Join 3,572 readers in helping fund MetaFilter (Hide)


Help keep the Czech escorts off my site!
December 3, 2010 8:02 AM   Subscribe

Spam links keep appearing in my wordpress-powered website's footer!

I run a nonprofit, so it's really not cool to keep finding links to sites like "Czech escorts," etc. in our footer. Our site is a completely custom-designed template, so it's not links added from a malicious template designer or anything. I have WP Super Cache installed, and usually a quick turning-off and turning-back-on of the cache will fix the problem, but I'd rather the problem not ever show up to begin with (and even once it's been fixed, it often reappears in an hour or two).

I've set the ourdomain.com directory on our server to read-only, but it still happens. And oddly enough, when the links reappeared today, I went to my Wordpress install and it said "WP Super Cache was deactivated because the plugin could not be found" (!!!)

How is any of this possible? Our wordpress install is a standard Dreamhost one-click install, the directory is set to read-only, I keep up to date on both my Wordpress updates as well as all plugin updates. And the template files don't appear to have been tampered with.

The sites I've found on google suggest things like, "make sure WP Super Cache is the latest version," which of course I do, but it still happens.
posted by ferdinandcc to Computers & Internet (17 answers total) 1 user marked this as a favorite
 
You can view the site in question by clicking my name. I didn't want to promote the site in my question itself because I thought that's frowned upon. I've already un-cached and re-cached the site so hopefully the spam won't appear, but it'll probably rear it's ugly head again later today or tomorrow.
posted by ferdinandcc at 8:03 AM on December 3, 2010


Is wordpress running on the latest installation?
posted by royalsong at 8:05 AM on December 3, 2010


And it would help if I read the only sentence I didn't read.

Are you sure it's the latest installation? Are you using wordpress's update function or dreamhost's?
posted by royalsong at 8:07 AM on December 3, 2010


Oh, another thought and then I will flee from your question.

Is it possible a hacker got ahold of your password? Is it fairly secure?
posted by royalsong at 8:09 AM on December 3, 2010


I'm using wordpress's update function (and yeah, it's the latest, as are all plugins—the only ones which are activated are WP Super Cache, sociable, and akismet)
posted by ferdinandcc at 8:09 AM on December 3, 2010


This guide will help: http://codex.wordpress.org/FAQ_My_site_was_hacked
posted by episodic at 8:09 AM on December 3, 2010


My password is ~15 characters long and isn't a dictionary word.
posted by ferdinandcc at 8:10 AM on December 3, 2010


Lock down your wp-admin directory using .htaccess, and a couple of other tips from Matt Cutts.

What other plugins are you using? Just because they're up-to-date, that doesn't necessarily mean they're secure.
posted by Gator at 8:12 AM on December 3, 2010


Thanks for the advice re: .htaccess

The plugins I'm using are WP Super Cache, Sociable, and Akismet. Sociable adds the facebook, delicious, etc. links into the individual posts, and akismet filters comment spam, as I'm sure you're all well aware :)
posted by ferdinandcc at 8:14 AM on December 3, 2010


I'm not sure the .htaccess tip will work (the linked article talks about blocking all IP addresses except the ones you use, but mine is constantly changing; I'm posting from remote locations all over the place)
posted by ferdinandcc at 8:16 AM on December 3, 2010


My guess is that it's not the WP install that's been compromised, but something else. Probably an FTP password or something like that.

(They're running around inserting links into the static html files generated by WP Super Cache, not editing the WP data directly, which is why regenerating the cache solves the problem temporarily.)
posted by pharm at 8:25 AM on December 3, 2010


I just changed my FTP password, so I'm crossing my fingers. Thanks for the analysis, it makes sense.
posted by ferdinandcc at 8:26 AM on December 3, 2010


Note that if ftp access gives them access to your WP plugins, then they could have compromised those as well. You should probably re-install the WP setup from scratch if possible & restore data from backups if the datastore could also have been compromised.

Obviously any passwords stored on the host should be regarded as tainted & changed immediately.
posted by pharm at 8:29 AM on December 3, 2010 [1 favorite]


(It's also possible that one of the people with access to the site has had a trojan installed on their PC by some means.)
posted by pharm at 8:32 AM on December 3, 2010


I'm the only person who accesses our wordpress page (and I use a Mac).
posted by ferdinandcc at 8:35 AM on December 3, 2010


Macs are sadly not immune, although they're less likely to be a victim of random spam hacks. One recent trojan was even cross-platform! †

Hopefully changing the ftp password will sort it!

http://www.tgdaily.com/security-features/52230-nefarious-mac-os-x-trojan-spotted-in-the-wild
posted by pharm at 9:13 AM on December 3, 2010


Don't save your FTP password on your computer. Sorry to be the bearer of bad news, but in order to protect your website, you will need to type it into your FTP program every time.

One of my sites got hit with something like this. Turns out there is malware out there which harvests stored FTP passwords. So changing your password is only a short-term fix.
posted by ErikaB at 11:23 AM on December 3, 2010


« Older What can I send to a female co...   |  Can you recommend a light fixt... Newer »
This thread is closed to new comments.