ThemeLab's Blog


Dirty WordPress Hack Going Around, Cloaked to Search Engines


Recently there’s been a WordPress hack going around which has been using cloaking to target Google IP addresses. That means the spammers/hackers are somehow getting into your WordPress blog and generating a bunch of spam content and links that only Google can see.

This particular hack uses some particularly dirty methods, including inserting spam keywords into your own content, probably to control your keyword density.

They also don’t seem to place more than a couple of spam links on the page, probably because they don’t want you to get banned (so you can still pass link juice to them). Kind of like a parasite not trying to kill its host.

I’ve made a quick screencast to go over what the hack does and how to see if it’s happened to your site.

What We Know So Far

  • Altered content is only visible to search engines like Google and Yahoo; regular visitors won’t notice.
  • There are probably “rogue” files somewhere on your WordPress install that need to be deleted.
  • Existing WordPress files may be altered with encrypted code added.
  • There might be duped admin accounts on your WordPress install as well that need to be removed.
  • Update: There is a discussion going on about this hack at the WP Tavern forums.

If you have any other information, please leave a comment below. I’ll update this post with new information periodically.
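Because the altered content is served only to search engines, one check is to diff the copy a visitor gets against the copy a crawler got (for example, the HTML of the search engine's cached page). This is an added example, not code from the original post; the `crawler_only` helper, the sample pages and the `example` hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
import re
from urllib.parse import urljoin, urlparse


class PageView(HTMLParser):
    """Collect absolute link targets and visible words from one copy of a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()
        self.words = set()
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(urljoin(self.base_url, href))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(re.findall(r"[a-z0-9']+", data.lower()))


def parse_view(html, base_url):
    view = PageView(base_url)
    view.feed(html)
    view.close()
    return view


def crawler_only(visitor_html, crawler_html, base_url):
    """Return (off-site links, words) present only in the crawler's copy."""
    visitor, crawler = parse_view(visitor_html, base_url), parse_view(crawler_html, base_url)
    site = urlparse(base_url).hostname
    links = sorted(u for u in crawler.links - visitor.links
                   if urlparse(u).hostname not in (None, site))
    return links, sorted(crawler.words - visitor.words)


# Constructed sample copies of one post (not captured from a real site).
VISITOR = '<p>New themes released today. <a href="/about">About</a></p>'
CRAWLER = ('<p>New themes cheap pills released today. <a href="/about">About</a> '
           '<a href="http://spam.example/pills">pills</a></p>')

if __name__ == "__main__":
    print(crawler_only(VISITOR, CRAWLER, "http://blog.example/"))
```

Remove the search engine's own cache banner from the cached copy before comparing, or its links and wording will show up as differences.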

  • http://www.jrfarr.com JR Farr

    Dude, thanks for posting this. How’d you come across this anyway?

    Good job and I’m sure plenty of people will appreciate this. Especially since you told them ways to possibly remove it.

    • Leland

      I first heard of it when it happened to Chris Pearson’s blog, then I heard the WPQuestions blog had the same hack via @utkarshkukreti on Twitter.

  • http://www.redmetalbox.com Michael Savage

    So the only way to realize this has happened is to wait till Google caches it?

    • Leland

      Unless you can spot the suspicious files/users beforehand, unfortunately I’m not sure how exactly to check if you’re hacked in this way before Google/Yahoo caches it.

  • http://www.FullSpeedSEO.com Joshua Ziering – A Phoenix SEO

    Until more information is gathered, I imagine you could check for this by using the Change Useragent Firefox plugin https://addons.mozilla.org/en-US/firefox/addon/59 to set your user agent to a googlebot useragent like: Googlebot/1.0 (googlebot@googlebot.com http://googlebot.com/)

    Then go visit your sites to see if you have mysterious new links.

    Josh

    • Leland

      Josh, I actually tried checking it with the user agent, but I think it might have to be from a Google IP address as well to see the altered content.

  • http://jaypeeonline.net Jaypee

    Thanks for the info Leland! I wasn’t aware of this until I read your article. I’m sure many WordPress users will find this information useful.

    Btw, I checked my blog using the procedure specified in the screencast and fortunately my blog doesn’t display any spam links/keywords.

    I’m adding this article to my “late” Weekend Roundup. Again, thanks for sharing! :)

    • Leland

      No problem Jaypee, glad you didn’t find any hacky stuff in your search results.

      Thanks for including this in your weekend roundup!

    • http://jaypeeonline.net Jaypee

      Yeah, I was glad I didn’t find any spammy stuff on my search results. I’m gonna keep checking because as you mentioned, some of it may only appear after Google caches/indexes it.

      No problem. It’s very useful info for WP users and I’m just trying to spread the word and help other users know about this issue.

  • http://www.waynejohn.com Wayne John

    Good info, thanks for posting it. One of the existing people that were hacked should provide a copy of their code to people that could determine if there is a way to detect it and remove it, hopefully before Google indexes the content.

    Good stuff!

    • Leland

      I think that would be useful, especially if they spot a malicious file. If they share the code, it could shed some light as to how exactly the hack works.

    • http://jaypeeonline.net Jaypee

      That’s right. I hope someone who’s been affected by this hack would share the details and the files that were used so that the experts can take a look at it and determine what measures can be done to prevent future problems.

  • http://www.redmetalbox.com Michael Savage

    Keep us updated if you hear more on this, Leland. Since my business site is powered by WordPress, it makes me want to check often.

  • http://www.chrispian.com chrispian

    Have you been able to tell if it’s happening to the current version of WP or just older versions? Also, have you looked to see if it’s a plugin doing it? I recently found a plugin in the repository doing much the same (details here: http://www.chrispian.com/169/wordpress-plugin-alert-about-the-author-box ).

    I’ve seen this hack before, but it was in older versions of WP and they mainly tweaked your .htaccess file to redirect all SE traffic to one of their spammy sites, along with what you described in the post. Now we don’t have to worry about just hackers, but spammers who hack too.

    • Leland

      I haven’t heard of that plugin before, but I’d recommend reporting it to the WordPress.org people because I’m sure that’s not allowed.

      This hack that I’ve described seems to be much more elaborate than just a single spam link inserted through a plugin.

      I’m not exactly sure what’s causing it, could be any number of things.

  • http://ifranky.com Franky

    You don’t have to wait for Google’s cache. You can use the Fetch as Googlebot tool.