I just spent a while tracking down and removing some malicious code that was inserted into a WordPress site I manage. The site was hacked several weeks ago (through FTP, I think). I couldn't find any information about this through Google, so I'm documenting the problem and solution here.
After the site was first hacked and then (seemingly) restored, we started seeing a lot of online gambling junk in the search engine results for the site. I looked at the source code for the site and didn't see anything like that. But when the search engine results for the site continued to show spammy online gambling stuff, I looked into it more by checking out how the WordPress site was being served to search engines. (I did this by changing my browser's user-agent to "GoogleBot" -- google "how to change user agent in firefox" for directions.)
It turned out that the malicious code was injecting spam content into the version of the site that was being served to search engine robots like GoogleBot, but showing the normal, spam-free site to end users with normal browsers like Firefox. Yikes.
Finding the source of the issue took a while, but eventually I found a bunch of code appended to wp-config-sample.php that started with error_reporting(E_ALL); and then tested HTTP_USER_AGENT to find out whether the client was a search engine spider. If WordPress was serving content to a search engine, it would fetch a bunch of spam content (online casino junk) from a remote server and mix it into the post content.
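The user-agent cloaking described above can be checked for without editing browser settings by fetching a page twice, once as a normal browser and once as a crawler, and reporting what only the crawler copy contains. This is an added example written for this post, not code from the site or from WordPress; the user-agent strings, the spam.example link and the two sample pages are constructed for illustration.

```python
import re
import urllib.request
from html.parser import HTMLParser

# User-agent strings are constructed for this example; any crawler UA will do.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class _Extractor(HTMLParser):
    """Collect link targets and visible words from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links, self.words = set(), set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.update(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.words.update(re.findall(r"[a-z]{3,}", data.lower()))

def _extract(html):
    p = _Extractor()
    p.feed(html)
    return p.links, p.words

def cloaking_diff(browser_html, bot_html):
    """Links and words present only in the copy served to the crawler."""
    b_links, b_words = _extract(browser_html)
    c_links, c_words = _extract(bot_html)
    return {"extra_links": sorted(c_links - b_links),
            "extra_words": sorted(c_words - b_words)}

def fetch(url, user_agent, timeout=15):
    """GET url with the given User-Agent header; returns the decoded body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Fetch url as a browser and as Googlebot and report what only the bot sees."""
    return cloaking_diff(fetch(url, BROWSER_UA), fetch(url, BOT_UA))

# Constructed sample pages: the crawler copy carries injected casino links.
BROWSER_PAGE = "<html><body><h1>My Blog</h1><p>Notes on the garden.</p></body></html>"
BOT_PAGE = ("<html><body><h1>My Blog</h1><p>Notes on the garden.</p>"
            '<p>Best <a href="http://spam.example/casino">online casino</a> bonus</p></body></html>')
```

Run check_url against your own site's front page and a few post URLs; an empty result for both keys means both user agents received the same links and text.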
I was able to fix the problem by deleting all the malicious code from my wp-config-sample.php file. (I think this file can be empty, so you could probably just delete all the code in there.)
Looking at the weird stuff that was inserted into the website by this malicious code, I can see links to several other WordPress sites that were hacked in the same way. If you are seeing weird search engine results for your WordPress site, you may be having the same problem.
By the way, this site is running WordPress 2.9.2, although when the site was first hacked we were using an older installation of WordPress and have run the automatic update since then. I have also updated the admin, FTP, and database passwords just in case!