Is my website virussed?
February 3, 2010 9:04 AM   Subscribe

I have a personal Wordpress website/blog ('') but the other day got an email from someone I know telling me that my site appeared to have a virus on it (a redirection to one of those appalling 'buy our virus killer' sites). I checked myself and couldn't see an issue but today, using a different PC if I typed the URL diredtly I could go there straight away but if I Google-searched 'timpollard' and then clicked in the ' link it displayed the message 'This site has been reported unsafe' as it was trying to access an entirely different site: 'antivirus-wizard-a1.c*m'. Help, what's happening - and how can I fix it, please?
posted by timpollard to Computers & Internet (17 answers total) 4 users marked this as a favorite
Nottingham's Robin Hood?

Not a virus, but yes, your website has been hacked and the home page is redirecting to a scammy fake virus scanner... if the referrer is Google.

Funnily enough, is fine.
posted by rokusan at 9:08 AM on February 3, 2010

This might be helpful:

Did your wordpress site get hacked

Might be worth talking to your host to see if they can help you out too.
posted by backwards guitar at 9:09 AM on February 3, 2010 [1 favorite]

(And yes, safe-surfing tools will flag that as an unsafe site. Not yours, note.)
posted by rokusan at 9:09 AM on February 3, 2010

Yeah, the likely situation is that your site has been hacked with a kit that has the good sense to modify what it displays depending on whether the visitor is logged in to the site; that way, you as admin don't necessarily see that anything is amiss. It's a clever and frustrating bit of scripty evil, I've run into it myself.
posted by cortex at 9:11 AM on February 3, 2010

I hate to admit it, but this has happened to me repeatedly. Typically there's an invisible iframe added to your page, usually appended at the very end of the page (added to the wordpress template, in most cases), but sometimes elsewhere. In one case the addition had a huge number of spaces put in front of it, so that it would not be visible when viewing source unless I scrolled way to the right.

If you haven't already done a view-source on your page, do that. Then go in and review your page templates, and fix them.
posted by adamrice at 9:16 AM on February 3, 2010

This exact thing has happened to me as well. I've looked at your source code and can't find anything immediately obvious, but one time they actually included the dodgy code inside an included .js file. I'm just looking through yours to see if i can find anything...
posted by ukdanae at 9:21 AM on February 3, 2010

This is already mentioned on backwards guitar's linked page, but I'll second it: check your .htaccess file. In encountering something similar on friends' hacked sites a couple of times, they've gone after the .htaccess file and put a redirect in it. Simple fix.
posted by zylocomotion at 9:31 AM on February 3, 2010 [1 favorite]

I can't find anything in the JS files. Do you have a plugin that automatically detects if the referrer is google, and highlights key terms? If so, it could be that this was hacked - it might be worth going through and systematically disabling each plugin you have to see if you can isolate one as the problem.

After this happened to me twice, I now have the fear of god about upgrading plugins and Wordpress itself, and i am now super-cautious about installing new plugins, or keeping un-used ones activated and lying around. If you happen to have an older version of Wordpress installed, I would upgrade that as your first step.
posted by ukdanae at 9:32 AM on February 3, 2010

Just to throw another idea in here, there are a few trojans that actually FTP the code into your files by stealing FTP information saved on your computer. If this is the case, it has nothing at all to do with Wordpress, and to fix it you will have to go through all the files on your site and remove the offending lines of code. I've seen one that inserts the malicious scripts into any file called index, default, and all javascript files. A nifty text editor like Notepad++ should let you easily clean all your files with a multi-file find and replace, then just FTP them back.

I'd change my WP admin password AND my FTP password if I were you.
posted by beyond_pink at 9:43 AM on February 3, 2010

Any suggestions on how to get Google/Firefox to remove the Scarlett Letter once you get the issue resolved? How long does it take? Is there a form?
posted by Elminster24 at 10:51 AM on February 3, 2010

Elminster - when this happened to me, we fixed the problem and Google lifted the scarlett letter after their next crawl of the site, which i think took about 3 days. There's also a "Malware details" section under Google Webmaster Tools which might be worth looking at - it's under Labs.
posted by ukdanae at 10:58 AM on February 3, 2010


Emphasizing that it's very important to change your FTP username and password to something totally unfriendly to hackers. For password encryption, I recommend using one of the free password generation tools online.

If your web host supports SFTP or even FTP with TSL/SSL, be sure to switch to that if you haven't already. Plain vanilla FTP is NOT secure. [more on that]

Your next step should be to try to clean up your files, or if you have a clean version of your site and templates archived, you can reupload the whole shebang.

Once you're reasonably sure your files are clean again, you can submit your site for review using Google Webmaster tools, as ukdanae recommends (you might need to take the extra step of verifying your site if you haven't done that); if Malware still exists you should get an alert on your Webmaster tools dashboard, and if it doesn't, the red warning screen will be removed. When this happened to me, it took about 24 hours to get my site up and running again, but maybe I was lucky!

Good luck!
posted by missmobtown at 11:19 AM on February 3, 2010

Response by poster: Wow - thank you all so much, I greatly appreciate the time and trouble you've gone to both in answering so quickly and helpfully, but also in going through the code to see where the badness might be, I'm truly grateful, thank you...

I'm going through things now, hopefully I'll be able to sort it.

And thank you all again, truly!
posted by timpollard at 11:20 AM on February 3, 2010

zylocomotion: ... check your .htaccess file.

I checked with wget, & this is, in fact, the problem. No Javascript or other files were necessary to see this. I searched for the first redirect of several (to a temp directory at absalom press dot com), & found a pastebin of the likely htaccess source. I reported the abuse to pastebin, & emailed the address on the front page of Absalom Press.

If you have backups, restore .htaccess, otherwise, delete it & reinstall / upgrade Wordpress to recreate it.
posted by Pronoiac at 11:14 PM on February 3, 2010 [1 favorite]

If you're playing along at home,
  wget -S
will show what I'm writing about.
posted by Pronoiac at 11:33 PM on February 3, 2010

I also emailed the next step along in the series of redirections, & they've since removed the part on their server.
posted by Pronoiac at 7:28 AM on February 4, 2010

Response by poster: Just astounding, thank you so much - I was flooundering for a while because I couldn't see .htaccess but forcing 'See hidden' under the rather esoteric tab system Filezilla has now lets me see exactly what you were talking about - thank you so much again.

I've got to say, AskMeFi is just awesome, and you have my deepest gratitude, thank you.
posted by timpollard at 8:07 AM on February 4, 2010

« Older Best route to a nicer future   |   Multilingual MetaFilter(s)? Newer »
This thread is closed to new comments.