{"id":406,"date":"2009-02-22T06:41:55","date_gmt":"2009-02-22T06:41:55","guid":{"rendered":"http:\/\/www.colinmcnulty.com\/blog\/?p=406"},"modified":"2009-02-22T06:41:55","modified_gmt":"2009-02-22T06:41:55","slug":"my-wordpress-blog-was-hacked-again","status":"publish","type":"post","link":"https:\/\/www.colinmcnulty.com\/blog\/2009\/02\/22\/my-wordpress-blog-was-hacked-again\/","title":{"rendered":"My WordPress Blog was Hacked… again!"},"content":{"rendered":"

I periodically check my blog stats with Google Analytics, something I did the other night. Take a look at the traffic graph (click the image to see a bigger version):<\/p>\n

\"ColinMcNulty.com<\/a><\/p>\n

As you can see, something happened around the 5th Feb that knocked about 75% of the normal traffic off the site<\/strong>! Obviously I was bothered about this and so decided to investigate. The question is, where to start? First I started by checking why the traffic dropped. Searching Google for terms I know I normally rank for proved it, I was no way near the top for many of the search terms I normal am for.<\/p>\n

The first thing to do was to check Google Webmaster Tools<\/strong>, which is a great resource for managing your site and for getting notified of any issues that Google finds with your site. Initially it identified a missing page, which has 4 links on my site pointing to it. I was aware of this (will fix it one day) which was caused a couple of years ago when I renamed a category. So nope, that wasn\u2019t it. What else?<\/p>\n

Webmaster Tools didn\u2019t throw up any specific warnings so I had to delve a bit deeper. The Crawl Statistics page was the first page that started to give a hint as to what was going on<\/strong>, take a look:<\/p>\n

\"Google<\/a><\/p>\n

Compare the pages downloaded per day to the bandwidth per day graphs. You can see that the number of pages that the Googlebot is crawling has stayed pretty much the same (i.e. each time Google visits my blog) , but the amount of bandwidth google downloaded per day more than doubles<\/strong> around the 5th Feb. Coincidence? I think not!<\/p>\n

Let\u2019s think about this, if the pages downloaded is the same number but the bandwidth has increased, then the physical size of each page must have increased. About doubled in fact. I was starting to get a d\u00e9j\u00e0 vu feeling<\/strong> here, somewhat similar to when my wordpress blog was hacked last year<\/a>.<\/p>\n

So off to another Webmaster Tools page, the one that shows what Google sees on your site. There it lists the external links to your site, but also the keywords that Google has identified. Here\u2019s what Google thinks my site is about<\/strong>, in descending order of importance:<\/p>\n

\n
\n
\"Colin<\/a><\/dt>\n
Colin McNulty Blog Keywords<\/dd>\n<\/dl>\n<\/div>\n

WTF!!! You can see Crossfit down in 18th place and my blog is certainly nothing to do with ringtones. There we go, proof my website was hacked<\/strong>. Now to check: off to Google to check the cache that Google keeps of my site. However there was nothing obvious on the normal cache, until I looked at the Text Only Version, which is a really useful tool for assessing what Google really sees on your site. Aha, result. Take a look what I find<\/strong> at the very bottom of my home page (in fact every page on the site):<\/p>\n

\n
\n
<\/a><\/dt>\n
WordPress Hacked with Hidden Links<\/dd>\n<\/dl>\n<\/div>\n

Damn it, hacked again. The exact same problem as last time, about 500 hidden links<\/strong> inserted at the bottom of the page. The last time this happened, I had not updated my WordPress version for some time, mostly due to laziness and fear of the upgrade breaking something.<\/p>\n

This time however, I was only just behind the latest version<\/strong>. I had the latest 2.6.x version (I forget what the x was, 2.6.5 I think, but it was the latest). However WordPress v2.7 was out and I hadn\u2019t upgraded to it. Mostly because it was a major re-write of the WordPress admin user interface and I was waiting for a point release (i.e. 2.7.1) before upgrading to make sure any problems with the latest release had been ironed out.<\/p>\n

That was obviously going to have to change, so straight away I backed up the site and upgraded to WordPress 2.7.1<\/strong> . A quick check of the source code showed that the errant urls had gone as a result of the upgrade, which was nice. Just to be sure though I wanted to check the Google cache. To do this, I\u2019d have to wait for Google to re-cache the site though and I didn\u2019t want to wait that long, or risk the hack having been done some other way I hadn\u2019t spotted.<\/p>\n

So using some of the cool add-ins I\u2019ve got with FireFox<\/strong> (you do use FireFox instead of Internet Explorer don\u2019t you??) to disable java script and turn off Cascading Style Sheets (CSS) so as to see a virtually text only version of the page, and it looks like this:<\/p>\n

\n
\n
\"ColinMcNulty.com<\/a><\/dt>\n
Hacked Blog After WordPress Upgrade to v2.7<\/dd>\n<\/dl>\n<\/div>\n

Magic, dodgy urls gone. Lessons then: 1) Keep up to date with WordPress upgrade versions. 2) Think of some way to monitor and identify if this happens again.<\/p>\n

Also I want my rankings back as soon as possible. It\u2019s likely that when Google re-caches my site, it should sort itself out, but in order to make sure there were no lingering spam penalties, I have filed a Google Reinclusion Request<\/strong> (another feature of Google Webmaster Tools). I\u2019ll be checking to see how my rankings are over the next few weeks and will report back if things don\u2019t go according to plan.<\/p>\n","protected":false},"excerpt":{"rendered":"

I periodically check my blog stats with Google Analytics, something I did the other night. Take a look at the traffic graph (click the image to see a bigger version): As you can see, something happened around the 5th Feb that knocked about 75% of the normal traffic off the site! Obviously I was bothered […]<\/p>\n","protected":false},"author":161,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[11,12,10],"class_list":{"0":"post-406","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-uncategorized","7":"tag-blog","8":"tag-hack","9":"tag-wordpress"},"_links":{"self":[{"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/posts\/406","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/users\/161"}],"replies":[{"embeddable":true,"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/comments?post=406"}],"version-history":[{"count":0,"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/posts\/406\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/media?parent=406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/categories?post=406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.colinmcnulty.com\/blog\/wp-json\/wp\/v2\/tags?post=406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}