I recently published an article called “How to Check and Remove Malware from an Infected Website” that was intended to help self-hosted WordPress blogs with this ongoing issue. Hackers have found a form of advertising that is anything but ethical: they inject spam links into WordPress blogs in an attempt to get those links indexed by Google and other search engines.

The bad news: your blog could be penalized or dropped from Google’s index if you do not address this issue promptly.

How are hackers getting access to my blog?

In most cases the attacker uses a brute-force password guessing tool to gain access to your FTP (File Transfer Protocol) account or your WordPress admin login. Once in, they add code to the WordPress core installation files, usually index.php in the web root. The core installation files are not your theme files; they are the files that ship with WordPress itself (index.php and the other PHP files in the web root, plus the wp-admin and wp-includes directories).

How to check for spam links in WordPress

If you’re using Firefox, go to View / Page Source. Look for links you did not add that point to unrelated sites, typically about drugs, gambling, porn and the like. Injected links are usually placed right after the opening <body> tag and/or just before the closing </body> tag of the main index page, and they are often hidden from visitors with CSS so that only search engine crawlers see them.
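Reading the page source by hand works for one page; the following script automates the same check. It is an added example, not code from the original article, and it assumes a made-up front page (SAMPLE_HTML, constructed here) and a made-up site host name. It goes slightly beyond the text: besides spam keywords in the link text, it also flags any external link sitting inside an element hidden with CSS (display:none or visibility:hidden), which is how injected links are usually kept out of sight.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a WordPress front page with a hidden block of spam links
# injected just before </body>. This is made-up test data, not a real capture.
SAMPLE_HTML = """<html><head><title>My Blog</title></head>
<body>
<a href="/">Home</a> <a href="/about/">About</a>
<p>Welcome to my blog. See <a href="https://wordpress.org/">WordPress</a>.</p>
<div style="display:none"><a href="http://example.net/cheap-pills">buy cheap pills</a>
<a href="http://example.org/casino">online casino</a></div>
</body></html>"""

# Anchor-text words typical of injected SEO spam (assumed list, extend as needed).
SUSPICIOUS_WORDS = ("pills", "casino", "viagra", "poker", "porn", "loan", "pharmacy")

# Elements that never have a closing tag, so they must not affect the hidden-stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class LinkCollector(HTMLParser):
    """Collect every <a href> with its text and whether a CSS-hidden ancestor encloses it."""

    def __init__(self):
        super().__init__()
        self.links = []      # dicts with keys href, text, hidden
        self._hidden = []    # one bool per open element: True if it hides its content
        self._open_link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hides = "display:none" in style or "visibility:hidden" in style
        if tag not in VOID_TAGS:
            self._hidden.append(hides)
        if tag == "a" and a.get("href"):
            self._open_link = {"href": a["href"], "text": "", "hidden": any(self._hidden)}

    def handle_endtag(self, tag):
        if tag == "a" and self._open_link:
            self.links.append(self._open_link)
            self._open_link = None
        if tag not in VOID_TAGS and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if self._open_link:
            self._open_link["text"] += data


def find_spam_links(html, site_host):
    """Return links that look injected: external to site_host and either hidden
    with CSS or carrying spam keywords in the anchor text."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for link in parser.links:
        host = urlparse(link["href"]).netloc.lower()
        external = bool(host) and host != site_host.lower()
        spammy_text = any(w in link["text"].lower() for w in SUSPICIOUS_WORDS)
        if external and (link["hidden"] or spammy_text):
            flagged.append(link)
    return flagged


if __name__ == "__main__":
    # Run against the constructed sample; pass a saved page source in practice.
    for link in find_spam_links(SAMPLE_HTML, "myblog.example"):
        print("suspect link:", link["href"], "hidden" if link["hidden"] else "", repr(link["text"]))
```

Save the page source from Firefox to a file and feed its contents to find_spam_links with your own host name; a legitimate external link such as the wordpress.org one in the sample is not reported because it is neither hidden nor spam-worded.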

How to Remove Spam Links

If you have a self-hosted WordPress blog, download a fresh copy of WordPress in the same version you are running and upload its core installation files over the ones on your server. Leave wp-config.php and the wp-content directory alone; they hold your settings, themes, plugins and uploads. Overwriting replaces any core file the attacker modified, but it does not delete files the attacker added, so also look for files in the web root, wp-admin and wp-includes that are not part of the clean download. After the upload, check the source of your index page again (in Firefox, View / Page Source) and confirm the malicious links are gone.
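Rather than trusting that the upload caught everything, you can compare the live tree against the clean download file by file. The script below is an added example, not part of the original article: it hashes both trees, skips wp-config.php, .htaccess and wp-content (which legitimately differ from a clean download), and reports modified, added and missing core files. The demo function builds two small constructed trees in a temporary directory, including an invented added file name (wp-includes/wp-tmp.php), so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific files and directories that are expected to differ from a clean download.
CORE_EXCLUDE_FILES = {"wp-config.php", ".htaccess"}
CORE_EXCLUDE_DIRS = {"wp-content"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 for every core file under root."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in CORE_EXCLUDE_DIRS or rel.name in CORE_EXCLUDE_FILES:
            continue
        hashes[rel.as_posix()] = sha256_of(path)
    return hashes


def compare_trees(clean_root, live_root):
    """Report core files that differ from the clean copy, were added, or are missing."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    return {
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Constructed clean and live trees: live index.php carries an injected line and
    an extra file was dropped into wp-includes. Returns compare_trees()'s report."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "clean", tmp / "live"
    index = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
    version = "<?php\n$wp_version = 'x.y.z';\n"  # placeholder version string, constructed
    _write(clean, "index.php", index)
    _write(clean, "wp-includes/version.php", version)
    # Live copy: same version.php, tampered index.php, one added file, site-specific extras.
    _write(live, "index.php", index + "<?php eval(base64_decode('...')); ?>\n")
    _write(live, "wp-includes/version.php", version)
    _write(live, "wp-includes/wp-tmp.php", "<?php /* constructed: file not in clean core */\n")
    _write(live, "wp-config.php", "<?php define('DB_NAME', 'blog');\n")
    _write(live, "wp-content/themes/mytheme/footer.php", "</body></html>\n")
    return compare_trees(clean, live)


if __name__ == "__main__":
    # In practice: compare_trees('/path/to/clean/wordpress', '/var/www/html')
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Anything in the modified list was changed on the server and should be overwritten; anything in the added list is not part of WordPress and should be reviewed and removed. The wp-config.php and theme file in the live tree are deliberately not reported.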

You should also do the following:

  • Change your WordPress admin password. Use a unique passphrase of no fewer than 8 characters with at least one number, one uppercase letter and one special character; longer is better, and do not reuse it anywhere else.
  • Change your FTP password
  • Check your .htaccess file(s) for content you did not add and set the file permission to read-only (chmod 444). This only slows down automated scripts: anyone who still holds your FTP password can change it back, which is why the password changes come first.
  • Protect the ‘wp-config.php’ file and the ‘wp-admin/install.php’ file by adding the following to your .htaccess file. The <files> directive matches on file name only (not path), so install.php is named without its directory. This is the Apache 2.2 Order/Deny syntax; on Apache 2.4 without mod_access_compat, replace the Order and Deny lines with “Require all denied”.

    # PROTECT install.php
    <files install.php>
    Order Allow,Deny
    Deny from all
    Satisfy all
    </files>

    # protect wp-config.php
    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>

  • Download and install the Login LockDown plug-in.

Login LockDown is a WordPress login security plug-in. It records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of failures are detected within a short period from the same IP range, the login function is disabled for all requests from that range for a while. This blunts brute-force password guessing, since the attacker gets only a handful of tries per range before being shut out.
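To make the lockout behaviour concrete, here is a small implementation of the same idea. It is an added example written for this article, not the plug-in’s own code, and it assumes values the text leaves open: the “IP range” is the /24 containing the client address, three failures within five minutes trigger a one-hour lock, and the current time is passed in explicitly so the logic can be replayed offline against a constructed sequence of login attempts.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLockout:
    """Record failed logins per IP range and disable login for that range after
    too many failures in a short window. Thresholds are assumed defaults."""

    def __init__(self, max_failures=3, window_seconds=300,
                 lockout_seconds=3600, prefix_len=24):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.prefix_len = prefix_len
        self._failures = defaultdict(deque)   # range -> timestamps of recent failures
        self._locked_until = {}               # range -> time the lock expires
        self.log = []                         # (timestamp, ip) of every failure

    def _range(self, ip):
        # Collapse the address to its enclosing /prefix_len network, e.g. 10.0.0.5 -> 10.0.0.0/24
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def is_locked(self, ip, now):
        r = self._range(ip)
        until = self._locked_until.get(r)
        if until is None:
            return False
        if now >= until:                      # lock expired, forget it
            del self._locked_until[r]
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed attempt; return True if this one triggers a range lockout."""
        r = self._range(ip)
        self.log.append((now, ip))
        q = self._failures[r]
        q.append(now)
        while q and now - q[0] > self.window_seconds:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[r] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def attempt(self, ip, now, password_ok):
        """Outcome of one login attempt: blocked, ok, locked (this failure tripped it) or fail."""
        if self.is_locked(ip, now):
            return "blocked"                  # login disabled for the whole range
        if password_ok:
            return "ok"
        return "locked" if self.record_failure(ip, now) else "fail"


# Constructed sequence of attempts: (unix time, client IP, password correct?).
# Three hosts in 10.0.0.0/24 guess in turn; a host elsewhere and a later real login follow.
SAMPLE_ATTEMPTS = [
    (0,    "10.0.0.5",    False),
    (30,   "10.0.0.5",    False),
    (60,   "10.0.0.6",    False),   # third failure from the /24 within 5 minutes
    (90,   "10.0.0.7",    True),    # correct password, but the range is now locked
    (100,  "192.168.1.9", False),   # different range, unaffected
    (3700, "10.0.0.5",    True),    # lock has expired, legitimate login succeeds
]


def simulate(attempts=SAMPLE_ATTEMPTS):
    """Replay the attempts through one LoginLockout and return the outcome per attempt."""
    guard = LoginLockout()
    return [guard.attempt(ip, ts, ok) for ts, ip, ok in attempts]


if __name__ == "__main__":
    for (ts, ip, ok), outcome in zip(SAMPLE_ATTEMPTS, simulate()):
        print(f"t={ts:5d} {ip:12s} correct={ok!s:5s} -> {outcome}")
```

Note that the lock is keyed on the range, not the single address, so the fourth attempt is rejected even though its password is right; that is the trade-off the plug-in makes to stop attackers who rotate through addresses in one block.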

Have a question? Post a comment.