WordPress Pharma Hack and Updates

Hacks Honey Lemon Flavour

WordPress is a fantastic platform, with an excellent plugin mechanism and the most usable admin interface I have seen. I know and have used several others including Joomla, Zope, Drupal, and old stuff you may not have heard of. The problem with being popular though is that you are likely to be a victim of more attacks.

There’s a strange pharmaceutical spam attack out there, and it got me too. I first found out about it when Google emailed me with a possible hacking notice. Links like /valium-high were appearing in the Google results for this site, yet when I tried the links they were giving me a 404 (page does not exist) result. The sneaky thing is that the hack is cloaked: the link /valium-high did in fact work, but only if accessed via a search engine spider (or search bot / Googlebot). So Google sees a strange page selling valium, whereas regular visitors see a boring “page not found”. Spammers use these techniques to help their own strange pages rank in Google.

Using “Fetch as Googlebot” in Google webmaster tools allowed me to confirm the cloaking issue. To clean the hack, and simulate a search crawler without resorting to publishing tests live to my domain, I used my own server and tested using a search engine crawler simulator on a custom subdomain.
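A scripted version of the same comparison, as an added example that is not the author's code: it requests a URL once with a browser User-Agent and once with a Googlebot User-Agent, then flags a difference in HTTP status or spam keywords that only the crawler sees. The User-Agent strings and the keyword list are constructed assumptions.

```python
"""Compare what a URL serves to a browser vs. a search-engine crawler User-Agent."""
import sys
import urllib.error
import urllib.request

# Constructed User-Agent strings and keyword list (assumptions, not from the post).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SPAM_WORDS = ("valium", "viagra", "cialis", "pharmacy")


def fetch(url, user_agent, timeout=10):
    """Return (status, body) for url; HTTP errors such as 404 are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_cloaking(url, fetcher=fetch):
    """Fetch url as browser and as crawler; report differences that suggest cloaking."""
    b_status, b_body = fetcher(url, BROWSER_UA)
    c_status, c_body = fetcher(url, CRAWLER_UA)
    # Keywords present for the crawler but absent for the browser are the telltale sign.
    crawler_only = [w for w in SPAM_WORDS
                    if w in c_body.lower() and w not in b_body.lower()]
    return {
        "browser_status": b_status,
        "crawler_status": c_status,
        "crawler_only_words": crawler_only,
        "cloaked": b_status != c_status or bool(crawler_only),
    }


if __name__ == "__main__":
    # Usage: python check_cloaking.py https://your-own-site.example/valium-high
    for target in sys.argv[1:]:
        print(target, check_cloaking(target))
```

Cloaking can also key on the requester's IP address rather than the User-Agent, so a clean result from this script does not rule it out; a fetch that really originates from the search engine, such as “Fetch as Googlebot”, covers that case.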

After a lot of searching, including various scripts like lookforbadguys and advice on checking the database I still couldn’t find the bad code. I gave up forensics and just reinstalled a clean version of WordPress (often the best recourse if you can’t find the hack quickly). It then took me a while to get a few other files I needed (my theme, images, custom scripts) from the old install and make sure they were working correctly.

Since I was making updates, I finally brought this WordPress site up to date with a few changes to CSS to take full advantage of screen real estate. This humble template was less than 800 pixels wide. I am now using a 960 pixel grid which is a de facto standard on the web given larger screen resolutions. I hope you find it a little easier to read.

6 Responses to “WordPress Pharma Hack and Updates”

  1. Ronan Says:

    The 960px width may not remain a standard for very long, especially with the growth of tablets & smartphones…

    Media queries & fluid design, that’s the way to go imo :-)

  2. fruey Says:

    Hello Ronan

    I had a mobile theme for the site which I’ve switched off right now. Responsive design is the way forward – certainly for blogs – but that’s another task for another day. Just observe how long it took me to get to 960px :).

    -Fruey

  3. Jean-Pierre Welch Says:

    Thanks Simon. The lookforbadguys script helped me a lot for a site I’m supporting. There were a lot of false positives, but luckily, I was able to pick up where the bug was hiding.

  4. fruey Says:

    Hello Jean-Pierre

    I wrote the article to summarise some of the stuff I did while investigating the hack, great if it has helped someone else!

    -Simon

  5. Bulk SMS Says:

    I find it easy to read, but if hacked, what steps are we to take? Thanks.

  6. card deal jakarta Says:

    Excellent article. I’m experiencing some of these issues as well..
