It’s only natural that popular software attracts unwanted attention from hackers, spammers, baddies and other Russian types (only kidding, Russia and people thereof, please don’t kill me 😉).
It’s funny how some in the community call adding functionality without a plugin a hack. I don’t really like the term used in this way; to me, hacks mean only one thing: trouble.
I thought I would run through a recent hack I encountered and how I got rid of it.
The sape.ru Hack
I thought I’d start with this one as it affected a customer’s website fairly recently. Now there seem to be a few variations and it looks to have been on the go for some time (maybe 5 years). This is annoying as it means WordPress hasn’t evolved enough to stop it.
The main modus operandi of this particular hack is to inject dodgy links into the footer of the website. Some have reported these being of an illegal nature, but the ones I discovered were to spammy websites selling Ugg boots or watches etc.
In this case it was using a function called wp_foot() to add these spam links. However, just deleting this and updating everything did not resolve the problem; it came back. This meant there was a malicious file kicking about somewhere! I didn’t have the ability to search via SSH and had to act fast. Some people have reported that the problem file was called footer_top.php. This was not present in this particular theme, but I had read that inactive themes could be infected some time ago, so I deleted all the default WordPress themes and any others not being used. I did the same for the plugins. I also spotted a search plugin which was in use but which I really did not recognise. I checked the functionality and did not see any benefits and thought it was questionable, so I deleted that too. Problem solved!
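When a copy of wp-content can be downloaded (over FTP, for example), the indicators mentioned above can be searched for offline instead of deleting themes and plugins blind. The script below is an added example, not code from the original post: it flags calls to wp_foot() (WordPress core's own footer hook is wp_footer()) and files named footer_top.php. The search for the string "sape.ru", the function names and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the post: a wp_foot() call and a file called
# footer_top.php. Searching for the string "sape.ru" is an assumption
# based on the name of the hack, not something the post confirms.
WP_FOOT = re.compile(r"\bwp_foot\s*\(")  # does not match wp_footer(
SAPE = re.compile(r"sape\.ru", re.IGNORECASE)
SUSPECT_NAMES = {"footer_top.php"}

def scan(root):
    """Return sorted (relative_path, line_no, reason) hits under root.
    line_no is 0 when the hit is on the file name rather than a line."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in SUSPECT_NAMES:
            hits.append((rel, 0, "suspect filename"))
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if WP_FOOT.search(line):
                hits.append((rel, no, "wp_foot()"))
            if SAPE.search(line):
                hits.append((rel, no, "sape.ru reference"))
    return sorted(hits)

def build_sample(root):
    """Constructed sample: a clean active theme and an infected inactive one."""
    files = {
        "themes/active/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
        "themes/old-default/footer.php": "<?php wp_foot(); ?>\n<?php wp_footer(); ?>\n",
        "themes/old-default/functions.php":
            "<?php\nfunction wp_foot() {\n    include 'footer_top.php';\n}\n",
        "themes/old-default/footer_top.php":
            "<?php // constructed placeholder mentioning sape.ru\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, no, reason in scan(tmp):
            print(f"{rel}:{no}: {reason}")
```

Point scan() at the downloaded wp-content folder and include inactive themes and plugins, since the infected file in this case was not in the active theme.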
You might think this isn’t a particularly evil hack; after all, it’s just links, right? Well, yeah, but if the big Goog finds them on your website you could be slammed down the rankings or taken off entirely. Although some would definitely dispute this, especially if they wear black hats.
The lessons here are, of course: keep everything updated. Delete any unused themes and plugins. Don’t install crappy plugins that don’t really do much, and don’t forget to back up your WordPress website; that way, if you can’t find the offending file, you should have a clean backup to revert to.