WordPress Pharma Hack and Updates

Hacks Honey Lemon Flavour

WordPress is a fantastic platform, with an excellent plugin mechanism and the most usable admin interface I have seen. I know and have used several others including Joomla, Zope, Drupal, and old stuff you may not have heard of. The problem with being popular though is that you are likely to be a victim of more attacks. There’s a strange pharmaceutical spam attack out there, and it got me too. I first found out about it when Google emailed my with a possible hacking notice. Links like /valium-high were appearing in the Google results for this site, yet when I tried the links they were giving me a 404 (page does not exist) result. The sneaky thing is that the hack is cloaked, the link /valium-high did in fact work but only if accessed via a search engine spider (or search bot / Googlebot). So Google sees a strange page selling valium, whereas regular visitors see a boring “page not found”. Spammers use these techniques to help their own strange pages rank in Google.

Using “Fetch as Googlebot” in Google webmaster tools allowed me to confirm the cloaking issue. To clean the hack, and simulate a search crawler without resorting to publishing tests live to my domain, I used my own server and tested using a search engine crawler simulator on a custom subdomain.

After a lot of searching, including various scripts like lookforbadguys and advice on checking the database I still couldn’t find the bad code. I gave up forensics and just reinstalled a clean version of WordPress (often the best recourse if you can’t find the hack quickly). It then took me a while to get a few other files I needed (my theme, images, custom scripts) from the old install and make sure they were working correctly.

Since I was making updates, I finally brought this WordPress site up to date with a few changes to CSS to take full advantage of screen real estate. This humble template was less than 800 pixels wide. I am now using a 960 pixel grid which is a de facto standard on the web given larger screen resolutions. I hope you find it a little easier to read.

8 Responses to “WordPress Pharma Hack and Updates”

  1. Ronan Says:

    La largeur de 960px risque de ne plus être un standard pour très longtemps, notamment avec le développement des tablettes & smartphones…

    Media queries & fluid design, that’s the way to go imo :-)

  2. fruey Says:

    Hello Ronan

    I had a mobile theme for the site which I’ve switched off right now. Responsive design is the way forward – certainly for blogs – but that’s another task for another day. Just observe how long it took me to get to 960px :).


  3. Jean-Pierre Welch Says:

    Thanks Simon. The lookforbadguys script helped me a lot for a site I’m supporting. There were a lot of false positives, but luckily, I was able to pickup where the bug was hiding.

  4. fruey Says:

    Hello Jean-Pierre

    I wrote the article to summarise some of the stuff I did while investigating the hack, great if it has helped someone else!


  5. S-Power :: The Finest Selection Selecting Phillips Senseo Coffee Machine - 문의게시판 Says:

    I’d like to find out more? I’d want to find out more details. http://s-power.com/board_stsf27/168289

  6. tsaida.com Says:

    Hello everyone, it’s my first go to see at this web page, and piece of writing is
    truly fruitful in support of me, keep up posting these articles or reviews. http://tsaida.com/userinfo.php?uid=212772

  7. vip126.cafe24.com Says:

    This is the perfect website for everyone who would
    like to find out about this topic. You understand a whole lot its almost tough to argue with you (not that
    I personally would want to…HaHa). You certainly put a fresh spin on a topic that has been written about for decades.
    Wonderful stuff, just excellent! http://vip126.cafe24.com/board_pDmO72/44878

  8. Apollosoyuz.NET - View Profile: IsraelK621 Says:

    Thanks for the good writeup. It actually was a amusement account it.

    Look advanced to more added agreeable from you!

    However, how could we keep in touch? https://apollosoyuz.net/member.php?u=411551

Leave a Reply