My WordPress Blog was Hacked… again!

I periodically check my blog stats with Google Analytics, something I did the other night. Take a look at the traffic graph (click the image to see a bigger version):

ColinMcNulty.com Monthly Traffic Graph

As you can see, something happened around the 5th Feb that knocked about 75% of the normal traffic off the site! Obviously I was bothered about this and so decided to investigate. The question is, where to start? First I started by checking why the traffic dropped. Searching Google for terms I know I normally rank for proved it, I was no way near the top for many of the search terms I normal am for.

The first thing to do was to check Google Webmaster Tools, which is a great resource for managing your site and for getting notified of any issues that Google finds with your site. Initially it identified a missing page, which has 4 links on my site pointing to it. I was aware of this (will fix it one day) which was caused a couple of years ago when I renamed a category. So nope, that wasn’t it. What else?

Webmaster Tools didn’t throw up any specific warnings so I had to delve a bit deeper. The Crawl Statistics page was the first page that started to give a hint as to what was going on, take a look:

Google Webmaster Tools Crawl Stats

Compare the pages downloaded per day to the bandwidth per day graphs. You can see that the number of pages that the Googlebot is crawling has stayed pretty much the same (i.e. each time Google visits my blog) , but the amount of bandwidth google downloaded per day more than doubles around the 5th Feb. Coincidence? I think not!

Let’s think about this, if the pages downloaded is the same number but the bandwidth has increased, then the physical size of each page must have increased. About doubled in fact. I was starting to get a déjà vu feeling here, somewhat similar to when my wordpress blog was hacked last year.

So off to another Webmaster Tools page, the one that shows what Google sees on your site. There it lists the external links to your site, but also the keywords that Google has identified. Here’s what Google thinks my site is about, in descending order of importance:

Colin McNulty Blog Keywords
Colin McNulty Blog Keywords

WTF!!! You can see Crossfit down in 18th place and my blog is certainly nothing to do with ringtones. There we go, proof my website was hacked. Now to check: off to Google to check the cache that Google keeps of my site. However there was nothing obvious on the normal cache, until I looked at the Text Only Version, which is a really useful tool for assessing what Google really sees on your site. Aha, result. Take a look what I find at the very bottom of my home page (in fact every page on the site):

Hacked WordPress with Hidden Links
WordPress Hacked with Hidden Links

Damn it, hacked again. The exact same problem as last time, about 500 hidden links inserted at the bottom of the page. The last time this happened, I had not updated my WordPress version for some time, mostly due to laziness and fear of the upgrade breaking something.

This time however, I was only just behind the latest version. I had the latest 2.6.x version (I forget what the x was, 2.6.5 I think, but it was the latest). However WordPress v2.7 was out and I hadn’t upgraded to it. Mostly because it was a major re-write of the WordPress admin user interface and I was waiting for a point release (i.e. 2.7.1) before upgrading to make sure any problems with the latest release had been ironed out.

That was obviously going to have to change, so straight away I backed up the site and upgraded to WordPress 2.7.1 . A quick check of the source code showed that the errant urls had gone as a result of the upgrade, which was nice. Just to be sure though I wanted to check the Google cache. To do this, I’d have to wait for Google to re-cache the site though and I didn’t want to wait that long, or risk the hack having been done some other way I hadn’t spotted.

So using some of the cool add-ins I’ve got with FireFox (you do use FireFox instead of Internet Explorer don’t you??) to disable java script and turn off Cascading Style Sheets (CSS) so as to see a virtually text only version of the page, and it looks like this:

ColinMcNulty.com After WordPress Upgrade to v2.7
Hacked Blog After WordPress Upgrade to v2.7

Magic, dodgy urls gone. Lessons then: 1) Keep up to date with WordPress upgrade versions. 2) Think of some way to monitor and identify if this happens again.

Also I want my rankings back as soon as possible. It’s likely that when Google re-caches my site, it should sort itself out, but in order to make sure there were no lingering spam penalties, I have filed a Google Reinclusion Request (another feature of Google Webmaster Tools). I’ll be checking to see how my rankings are over the next few weeks and will report back if things don’t go according to plan.

{ 12 comments… add one }
  • Steve J 22 February 2009, 10:06 am

    So, where are the ringtones google promised then? 🙂

    I used to get a lot of spam on my old blog, lots of comments offering viagra or some such nonsense.

  • Colin McNulty 22 February 2009, 10:23 am

    Oh the irony, Wordpress marked your comment as potential spam and I had to approve it first. Lol

  • welshtroll 4 March 2009, 7:03 pm

    The new backend of Wordpress notifies you when there is a new version on the admin page and now also does automatic update without the need to ftp the files 🙂

    Hopefully will allow you to keep up with the versions

  • Colin McNulty 4 March 2009, 7:24 pm

    Hi WT. I already had an auto updating plugin. I just need to be more proactive at keeping uptodate.

  • Josh 14 April 2009, 4:37 pm

    My comment feed hasn’t worked in forever. A few times I went in to track down the problem but never found it. After this post, I think I will look at my site more closely.

  • bob 14 April 2009, 4:43 pm

    Just to be clear on the current issue of recent hacks, many non-WordPress blogs and websites are impacted by the current Google/Search Engine Redirect hacks, so this might not be a WordPress specific issue. Upgrading, especially for security issues, has been around as long as software has been around, so blasting away at WordPress isn’t helping anyone, especially as many of the recent attacks are not WordPress-specific.

  • Ostwald 14 April 2009, 4:45 pm

    The consequences of such attacks (for small bloggers) could be severe, not only as a temporary disruptions, but also as a long term SEO penalties. Especially with Google which seems to keep record of your bad content for a long time.

  • Jonathan Dear 20 April 2009, 3:28 am

    I had the exact same thing happen to me recently… Now I don’t come up in any google searches – all while running 2.7.1 which is strange. changing themes still yielded the same crap in the footer (I used websniffer.net) to simulate how googlebot views.

    Tricky sucker – doesn’t show up at all, except to googlebot, so a simple view source on your page of your browser doesnt show the dirty links.

    I found the offending code in the footer.php file. After the RSS links code there was this line of code:

    <?php
    // WordPress footer
    wp_footer();

    where this wp_footer(); function is I dont know, but commenting it out – putting //wp_footer(); in instead removed the links.

    There was also a wordpress user in the database so I deleted him, and renamed my admin user to something other than admin.

    I hope this info helps someone else – not much info on it on the net. I hope google adds me again soon!

  • Colin McNulty 20 April 2009, 8:23 pm

    Hi Jonathan, it looks like you’ve removed the whole footer code. It would be better to find the file that’s got the offending code in. Download all your website WordPress files and do a search. Or an easy trick is to sort by file size, the largest file is likely to be the culprit.

    And yes your rankings do come back. It wouldn’t hurt to file a re-inclusion request with google, which you can do through your Google WebMaster Tools account. FYI it took my site 3 weeks to get its rankings back.

  • Jonathan Dear 20 April 2009, 11:23 pm

    Hi Colin,

    Funny – when I take out that line of code, It still displays the footer of the blog – so it must be an extra function call. The wordpress default theme also had it, but not the original theme. So they had gone to the trouble of adding that code to the other themes as well.

    Your right though, I need to find where the code is that the function is called. I’ll load up the files and do a search for it.

    thanks for the update on google – our traffic has suffered bigtime as a result.

  • Frank 24 April 2009, 12:23 pm

    Changing the default “admin” user is a must do for any new Wordpress installation. I also have installed a WP plugin that protects you against brute force attacks.

    It is called Login Lockdown:

    http://wordpress.org/extend/plugins/login-lockdown/

  • Colin McNulty 26 April 2009, 8:36 pm

    Thanks for the tips Frank. I’ll take a look at that plugin, and changing the admin user is always a good idea too. My password is fairly “strong” in that it’s not a real word etc, so I assumed the security hole was probably a known vulnerability in an old version of WordPress.

    EDIT: I’ve just looked at editing the admin user, but I get this: “Your username cannot be changed.” next to the username.

Leave a Comment