I recently published an article called “How to Check and Remove Malware from an Infected Website” that was intended to help self-hosted WordPress blogs with this ongoing issue. Hackers are getting clever when it comes to advertising, but not in an ethical way. They’re injecting spam links into WordPress blogs in an attempt to get those links indexed by Google and other search engines.
The bad news: your blog could be penalized or excluded from Google’s index if you do not address this issue immediately.
How are hackers getting access to my blog?
In most cases, a hacker uses a brute-force password-guessing program to gain access to your FTP (File Transfer Protocol) account or your WordPress admin page. Once they have access, they add code to the WordPress core installation files, usually the index.php file. The core installation files are not the theme files, but the files WordPress itself is installed from.
How to check for spam links in WordPress
If you’re using Firefox, go to View/Page Source. Look for links you did not add that point to unrelated sites, usually about drugs, gambling, porn, etc. Injected links are usually placed just after the opening <body> tag and/or just before the closing </body> tag of the main index page.
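The manual View/Page Source check above (and the re-check after you re-upload the core files) can be automated. The following is an added example, not code from the original post: it parses a page, lists every link, skips same-site and allow-listed hosts, and flags off-site links together with their line number and whether they are hidden with display:none. The sample HTML, the site host myblog.example and the allow list are constructed for the demonstration.

```python
"""Flag off-site links injected into a WordPress page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two injected spam links, one of them hidden,
# plus a normal relative link and a legitimate link to wordpress.org.
SAMPLE_HTML = """<html><head><title>My Blog</title></head>
<body><a href="http://cheap-pills.example/">buy pills</a>
<div id="content"><p>Hello <a href="/about/">about me</a>
<a href="https://wordpress.org/">WordPress</a></p></div>
<a href="http://casino-spam.example/" style="display:none">casino</a></body></html>"""


class LinkCollector(HTMLParser):
    """Collect href, anchor text, line number and hidden flag of every <a>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            style = (attrs.get("style") or "").replace(" ", "").lower()
            self._current = {
                "href": attrs["href"],
                "text": "",
                "hidden": "display:none" in style,
                "line": self.getpos()[0],  # 1-based line in the source
            }

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def scan_html(html, site_host, allowed_hosts=()):
    """Return the links that point off-site and are not on the allow list."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname
        # Relative links (no host) and links to our own site are fine.
        if host is None or host == site_host or host.endswith("." + site_host):
            continue
        if host in allowed_hosts:
            continue
        flagged.append({
            "href": link["href"],
            "text": link["text"].strip(),
            "line": link["line"],
            "hidden": link["hidden"],
        })
    return flagged


if __name__ == "__main__":
    # Run against the constructed sample; in practice read the saved page source.
    for hit in scan_html(SAMPLE_HTML, "myblog.example", allowed_hosts=("wordpress.org",)):
        print(f"line {hit['line']}: {hit['href']} ({hit['text']!r})"
              + (" [hidden]" if hit["hidden"] else ""))
```

Links reported with a low line number (right after <body>) or the highest line number (right before </body>) are the ones the post describes; a hidden off-site link is almost never something you added yourself.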
How to Remove Spam Links
If you have a self-hosted WordPress blog, upload a fresh copy of the core installation files, which will overwrite the existing files on your server. After the new files have been uploaded, check the source code of your index page again to confirm the malicious links are gone. If you’re using Firefox, go to View/Page Source.
You should also do the following:
- Change your WordPress admin password (Use no less than 8 characters with at least one number, one uppercase character and a special character)
- Change your FTP password
- Check your .htaccess file(s) for any malicious content and set the file permissions (chmod) to read-only
- Protect the ‘wp-config.php’ file and ‘wp-admin/install.php’ file by adding this to your .htaccess file:

    # PROTECT install.php
    <files install.php>
    Order Allow,Deny
    Deny from all
    Satisfy all
    </files>
    # protect wp-config.php
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>

- Download and install the Login LockDown plug-in
Login LockDown is a WordPress login-security plug-in. It records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password guessing.
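To show how that rule behaves, here is an added example that is not the plug-in's own code: it records each failed login's IP and timestamp, counts failures per IP range inside a sliding window, and locks the whole range for a while once the threshold is reached. The threshold, window, lockout length and the choice of a /24 as the "IP range" are assumptions, and the list of login attempts is constructed for the demonstration.

```python
"""Login LockDown-style brute-force throttling (added example, not the plug-in)."""
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3   # assumed: lock on the third failure inside the window
WINDOW = 300       # assumed: seconds over which failures are counted
LOCKOUT = 3600     # assumed: seconds the range stays locked
RANGE_PREFIX = 24  # assumed: treat one IPv4 /24 as one attacker


def ip_range(ip):
    """Map an address to the network block that is throttled as a unit."""
    addr = ipaddress.ip_address(ip)
    prefix = RANGE_PREFIX if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lock expires

    def is_locked(self, ip, now):
        """True if the caller's range is currently locked (expired locks are cleared)."""
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed attempt; return True if it pushed the range over the limit."""
        rng = ip_range(ip)
        q = self.failures[rng]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            q.clear()
            return True
        return False


# Constructed attempts: (unix time, client IP, were the credentials correct?)
SAMPLE_ATTEMPTS = [
    (1000, "203.0.113.5", False),
    (1010, "203.0.113.6", False),   # same /24 as the first attempt
    (1020, "203.0.113.7", False),   # third failure from the range -> locked
    (1030, "203.0.113.9", True),    # right password, but the range is locked
    (1040, "198.51.100.4", False),  # unrelated range, just a single failure
    (4630, "203.0.113.5", True),    # lock has expired, login allowed again
]


def process_attempts(lockdown, attempts):
    """Replay attempts in order; return (ip, decision) for each one."""
    decisions = []
    for now, ip, creds_ok in attempts:
        if lockdown.is_locked(ip, now):
            decisions.append((ip, "blocked"))
            continue
        if creds_ok:
            decisions.append((ip, "allowed"))
        else:
            locked = lockdown.record_failure(ip, now)
            decisions.append((ip, "locked_range" if locked else "failed"))
    return decisions


if __name__ == "__main__":
    for ip, decision in process_attempts(LoginLockdown(), SAMPLE_ATTEMPTS):
        print(f"{ip:15} {decision}")
```

Note that the block throttles by range rather than by single address, which is what stops a brute-forcer that rotates through neighbouring addresses; the cost is that a legitimate user on the same block is also locked out until the timer expires, which is why the lockout is time-limited rather than permanent.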
Have a question? Post a comment.
Actually, that’s a good question … what should the chmod permissions be on .htaccess?
Before, you had to set it to chmod 777 and then do the permalink update, and WP changed the permissions. Does it still do that? I know I have added text/commands/etc. to my .htaccess files at times, then gone in and done a permalink upgrade … Does that set it right again?
Hart,
Set chmod to 644 for your .htaccess file.
If hackers use some cloaking methods, can we see those links in the page source?
When I had this kind of problem I used a Firefox plugin: User Agent Switcher. With this we can see a webpage as Googlebot.
User Agent is a great plugin. You should also try Firebug as well.
Thx for tip. I’ll give it a try :)
Thanks for the post. It just teaches us that we shouldn’t be complacent about our blogs. I like to ensure that my blogs are backed-up regularly so that if anything happens at least I can get the site back up and running again.
Paula,
You are right! Blog owners with self-hosted WordPress blogs need to keep a watchful eye on their files.