The WordPress SEO hack

How does it work?

What happens is that a malicious script is uploaded to your web server and is included somewhere in a WordPress header file. When someone clicks a search result for your site in a search engine, the malicious script detects that the referrer is a search engine and 301-redirects the user to a destination of the attacker's choosing. The 301 redirect tells Google that the URL has changed, and Google automatically replaces the old URL with the new one in its index.

How can I test if I’m compromised?

You can run this query in Google: site:example.com [keyword]. The keyword is optional, but if your site has a lot of indexed pages, it might be difficult to scroll through all the results looking for suspicious URLs. You can just run through the usual list of “viagra”, “penis enlargement”, etc. to test if Google indexed

How do I fix it?

Look for any suspicious files in your web server public root. I was lucky enough to immediately spot a file called “wp-cofnig.php”.

The contents of this file looked like this:

[Screenshot: contents of wp-cofnig.php]

What I can suggest is that you run this command on your web server:

$ grep -irl "eval(" /path/to/your/wordpress/install/

This will search through all the WordPress files for “eval(”. Chances are that you could get a couple of legitimate results, but you’ll be able to spot the ones that should not be there if you have some experience.
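An added example (not from the original post) that goes a step beyond the grep above: it lists PHP files containing eval( and also flags file names that closely imitate a core WordPress file, as wp-cofnig.php does. The CORE_NAMES list, the 0.85 similarity cutoff and the PHP-extension filter are assumptions of this example.

```python
import difflib
import os
import re

# Assumption: a short reference list of real WordPress root-level file names.
CORE_NAMES = ["wp-config.php", "wp-login.php", "wp-settings.php", "wp-load.php",
              "wp-cron.php", "wp-blog-header.php", "index.php", "xmlrpc.php"]
PHP_EXTS = (".php", ".phtml", ".inc")   # assumption: only PHP-like files are read
EVAL_RE = re.compile(rb"\beval\s*\(", re.IGNORECASE)


def lookalike_of(name):
    """Return the core file name that `name` closely imitates, or None."""
    lower = name.lower()
    if lower in CORE_NAMES:
        return None
    close = difflib.get_close_matches(lower, CORE_NAMES, n=1, cutoff=0.85)
    return close[0] if close else None


def scan(root):
    """Return sorted (relative_path, reasons) pairs for files worth reviewing."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            reasons = []
            target = lookalike_of(fname)
            if target:
                reasons.append("name imitates " + target)
            try:
                with open(path, "rb") as fh:
                    hits = len(EVAL_RE.findall(fh.read()))
            except OSError:
                hits = 0
                reasons.append("unreadable")
            if hits:
                reasons.append("eval( x%d" % hits)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, why in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel + ": " + "; ".join(why))
```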

Once you have removed the malicious script, a user who clicks on the fake URL in the search results should no longer be redirected away from your site; they will instead land on your site, and your 404 error page should be displayed.

How do I remove those fake links?

There are a few ways you can do this:

  • I received this comment via e-mail from David Stevens:
    Good, concise post. Pharma Hacks exist for all CMS platforms and HTML.
    There are many variations even within those written for WordPress. Yours
    is a very common version. They are not all written by the same
    programmer or installed by the same criminal gang. In addition to the
    redirect or frame the hack will have a back door and a fake web page
    generator that creates spammy web pages that are often only seen by
    googlebots. If these spammy pages are left the googlebots will see them
    and keep listing the pages. They also have another purpose. They contain
    links to URLs on other hacked sites. Other hacked sites will also have
    URLs to the fake pages on your site. This helps elevate the page ranking
    of the URLs that redirect. Many webmasters miss removing these. When
    they are left in place the site still has black hat SEO value to the
    hackers even after the redirect is removed. Over time they will drag
    down the ranking of the site’s legitimate URLs.