I’m sorry if this has been covered — I searched but was unable to find help — I’ve noticed that some spam-tastic links have been appearing in the header.php of my theme.
The links don’t appear when the site is rendered, however they are in the page’s source. So the ‘hacker’ is clearly attempting to stealthily increase their page rankings (the presence of these links also influenced the content of my google ads).
As soon as I found the links I removed the code from the header.php. Made sure that all the plugins that I’m using are up-to-date and, of course, double checked that I was running the latest WP and that all my files had the correct permissions.
However, less than 24 hours later the links were back in the header.php – so double checked everything again, and even changed my passwords for my ftp AND WP admin login…. but, guess what! They appeared there again and I have no idea how the file is being accessed and edited.
I googled a few of the nefarious links and was surprised to see how many sites have also been hacked (try for yourself, google: “information phentermine viagra xanax” or “cialis compare levitra viagra” and check out how many of the results are for innocent sites whose source has been modified).
Anyway, I guess I’m asking for help here – is this a known exploit? If so how do I prevent it from happening again?
Yeah, I am running 2.3.2 – as I said in my first post – and yeah, I have removed it from the header, as was suggested on one of the many sites I found while attempting to diagnose the problem I outlined above.
I’m not sure what significance your comment holds. Seriously, is there something wrong with not showing the version number?
Seriously, is there something wrong with not showing the version number?
No. It doesn’t actually help or anything, but there’s nothing wrong with it.
He may have hacked your core files or left a backdoor in there or got in through a plugin or something. Replace all the WordPress files with fresh ones. Deactivate your plugins and see if they may have known compromises for them before reactivating them. Look through your server logs to see how he’s getting in.
whooami, I’m not using any of the plugins that are listed in the linked post – I wasn’t having a go at you about the version number, I was genuinely asking if removing it was an issue.
Otto42, I’ll replace the files as you suggest and see if that prevents it from happening again.
I’m still curious to know if this has happened to others here. As I said, I found several exploited sites just by doing a quick google search, but it doesn’t seem like there is a known ‘hole’ or even that other people are aware that it’s happening.
AH HA! On following up with Otto42’s suggestion I was just running through the files list and comparing it to the default file list from a new install of WP – sure enough there was a wp- prefixed file there that wasn’t supposed to be.
It appears that somehow someone had managed to install an r57shell file on the server (which I’ve now removed).
Being that this sort of thing is completely beyond my understanding, how should I go about preventing this from happening again?
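The file-list comparison described in the post above can be automated. The following is an added example, not code from anyone in this thread: it hashes every file in the live install and in a freshly unpacked copy of the same WordPress version, then reports files that exist only on the server and files whose contents differ. The function names, the `user_dirs` parameter and the sample file names in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def _index(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                index[rel] = hashlib.sha256(fh.read()).hexdigest()
    return index

def compare_to_pristine(installed, pristine, user_dirs=("wp-content/",)):
    """Return (extra, modified) lists of paths relative to the install root."""
    live, clean = _index(installed), _index(pristine)
    # extra: on the server but not in the fresh copy; user_dirs is skipped
    # because themes, plugins and uploads legitimately add files there.
    extra = sorted(p for p in live
                   if p not in clean and not p.startswith(user_dirs))
    # modified: present in both trees but with different contents.
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return extra, modified

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        core = {"index.php": "<?php // core", "wp-login.php": "<?php // login",
                "wp-content/themes/default/header.php": "<head></head>"}
        for root in (clean, live):
            for rel, data in core.items():
                _write(root, rel, data)
        # Constructed tampering: a stray wp- prefixed file, an edited header,
        # and wp-config.php, which every install has but the archive lacks.
        _write(live, "wp-stats-cache.php", "<?php // not part of WordPress")
        _write(live, "wp-content/themes/default/header.php", "<head><a></a></head>")
        _write(live, "wp-config.php", "<?php // site settings")
        return compare_to_pristine(live, clean)

if __name__ == "__main__":
    print(demo())
```

Expect `wp-config.php` in the extra list on any real install; anything else listed there, and any modified file you did not edit yourself, is worth opening and reading before the files are replaced.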