Dear Webmaster, Your WordPress Blog has been Hacked

We’ve all seen hacked WordPress blogs. Right? Most SEOs and techies in our beloved industry certainly have, but WordPress blog hacking is a relatively unknown subject to the less tech-savvy blogger and, unbeknownst to them, their cherished weblogs are linking out to some pretty disgusting parts of the Internet…

About a year ago, I was looking at some rankings for the keyphrase “airline tickets”. Kicking around page 2 in Google.com, I saw a result that instantly stood out as anomalous. Looking at the backlinks, it was pretty clear that an entire legion of WordPress blogs had been hacked to link out to a spam site. One of those WordPress blogs belonged to Rob Da Bank, a DJ who I (sort of) worship, so I contacted him:

Hi Rob

I think your bestival podcast site has been hacked. I’ve found a network of links hidden in the source code of your podcast website:

http://rdbpodcast.co.uk/2007/09/12/sunday-best-13-the-bestival-podcast-part-one/

If you go to this page and view with CSS switched off in Firefox you’ll see what I mean. You’re linking to pages about Viagra!

I doubt this is you guys search engine spamming intentionally; it looks more like you’ve been a victim of the many WordPress vulnerabilities that are being used by black hat linkbuilders in the SEO community.

I hope this is useful – I found it when I was investigating a set of strange search engine results (I’m an SEO in London) – I really recommend cleaning this mess up and patching your WordPress as soon as you can.

If you need to ask any questions please give me a call and I’d be happy to try and help.

Richard

The response was pretty cool! In fact, after sorting out the problem with his technical guys, Rob was kind enough to give me a free ticket to Bestival (which I went to, and loved!).

Anyway, the same situation occurred several months later with another hacked WordPress blog (that I stumbled across in much the same linky investigations – and no! it’s not me hacking these sites for free stuff!).

This time, Paul Drussel’s “The Drussel Chronicles” had suffered from the sudden acquisition of a few extra pages and outbound links. Here’s what I sent to him:

Hi There

While analysing some backlinks for some mysterious Google rankings I found links from pages on your site:

http://drussel.net/?get-item=89

This doesn’t look like a page you added – in fact, it looks like your WordPress installation has been compromised through not keeping it up to date.

You can get more info on the problem here:

http://googlewebmastercentral.blogspot.com/2009/02/best-practices-against-hacking.html

In the meantime, you might want to check your homepage – the text at the top of the page is advertising numerous pharmaceutical drugs! (Install Web Developer Toolbar and lift off your CSS stylesheet.)

If you need assistance let me know, though you should find this article helpful:

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Best regards,

Peter got in touch with me and took down his site and promptly fixed the problem. Done. But what’s the point of this blog post?

If you come across a hacked WordPress installation, you might as well send a quick email to let them know. It’s just the nice thing to do!

If you do choose to send that email, I’ve been working on V3 of my “Dear Webmaster, your WP security sucks..” email. Here it is:

Hi there,

While analysing backlinks for some mysterious Google rankings (I’m an SEO), I found some interesting links originating from your WordPress blog. It looks like your site has been hacked, as it seems pretty unlikely you’d normally link out to websites that sell Viagra.

Don’t worry, this happens a lot of the time and there are some simple steps you can take to fix the problem.

1) Read this post from Google for a background on typical vulnerabilities and best practices against hacking

2) Follow the instructions here or here to clean up your installation

3) Make sure you’re running the latest version of WordPress and install WP Security Scan to keep a good eye on any potential vulnerabilities in your current setup. Most of all, keeping your WordPress installation up to date will protect you from most threats.

4) Set up a Google alert as mentioned in this blog post, so if your site is compromised, you’ll be notified

5) Register your site with Google Webmaster Tools, who can let you know if your site has been hacked

It feels really unfair when a good quality site gets hacked, so if it looks like the site you’re visiting has been compromised, send the email to let them know. You never know, it *may earn you a link…

*May associate your website with Viagra.
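The emails above rely on switching off CSS and eyeballing the page. As an added example (not code from the original post), here is a small Python script that automates that check on a page’s HTML: it flags links sitting inside elements whose inline style hides them from readers, and links whose text or URL carries pharma spam vocabulary. The style patterns, the keyword list and the sample markup are my own assumptions, not anything taken from the sites mentioned.

```python
from html.parser import HTMLParser
import re

# Inline styles that hide text from readers while crawlers still index it.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|"
                    r"text-indent\s*:\s*-\d{3,}|(?:left|top)\s*:\s*-\d{3,}px", re.I)
SPAM = re.compile(r"viagra|cialis|pharmac|tramadol", re.I)  # extend as needed
VOID = {"br", "img", "hr", "meta", "link", "input"}  # tags with no end tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []                   # per open element: True if it hides
        self.href, self.text = None, []   # <a> currently being read
        self.findings = []                # (href, anchor text, reasons)

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        self.stack.append(bool(HIDDEN.search(a.get("style") or "")))
        if tag == "a":
            self.href, self.text = a.get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self.href is not None:
            text = "".join(self.text).strip()
            why = ["hidden-by-css"] if any(self.stack) else []
            if SPAM.search(text + " " + self.href):
                why.append("spam-keyword")
            if why:
                self.findings.append((self.href, text, ",".join(why)))
            self.href = None
        if self.stack:                    # tolerate stray closing tags
            self.stack.pop()

def find_hidden_links(html):
    """Return (href, text, reasons) for each suspicious link in html."""
    p = HiddenLinkFinder()
    p.feed(html)
    return p.findings

# Constructed sample resembling an injected footer; not a real site's markup.
SAMPLE = ('<p>New podcast <a href="/2007/09/12/part-one/">here</a></p>'
          '<div style="display:none"><a href="http://example.invalid/buy">'
          'cheap viagra</a> <a href="http://example.invalid/m">meds</a></div>')
```

Feed it the HTML of a page you suspect (for example, the response body fetched with urllib) and review every finding by hand; a hidden element is not always spam, but a hidden element full of outbound links almost always is.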

Comments

  1. Jonnainty

    Great site this seogadget.co.uk and I am really pleased to see you have what I am actually looking for here and this post is exactly what I am interested in. I shall be pleased to become a regular visitor :)

  2. Dan Nedelko

    Hi Richard,

    Thanks for the reference to my post on cleaning up an injected WordPress. I’m putting together a HOW-TO guide to locking down and creating automated backups for a WP installation. Should be done in the next day or so.

    Great post by the way!