Help keep the Czech escorts off my site!
December 3, 2010 8:02 AM

Spam links keep appearing in my wordpress-powered website's footer!

I run a nonprofit, so it's really not cool to keep finding links to sites like "Czech escorts," etc. in our footer. Our site is a completely custom-designed template, so it's not links added from a malicious template designer or anything. I have WP Super Cache installed, and usually a quick turning-off and turning-back-on of the cache will fix the problem, but I'd rather the problem not ever show up to begin with (and even once it's been fixed, it often reappears in an hour or two).

I've set the ourdomain.com directory on our server to read-only, but it still happens. And oddly enough, when the links reappeared today, I went to my Wordpress install and it said "WP Super Cache was deactivated because the plugin could not be found" (!!!)

How is any of this possible? Our wordpress install is a standard Dreamhost one-click install, the directory is set to read-only, I keep up to date on both my Wordpress updates as well as all plugin updates. And the template files don't appear to have been tampered with.

The sites I've found on google suggest things like, "make sure WP Super Cache is the latest version," which of course I do, but it still happens.
posted by ferdinandcc to Computers & Internet (16 answers total) 1 user marked this as a favorite

 
Response by poster: You can view the site in question by clicking my name. I didn't want to promote the site in my question itself because I thought that's frowned upon. I've already un-cached and re-cached the site so hopefully the spam won't appear, but it'll probably rear its ugly head again later today or tomorrow.
posted by ferdinandcc at 8:03 AM on December 3, 2010


Is wordpress running on the latest installation?
posted by royalsong at 8:05 AM on December 3, 2010


And it would help if I read the only sentence I didn't read.

Are you sure it's the latest installation? Are you using wordpress's update function or dreamhost's?
posted by royalsong at 8:07 AM on December 3, 2010


Oh, another thought and then I will flee from your question.

Is it possible a hacker got ahold of your password? Is it fairly secure?
posted by royalsong at 8:09 AM on December 3, 2010


Response by poster: I'm using wordpress's update function (and yeah, it's the latest, as are all plugins—the only ones which are activated are WP Super Cache, sociable, and akismet)
posted by ferdinandcc at 8:09 AM on December 3, 2010


Response by poster: My password is ~15 characters long and isn't a dictionary word.
posted by ferdinandcc at 8:10 AM on December 3, 2010


Lock down your wp-admin directory using .htaccess, and a couple of other tips from Matt Cutts.

What other plugins are you using? Just because they're up-to-date, that doesn't necessarily mean they're secure.
posted by Gator at 8:12 AM on December 3, 2010


Response by poster: Thanks for the advice re: .htaccess

The plugins I'm using are WP Super Cache, Sociable, and Akismet. Sociable adds the facebook, delicious, etc. links into the individual posts, and akismet filters comment spam, as I'm sure you're all well aware :)
posted by ferdinandcc at 8:14 AM on December 3, 2010


Response by poster: I'm not sure the .htaccess tip will work (the linked article talks about blocking all IP addresses except the ones you use, but mine is constantly changing; I'm posting from remote locations all over the place)
posted by ferdinandcc at 8:16 AM on December 3, 2010


Best answer: My guess is that it's not the WP install that's been compromised, but something else. Probably an FTP password or something like that.

(They're running around inserting links into the static html files generated by WP Super Cache, not editing the WP data directly, which is why regenerating the cache solves the problem temporarily.)
posted by pharm at 8:25 AM on December 3, 2010
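
One way to check the hypothesis in the answer above, as an added example that is not from any poster in this thread: scan the static HTML files WP Super Cache generates and report links to hosts the site does not link to on purpose. The allowlist, the sample HTML and the `spam.example` host are constructed assumptions.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts the site links to on purpose; edit for your own site.
ALLOWED_HOSTS = {"ourdomain.com", "facebook.com", "delicious.com"}

# Constructed sample of a tampered cached page (not taken from the real site).
SAMPLE = """<a href="/about/">About</a>
<a href="http://www.facebook.com/sharer.php?u=x">Share</a>
<div id="footer"><a href="http://ourdomain.com/contact/">Contact</a>
<a href="http://spam.example/escorts">spam</a> <a href="//cdn.spam.example/x">more</a></div>"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def is_allowed(host, allowed=ALLOWED_HOSTS):
    """True for an allowed host or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def unexpected_links(html, allowed=ALLOWED_HOSTS):
    """Return links whose host is outside the allowlist; relative links are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        try:
            host = urlparse(href.strip()).hostname  # None for relative links
        except ValueError:
            host = "unparseable"  # malformed URL: flag it instead of crashing
        if host and not is_allowed(host, allowed):
            flagged.append(href)
    return flagged

def scan_cache(cache_dir, allowed=ALLOWED_HOSTS):
    """Map each cached .html file under cache_dir to its unexpected links."""
    found = {str(p): unexpected_links(p.read_text("utf-8", "replace"), allowed)
             for p in sorted(Path(cache_dir).rglob("*.html"))}
    return {name: links for name, links in found.items() if links}

if __name__ == "__main__":
    print(unexpected_links(SAMPLE))
```

On a real install, point `scan_cache` at the plugin's cache directory (commonly under `wp-content/cache`) and run it on a schedule, so a modified cache file is noticed when the links reappear rather than when a visitor reports them.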


Response by poster: I just changed my FTP password, so I'm crossing my fingers. Thanks for the analysis, it makes sense.
posted by ferdinandcc at 8:26 AM on December 3, 2010


Best answer: Note that if ftp access gives them access to your WP plugins, then they could have compromised those as well. You should probably re-install the WP setup from scratch if possible & restore data from backups if the datastore could also have been compromised.

Obviously any passwords stored on the host should be regarded as tainted & changed immediately.
posted by pharm at 8:29 AM on December 3, 2010 [1 favorite]


(It's also possible that one of the people with access to the site has had a trojan installed on their PC by some means.)
posted by pharm at 8:32 AM on December 3, 2010


Response by poster: I'm the only person who accesses our wordpress page (and I use a Mac).
posted by ferdinandcc at 8:35 AM on December 3, 2010


Macs are sadly not immune, although they're less likely to be a victim of random spam hacks. One recent trojan was even cross-platform! †

Hopefully changing the ftp password will sort it!

http://www.tgdaily.com/security-features/52230-nefarious-mac-os-x-trojan-spotted-in-the-wild
posted by pharm at 9:13 AM on December 3, 2010


Don't save your FTP password on your computer. Sorry to be the bearer of bad news, but in order to protect your website, you will need to type it into your FTP program every time.

One of my sites got hit with something like this. Turns out there is malware out there which harvests stored FTP passwords. So changing your password is only a short-term fix.
posted by ErikaB at 11:23 AM on December 3, 2010

