Not a good thing to see

A friend recently had a problem with his WordPress-based website. I was searching for his website one day in Google when I noticed that an ominous warning was displayed beneath his site listing:

This site may be hacked.

A handy link was there to warn people what it may mean and that they should alert the website owner. Naturally, I did.

He was horrified, understandably, and his first reaction was "why would someone hack my website?" My answer was that they were paid to build links for websites wanting to get a better Google position. I’ve proven that this doesn't always work.

On Closer Inspection

Being the nice chap that I am, I offered to help him out to see if we could fix the problem, which was being nicely highlighted for him by Google.

At first his website seemed to be functioning fine, but a closer look at the HTML source of the page revealed a large number of hidden spam links for Viagra etc.

It was clear that the hackers had somehow used an exploit* in either the web host, WordPress, or a theme/plugin that was being used.

footer.php

With all the links appearing at the bottom of the webpage, it seemed reasonable to look to see if there had been any code added to the footer.php file for WordPress or the theme that was being used. The contents of the file looked ok (no nasty links had been added) and so my next guess was that they were using the wp_footer() function hook to load in the links.

Remove the wp_footer() bit

To see if this indeed was the case, I removed the small section of code in the footer.php THEME file

   <?php wp_footer(); ?>

and uploaded the modified footer.php file to the server via FTP.

A refresh of the page showed that the links were now gone!

The problem with removing this code was that a couple of plugins relied upon it and so some further digging is now required to find the source of the hack that was being called by wp_footer() and remove it.
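Since the links were being injected through wp_footer(), one way to do that digging is to list every callback registered on the hook along with the file that defines it. This is an added example, not code from the original post; it assumes WordPress 4.7 or later and a temporary drop into wp-content/mu-plugins, and the sample function name is hypothetical.

```php
<?php
// Added example, not from the original post. Assumes WordPress 4.7+, where
// $wp_filter['wp_footer'] is a WP_Hook object with a public $callbacks array.

/** Resolve a PHP callable to "name @ file:line" using reflection. */
function describe_callback($cb): string {
    try {
        if ($cb instanceof Closure || (is_string($cb) && strpos($cb, '::') === false)) {
            $ref = new ReflectionFunction($cb);
            $name = is_string($cb) ? $cb : '{closure}';
        } else {
            if (is_string($cb)) { $cb = explode('::', $cb, 2); }   // "Class::method"
            if (is_object($cb)) { $cb = [$cb, '__invoke']; }       // invokable object
            $ref = new ReflectionMethod($cb[0], $cb[1]);
            $name = $ref->class . '::' . $ref->name;
        }
    } catch (ReflectionException $e) {
        return 'unresolvable callback: ' . $e->getMessage();
    }
    return sprintf('%s @ %s:%d', $name, $ref->getFileName() ?: '[internal]', (int) $ref->getStartLine());
}

/** Flatten a hook's callbacks (priority => id => ['function' => callable]). */
function list_hook_callbacks(array $callbacks): array {
    $out = [];
    ksort($callbacks);
    foreach ($callbacks as $priority => $entries) {
        foreach ($entries as $entry) {
            $out[] = sprintf('[%d] %s', $priority, describe_callback($entry['function']));
        }
    }
    return $out;
}

if (defined('ABSPATH')) {
    // Inside WordPress: log the list just before the other footer callbacks run.
    add_action('wp_footer', function () {
        global $wp_filter;
        foreach (list_hook_callbacks($wp_filter['wp_footer']->callbacks) as $line) {
            error_log('wp_footer callback: ' . $line);
        }
    }, PHP_INT_MIN);
} else {
    // Run from the command line: constructed sample with hypothetical names.
    function sample_footer_links() {}
    $sample = [20 => [['function' => function () {}]], 10 => [['function' => 'sample_footer_links']]];
    echo implode("\n", list_hook_callbacks($sample)), "\n";
}
```

WordPress core's own footer callbacks resolve to files under wp-includes; an entry that points at a file you do not recognise, or at eval()'d code, is where to look next.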

I’ll report back with the results!

* Naturally, it’s important to ensure that both your server and WordPress installation are kept up to date with patching to avoid exploits.