Last week, while trying to fix a plugin that had stopped working after the last WordPress upgrade, I noticed an odd bit of code. Upon further investigation with the use of Google’s text-only feature on their cached page search, I found that my blog had been hacked and turned into a spam blog.
Didn’t notice, did you? Neither did I. I think it happened back in April. Basically, the hackers get in and hide hundreds of links in your header or footer that are then rendered invisible by some kind of CSS trick, all accomplished through the use of an invisible plugin.
Then your blog looks and works like it always did, but the Googlebots see hundreds of links to sites selling porn, gambling, and various pharmaceutical delights.
This appears to have happened back in April at exactly the time I quit blogging regularly so I never noticed. It seems hundreds of WordPress blogs were affected and so there is plenty of info out there about fixing this hack, both on the WordPress support forums and elsewhere.
Here’s what I discovered:
- a hidden user account on my blog that couldn’t be deleted through the admin interface
- a plugin that didn’t show up on my plugin screen
- several files in my directory and various subdirectories that were not placed there by me or WordPress
After reading up on this, I deleted everything from my directories that was not put there by me. I also deleted all the old subdirectories left over from my site’s first pre-blogging incarnation (while rediscovering the cool sky you now see in the background) and a very old test blog I created and never upgraded.
Then, I had to go into the MySQL database, which forced me to learn a lot more about both MySQL and phpMyAdmin than I had ever known previously. Messing with the database is risky. As the warning says on the WordPress site, “with great power comes great responsibility.”
I figured it out, though. I was able to go into the database and delete the phantom user, turn off the phantom plugin and delete a mysterious table that shouldn’t have been there.
Had it not been for the following sites, I would not have had the foggiest idea how to do these things, so big shout-outs to: BlogBuildingU.com, WordPress Philippines, Marketing.com, Ms. Adventures in Italy, and especially to Get Rich Slowly for their detailed instructions on dealing with the database cleanup. (How odd that 2 of these sites are from The Philippines and Italy, both countries in which I’ve lived).
The WordPress support forums were also helpful as always.
Once the database was cleaned up and the directories cleaned, I reinstalled the latest WordPress and changed every password associated with my web host and this blog. Probably a good thing to do from time to time anyway.
Now that the site is cleaned out and the hidden links are gone, I have to get back into Mr. Google’s good graces. The Googlebots have apparently determined that my site is a spam links blog and so my site no longer shows up in Google searches. I had noticed that my traffic dropped tremendously back in April, but I had assumed it was because I had slowed down on posting. Fortunately, Google has a tool in Google Webmasters to have a site reevaluated, so hopefully, my traffic will come back.
This wasn’t an awful experience. I was lucky and I managed to learn a lot.
I am no longer afraid of phpMyAdmin and the MySQL database (even if I don’t totally get them yet).
I was reminded of the importance of regular upgrades.
I was reminded of the importance of keeping my directories neat and clean.
I learned to periodically check over the code in my theme files and look at cached pages for anything that might be awry.
I wrote a few months ago that one of the things I like about running a self-hosted WordPress is that I’m running more than just a blog, I’m running a website. That still holds true even if I have to spend a week dealing with the mess created by some worthless waste of skin who decided to use my blog as a tool in their nefarious link scheme.
For those who may be wondering about the missing comments issue this week, that was a totally unrelated thing. Two days after cleaning up the hack mess, my host had a problem with their MySQL server that temporarily ate the comments and caused a few other problems, which they have happily fixed. Thanks to Kevin Dewalt and whooami for their help in figuring out that issue.
And, now, everything seems right with the cyberworld and hopefully, Mr. Google will come back too.