these guys aren’t putting their focus on it any more.

      Thanks for pointing this out!

  • JTPratt Media August 17, 2012, 12:48 pm

    Better WP Security has this feature built in – in addition to more than 2 dozen+ other security and hardening features

  • Maria Elena Gomez December 27, 2012, 3:26 am

    Es un articulo interesante y pues me gustaria saber si puedo referenciarlo desde mi pequeño blog.



Leave a Comment