
How to Find a Hacked WordPress Plugin

March 23rd, 2011 by Eric Giguere

When your WordPress blog suddenly starts displaying ads for various pharmaceuticals, chances are good that the site’s been hacked. A quick check using the “View Source” option on your favorite browser will probably reveal that a large list of links to dubious sites has been inserted somewhere into the HTML generated by WordPress, probably wrapped in a <div> tag that shifts it off the displayable area of the screen. This lets Google and other search engines see the links but ensures that the viewers of the site don’t — this kind of hacking is done specifically to get some link juice flowing to those dubious sites.

If you have a pre-hack backup of your system, the easiest fix is to revert to that backup. But that’s not always an option. At that point you’ll need to start going through the PHP files that run your WordPress blog, looking for hacked files. (If you’re not a techie, this is the time to engage the help of one of your techie friends.)

Check the Theme

Start by looking at the files included with your current WordPress theme. The footer.php file is a favorite target, for example, as is sidebar.php. You can quickly look through these files directly from the WordPress dashboard using the Editor option under Appearance.

Not There? Check the Plugins

If you can’t find anything in the theme, it’s probably a problem with a plugin. WordPress has a nice extension mechanism that lets plugins add content directly to the generated HTML. Chances are good that one of your plugins has been hacked and is injecting its links via one of these “hooks”.

Grab a copy of the wp-includes/plugin.php file from your site and stash it somewhere safe as a backup. Then make a second copy. Now open that copy with your favorite text editor and look for a PHP function called add_action that looks like this:

function add_action($tag, $function_to_add, $priority = 10, $accepted_args = 1) {
	return add_filter($tag, $function_to_add, $priority, $accepted_args);
}

Insert three lines so it looks like this:

function add_action($tag, $function_to_add, $priority = 10, $accepted_args = 1) {
      echo "<!-- add_action\nAdding $function_to_add\n"; // open an HTML comment so the dump stays hidden in the rendered page
      debug_print_backtrace();                              // print who called add_action(), frame by frame
      echo "-->\n\n";                                       // close the comment
      return add_filter($tag, $function_to_add, $priority, $accepted_args);
}

(If a plugin registers a class method, $function_to_add is an array and PHP prints it as “Array” with a notice; the backtrace still tells you which file made the call.)

Save the changes and upload the modified file to your blog, overwriting the existing plugin.php. Now reload one of the pages in your browser and view the page source. You’ll see a bunch of HTML comments inserted into the generated HTML, like so:

<!-- add_action
Adding akismet_cron_recheck
#0  add_action(akismet_schedule_cron_recheck, akismet_cron_recheck) called at [/home/memwg/public_html/wp-content/plugins/akismet/akismet.php:495]
#1  include_once(/home/memwg/public_html/wp-content/plugins/akismet/akismet.php) called at [/home/memwg/public_html/wp-settings.php:190]
#2  require_once(/home/memwg/public_html/wp-settings.php) called at [/home/memwg/public_html/wp-config.php:77]
#3  require_once(/home/memwg/public_html/wp-config.php) called at [/home/memwg/public_html/wp-load.php:30]
#4  require_once(/home/memwg/public_html/wp-load.php) called at [/home/memwg/public_html/wp-blog-header.php:12]
#5  require(/home/memwg/public_html/wp-blog-header.php) called at [/home/memwg/public_html/index.php:17]
-->

This shows you exactly who is adding a specific hook into the system. The example above shows the Akismet plugin adding a hook. It’s probably OK. There are a lot of hooks that get added, so it may take a while to find the offending plugin. You’re looking for something suspicious like this:

<!-- add_action
Adding echo_links
#0  add_action(wp_footer, echo_links) called at [/home/memwg/public_html/wp-content/plugins/duplicate-content-cure/duplicate-content-cure.php(79) : runtime-created function:402]
#1  __lambda_func() called at [/home/memwg/public_html/wp-content/plugins/duplicate-content-cure/duplicate-content-cure.php:80]
#2  include_once(/home/memwg/public_html/wp-content/plugins/duplicate-content-cure/duplicate-content-cure.php) called at [/home/memwg/public_html/wp-settings.php:190]
#3  require_once(/home/memwg/public_html/wp-settings.php) called at [/home/memwg/public_html/wp-config.php:77]
#4  require_once(/home/memwg/public_html/wp-config.php) called at [/home/memwg/public_html/wp-load.php:30]
#5  require_once(/home/memwg/public_html/wp-load.php) called at [/home/memwg/public_html/wp-blog-header.php:12]
#6  require(/home/memwg/public_html/wp-blog-header.php) called at [/home/memwg/public_html/index.php:17]
-->

What’s suspicious about this? First of all, the name of the hook is “echo_links”. Second, it’s coming from the Duplicate Content Cure plugin. Third, it’s a “runtime-created function”, which is definitely unusual. So it’s worth a look.

Luckily, the backtrace dump above — the list of all files and functions that were called by PHP in order to add the hook — points me to the file duplicate-content-cure.php on line 80.

To quickly confirm that this is the culprit, restore plugin.php to its original state (upload the copy you stashed away somewhere safe), disable the plugin in question from the WordPress dashboard, and check whether the offending content disappears from your site.
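Wading through dozens of these comments by hand is tedious. The following Python script is an added example, not code from the original post: it pulls every add_action dump out of a saved copy of the page source, maps each callback to the plugin directory that registered it, and lists the indicators discussed above (runtime-created function, a hook into page output, and, as an extra heuristic, a callback name that does not carry the plugin’s prefix). The sample page source and its paths are constructed.

```python
import re

# Constructed sample page source: two dumps in the format the instrumented
# add_action() emits, one benign (Akismet) and one suspicious. Paths are made up.
SAMPLE_HTML = """<html><body>
<!-- add_action
Adding akismet_cron_recheck
#0  add_action(akismet_schedule_cron_recheck, akismet_cron_recheck) called at [/srv/www/wp-content/plugins/akismet/akismet.php:495]
#1  include_once(/srv/www/wp-content/plugins/akismet/akismet.php) called at [/srv/www/wp-settings.php:190]
-->
<!-- add_action
Adding echo_links
#0  add_action(wp_footer, echo_links) called at [/srv/www/wp-content/plugins/duplicate-content-cure/duplicate-content-cure.php(79) : runtime-created function:402]
#1  __lambda_func() called at [/srv/www/wp-content/plugins/duplicate-content-cure/duplicate-content-cure.php:80]
-->
</body></html>"""
DUMP_RE = re.compile(r"<!-- add_action\n(.*?)-->", re.S)
FRAME0_RE = re.compile(r"#0\s+add_action\(([^,]+),\s*([^)]+)\) called at \[(.*?)\]")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")
# Hooks that write straight into the generated page, where injected links land.
OUTPUT_HOOKS = {"wp_footer", "wp_head", "the_content", "wp_print_footer_scripts"}

def parse_dumps(html):
    """Return one record per add_action dump found in the page source."""
    records = []
    for body in DUMP_RE.findall(html):
        m = FRAME0_RE.search(body)
        if not m:
            continue  # class-method or closure callbacks print differently; skip them
        tag, callback, location = m.groups()
        pm = PLUGIN_RE.search(location)
        records.append({"tag": tag, "callback": callback, "location": location,
                        "plugin": pm.group(1) if pm else None, "raw": body})
    return records

def suspicion_reasons(rec):
    """The indicators the post calls out, plus one naming heuristic."""
    reasons = []
    if "runtime-created function" in rec["raw"] or "__lambda_func" in rec["raw"]:
        reasons.append("callback created at runtime")
    if rec["tag"] in OUTPUT_HOOKS:
        reasons.append("hooks page output via " + rec["tag"])
    # Heuristic: plugin authors usually prefix their callbacks with the plugin slug.
    if rec["plugin"] and not rec["callback"].startswith(rec["plugin"].split("-")[0]):
        reasons.append("callback name does not carry the plugin prefix")
    return reasons

def triage(html):
    """Map each callback to (plugin, reasons); an empty reasons list means nothing flagged."""
    return {r["callback"]: (r["plugin"], suspicion_reasons(r)) for r in parse_dumps(html)}
```

Run triage() over the full saved source and start with the callbacks that collect the most reasons; a registration with an empty list is one fewer plugin to inspect by hand.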

Secure Your Site

Once you’ve found the bad plugin, delete it from your site. You may want to install a replacement version of the plugin or find an alternative plugin with similar functionality. Only install plugins (and themes) from sites you trust.

After cleaning your site, be sure to harden your WordPress installation in order to prevent this kind of hacking from occurring in the future.

7 comments

  1. Jan Smith says:

    Hi Eric,
    Another great post but it all seems so hard for a non-techie person. Many of us work alone and in solitude so when this happens, where is the best place (that you would recommend) to find a techie-friend to remove the hack please?

  2. Mike says:

    Hi Eric,

    Nice post!

    I had one of my sites hacked once and I’ll tell you that it isn’t something you want to see when you bring it up. That was real noticeable because it was blatant and you could see that it was hacked.

    But there are the hacks that you can’t see that is bothersome because you really don’t know they’re there until you have some reason to investigate a problem.

    Thanks for this post. I will bookmark this one for sure.

    Mike

  3. Eric Giguere says:

    @Jan:

    Just look around in your circle of friends. Or, better yet, start learning how to do these things yourself. It’s not that hard, really!

  4. Spanie says:

    Hello Eric,

    I was wondering could you recommend some wp plugins which will help us all to prevent our blogs from being hacked? There are many people who don’t know php at all and it’s really difficult for them to backup their sites.

    Cheers.

  5. I’m seeing this more and more with not just WordPress sites. Even when I check the sites, it’s getting more and more difficult to find the source and the hacks are getting more difficult to remove.

    I’ve checked the access logs of some of the affected sites and there is no sign of any access reported. All plug-ins are updated, server is secured and changing passwords seems to secure things temporarily, but they keep popping up.

    It’s just frustrating.

  6. There are also plugins that can perform a vulnerability search for you. These will save you quite some time.

    Most of the time, you’ll see the malicious code hidden in the theme files, as the rest will not persist after a reinstall.

  7. Brian Maher says:

    Google will not be too sympathetic to companies who do not secure their website – get blacklisted and pay the price
