WordPress footer follies

I was all prepared to post a backlog of interesting stuff today when it came to my attention, thanks to alerts from Reinhard Handwerker and Vikram Thakur of Symantec, that some strange spammy stuff was happening on this site. I ended up spending the day rooting out bot droppings from my WordPress installation.

Yes, it’s true, I’d been lax about upgrading to the latest version. I was only a little behind, but perhaps that was enough. In any case, here are some details, which might be useful to others who find themselves victim to what I think of as the “wordpress footer exploit.” (I’ve already gotten email from a couple of other users who are battling the same problem. Al Gore, apparently, went through something similar.)

Skip the rest of this unless you’re a WordPress user in trouble looking for help!

Here were the gory details in my case. No doubt others will differ. I don’t have a clear sense of the starting point for the exploit — no doubt some little chink in the WordPress armor that I can only hope is no longer open in the current version.

My HTML source revealed a long list of spammy links in the WordPress footer — hidden from view but presumably accessible to the Googlebot. The first step in defeating them was to remove the PHP call to the wp_footer function from the footer template. (If you need that function for other plugins or users, you can add it back in once your code is cleaned up.)

That alone isn’t enough, alas. I also found 2-3 lines of code inserted into the main index.php file at the top level of the blog. The code that kept reinserting the spammy links into the footer even after they’d been deleted was located in a few lines added to the default-filters file in the wp-includes directory. Then I found two more completely new files had been added to wp-includes: one called “class-mail” and the other, with the deceptively plain name “apache.php,” which was a motherlode of mischief. (Thank you, though, oh hackers, for labeling your crud with ASCII art of a spider — it’s really helpful when one is scanning dozens of files to know that when you stumble on the malicious code, it comes with its very own Dark Mark.) “Classes.php” looked like it had been touched, too, based on the modification date; I replaced it with a clean version.

I killed all this crud and succeeded in removing the spammy links, but I still had a problem: there were a bunch of files that seemed to be being served from my domain that were just pages advertising, you know, those drugs that spammers like to advertise. They weren’t my content, of course, but they’d somehow made their way into my WordPress — and they were being linked to from other compromised WordPress sites. The ways of the botnets are devious indeed! I couldn’t figure out exactly where this infection’s root lay, but — having removed all the malicious code I could find and then changed all my passwords — I overwrote my WordPress installation with a clean download of the WordPress code, and that appeared to do the trick.

If you suspect your site is compromised, I recommend proceeding in the following order: First, root out the bad code; then change your passwords. If you change your passwords while your site is still compromised, you risk having your new passwords exposed via exactly the same route your old ones were, if in fact they were (I don’t know if mine were or not, but hey, when you start finding bad code in your directories, it’s time to change your passwords).
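As an added example (not from the original post), here is a small POSIX shell script that does mechanically what the cleanup above did by hand: it compares a WordPress install against a clean download of the same WordPress version and reports files that have no clean counterpart (like the dropped-in apache.php) and files whose contents differ (like the patched default-filters.php). The directory paths and the tiny sample trees it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: compare a WordPress install
# against a clean copy of the same WordPress version and report what differs.
# Assumes the clean copy was downloaded separately and unpacked to REF_DIR.

# Print "EXTRA <path>" for files only in the install (e.g. a dropped-in
# wp-includes/apache.php) and "MODIFIED <path>" for files whose contents
# differ from the clean copy (e.g. a patched wp-includes/default-filters.php).
wp_diff_tree() {
  ref=$1; inst=$2
  tmp=$(mktemp -d) || return 1
  ( cd "$ref"  && find . -type f | sort ) > "$tmp/ref"
  ( cd "$inst" && find . -type f | sort ) > "$tmp/inst"
  # Lines unique to the install listing: files with no clean counterpart.
  comm -13 "$tmp/ref" "$tmp/inst" | sed 's/^/EXTRA /'
  # Files in both trees: byte-compare, report any mismatch.
  comm -12 "$tmp/ref" "$tmp/inst" | while IFS= read -r f; do
    cmp -s "$ref/$f" "$inst/$f" || echo "MODIFIED $f"
  done
  rm -rf "$tmp"
}

# Constructed sample trees for a stand-alone run: a tiny "clean" tree and a
# "site" tree with one altered file and one foreign file, mirroring the
# post's findings. Real use: wp_diff_tree /path/to/clean-wordpress /var/www/blog
build_sample_trees() {
  base=$1
  mkdir -p "$base/clean/wp-includes" "$base/site/wp-includes"
  for d in clean site; do
    printf '<?php // index\n' > "$base/$d/index.php"
    printf '<?php // default filters\n' > "$base/$d/wp-includes/default-filters.php"
  done
  # Site-only differences: an appended line and an extra file (both constructed).
  printf '<?php // appended line\n' >> "$base/site/wp-includes/default-filters.php"
  printf '<?php // not part of WordPress\n' > "$base/site/wp-includes/apache.php"
}

# Run the comparison on the constructed trees; the report goes to stdout.
demo_report() {
  base=$(mktemp -d) || return 1
  build_sample_trees "$base"
  wp_diff_tree "$base/clean" "$base/site"
  rm -rf "$base"
}

demo_report
```

On a real install, review every EXTRA and MODIFIED path by hand before deleting anything, since wp-content (themes, plugins, uploads) and wp-config.php legitimately differ from a clean download.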

May you never need this information! But if you do need it, may this be of some use to you.



  1. Hi, Scott

    Bummer about your hack! I got hacked too recently, in a somewhat different way.


    I’ve since upgraded and instituted secure login. (I’m pretty sure my password got sniffed on open wifi.) But I’ll scan my blog for the kind of hack you suffered, as well.

    Thanks for the info

    – Amy Gahran

  2. Hey, Amy, sorry to hear you’ve been wrestling with this stuff too. I think I opened myself up to this by not keeping my WP up to date. Shoulda known better, etc.

    Morgan, I’ve been religious about Akismet since day one with WordPress, but didn’t know about Bad Behavior. I’ll look into it — thanks for the tip.

  3. Some of those ‘free’ templates require you leave the link to their site and by removing it you open yourself up to copyright infringement. That being the case, you should still be able to remove malicious code but just check what the license says.

  4. How To Build Backlinks To Your Blog

    While no one knows exactly what the formula for search engine rankings is, we do know that it has a lot to do with how many “votes” you have out there on the web. These votes are counted as backlinks. If you think about it, what do you do when you find something you really like and want to share with others? You link to it! That’s why the search engines count these so highly. While you should definitely aim to get to the point where others will link to you, it’s possible to take things into your own hands for now.

    Below are some of the top strategies you can use for building backlinks to increase the value of your blog in the eyes of the search engine.

    Write Articles and Submit Them

    Writing and submitting articles is a great way to build backlinks! There are sites out there like EzineArticles.com and GoArticles.com that allow you to post your content with a link back to your site. That means you get to have your link on authority sites! The more articles you write, the more you can submit them. The beauty of this is that you can often submit the same articles to different sites, or rewrite them quickly to have something that is more unique.

    Comment on Other People’s Blogs

    It’s a great thing to remember that a huge part of blogging is getting involved in the community. Commenting on other people’s blogs will not only get you some recognition from their readers right away, it also counts as a backlink! Keep in mind that some of these links are termed “nofollow”, which means the search engines may not pass along ranking or “juice.” That’s okay, because the algorithms are always changing, and since these links are so highly targeted they are a great thing.

    Write Guest Posts

    Writing guest posts for other niche blogs is an amazing strategy. People love to let you do this because it gives them a day off from blogging. Readers love it because they get a fresh perspective on a topic they are interested in. You’ll love it because it means you get a link back to your site and all you had to do was write an extra post for the day.

    Use Social Bookmarking Sites

    Another thing you can do is bookmark your sites. Now, there are some rumblings out there that these won’t count as highly in the future as they do now. Still, bookmarking your sites lets the search engines know “you are there” for fast indexing. If you take the time to make sure the sites you bookmark with are high quality, you’ll get the benefit of those links as well.

    Paying for Links

    There are many different ways you can pay for links. It is important to know that Google and other search engines frown on this because it’s like you’re gaming their algorithm. Whether you choose to do this or not is up to you, but it can be an effective strategy if you don’t go overboard and aren’t obvious. You can contact people directly or even work through link exchange networks.

    Learning how to build backlinks to your blog is extremely important if you want to rank well. Add a few links at a time and they will build up in a massive way over the long run.

  5. Very interesting read, I think there would be a lot of mixed opinions on this. Love the theme that you are using, what is it?

  6. Kenson Goo

    Hi all,

    After getting sick of so-called free WordPress themes with a bunch of encrypted spammy links, I decided to spend a couple of days to set up cleanWPtheme.com. I decrypted all footer links of WordPress themes and share them at the site. Hopefully, you will like it too. Thanks.

  7. Well, I guess it can happen to me. Here it is in 2011 right before Black Friday and my blog is under attack. It has been hijacked. Whoever it is is doing their own advertising on it at my expense. Unfortunately, I haven’t a clue how even to find the footer.

    I have the latest upgrade of WordPress, maybe 2 months old. I do have an old version of the theme, Dosh Dosh, Prosense. Could the age of the theme be the weakness?

    Before finding this blog, I was at the point of just turning things off for a couple of weeks until it all cooled off. I guess that wouldn’t help.

    Does anyone have an updated version fix for this problem? After all this has apparently been going on for a while.

    Thanks Bunches Folks.
