What if my WordPress Blog Got Hacked with the Google Redirect?

By Daniel Scocco

questions and answersThis post is part of the weekly Q&A section. Just use the contact form if you want to submit a question.

Redwall_hp asks:

BookAdvice.net is a legitimate website, and works fine if you access it directly. However, if you search “bookadvice” on Google or Yahoo, and click the result, you are taken to a bogus site that tries to install a smitfraud-type faux antivirus malware package. The SERP looks perfectly normal, as it should be, but when it’s clicked it doesn’t take you to BookAdvice.net, but to the malware site.

What you described in your questions is the (unfortunately) popular hack that places a redirect on a website to divert all or part of its search engine traffic to another website.

This hack is not limited to WordPress blogs, although some months ago a WordPress vulnerability made this a big problem on the platform.

Here is how it works: the hacker gains access to the WordPress control panel or to some specific files (e.g., plugins) in your server. After that he will insert some PHP code in one of the files, create a plugin, or create a fake .jpg image that will function like a plugin.

Once the code or the plugin is in place, whenever someone tries to access your website via a Google search result, he will be directed to another site specified by the hacker (usually a malicious site that will try to install something on the computer of the users).

If you want to test for this hack, you simply need to search the name of your site in Google and click on the right result. Then just check if your will end up on your site or on another site. It is a good idea to test this for a couple of posts too, and not just with the homepage.

If you find out that you got the hack, here are some steps that you can do to try to fix it:

1. Upgrade Your WordPress Intall

The first step is obviously to upgrade WordPress. Older versions have many security holes that make it easier for people to gain access to specific files inside your site or server.

2. Change your passwords

The second step is to change all your passwords. This include the WordPress admin password, the hosting account password and the FTP password. If you don’t do it already, remember to change the password regularly too.

3. Browse your site files via FTP

Log into the FTP account of your site and browse around on all the folders. You will be looking for any file that has a strange name or that looks suspicious. If you have a WordPress blog installed on another site, compare the structure of all the files to make sure they match.

4. Browse your theme files

Log into your WordPress control panel, go to the theme editor, and browse inside all your theme files. Look for lines of code that are not supposed to be there, or that contain a PHP code that you don’t recognize.

5. Check your database tables

Some hackers will also upload fake images to your “Uploads” folder and activate them with a plugin call. To detect this you need to open PHPMyAdmin, browse the “wp-options” table, and edit the “active_plugins” record. On that record you will see a list of all the plugins that are supposed to be active in your blog. If there is a strange one there named hdjsjekf.jpg, for instance, delete that.

6. Backup!

Backups are your best line of defense. No matter how secure you make your blog install, if someone is determined to break in, he will be able to. If you have backups, however, all you need to do is to put a fresh software installation in your server and restore the backup.

Finally, check also the post titled 3 Must Apply Security Tips for WordPress that I wrote a while ago with some tips that you can use to secure some parts of your WordPress site.

Monetize Your Site




Share

30 Responses to “What if my WordPress Blog Got Hacked with the Google Redirect?”

  • redwall_hp

    I forgot all about that. The helpful people at Google ran some tests for me, and I was able to track down the source of the problem. The site integrates with an SMF forum via the SSI.php file, and someone snuck some code into the forum somehow, and then the redirect was included into the main part of the site…

    Great post, I’m sure it will help plenty of people. This sort of exploit is becoming increasingly common.

  • susan

    Very timely post – this just happened to me the other day. The hacker got in via my WordPress ‘admin’ user (which I subsequently deleted) and added a PHP file to the Media Library. I found it and removed it.

    I’ll definitely implement your suggestions to guard against this happening again. Thanks for the info.

  • The Fashion Wizz

    I had a similar problem. At the time I didn’t know what was the problem so I had to delete my blog and reinstall it….

  • SATISH — Technotip.org

    Well had seen this kind of problem before, but never knew the cause and solution. Thanks to redwall_hp and Daniel..

  • SEO Tips

    Excellent guide Daniel and a good question to ask, thanks for the information.

  • Mr. I

    Excellent guide Daniel. Now, let me see those 3 Security Tips.

  • Sheila Atwood

    Whoa! I have a friend that said she has been hacked. I am sending her to this post.

    Thanks for the tips for checking up on our blogs.

    This is another case for back up.

  • eGruve.com

    Thanks for this valuable information. Please share more info on how to back up your word press blog.

    Thanks

  • Eric

    7. Use an Apple Macintosh

    I am bi-digital 😉 I use both Mac & PC. I have seen this countless times on my Windows machines. However never on my macs.

  • symbian user

    How wordpress will be updated if I made changes in its engine? Are they will be overwritten? Or they will be merged?

  • Satish Gandham

    Backup is the best line of defense. There’s a good post on problogger about creating a backup of your blog.
    http://www.problogger.net/archives/2009/02/12/testing-your-blog-backup/

  • Bill Masson (WWAH)

    Groan!! I hate the technical side of WordPress, i am forever changing plugins and poking around my wp security issues. I do however take the security of my wp blog very seriously. As for backup i regularly download my important data from the blog and occasionally download my SQL from cPanel. But as you say if someones determined enough then they will hack your wp blog.

    WP super cache has been an issue for me in the past because i have not set my permissions correctly. One of my plugins from MaxBlogPress was acting strange the other day, when it asked me to upgrade i clicked the automatic upgrade link, as you do, but instead of upgrading, the link redirected me to one of my old squeeze pages. I eventually just overwrit the file through my FTP and this solved the problem.

    Thanks for the tips

  • Chung Bey Luen

    Good to mention about this issue as people usually not aware of the WordPress security issue.

  • Hesham

    Thank you for the great advice, I think all blogger who are using their own wordpress blog shoudl follow it, our blogs are very important for us now as we would love to grow it more, I am just imagining if I lost my blog, I will be so very sad for sure!

    I hope this will never happened to me or to anyone of you!

  • Denis

    Hi,

    > If you want to test for this hack, you simply need to search the
    > name of your site in Google and click on the right result.

    If it’s a WordPress hack (I mean malicious PHP code), most likely you won’t see any redirect. This code usually checks if some cookie is set and resirects only new visitors. Blog owners usually have this cookie set and thus don’t see any redirects when they click on search results.

    The workaround would be to 1. clear cookies in a browser. 2. use anothe browser (if your default browser is Firefox then try IE) 3. try to click on the searh results from another computer. 4. Use a tool like wget 5. use an online tool like web-sniffer.net

    There is another type of a redirect exploit that is more popular and more wide-spread right now. It’s a .htaccess redirect.

    Hackers insert conditional redirect rules into .htaccess. They redirect search engine traffic to bogus antivirus sites. Here you can find more details about this exploit:
    http://blog.unmaskparasites.com/2008/12/05/bogus-antivirus-2009-htaccess-exploit/

    And I guess BookAdvice.net had been affected by that .htaccess exploit: the owner could see the redirects and the destination was a bogus antivirus site.

    Most likely this exploit is a result of a compromised FTP password.

  • Daniel Scocco

    @Symbian user, if you edited core WP files I think your changes will be lost.

    The best way to tweak things is via plugins, for this very reason.

  • diabetes man

    add ones again problems online created by hacker……, very serious problems……Thanks for advice and tips for safe

  • Tyrone

    Well this is really a scary issue for the wordpress blogger, I think one must be prepared for all these mischief happenings on the internet and keep changing the password.

  • Hesham

    I am a afraid this happen to me one day, this could give me headaches for sure… thank you for sharing this great information

  • Eric

    #6 is most important. Backup backup backup. I worked in web hosting once. Unbelievable the number of ‘webmasters’ that did not make regular backups of their sites.

  • johnnyjohnny

    i must ask if NOT using wordpress, but something else (that can be recommended) would help, or if this is a problem no matter what?

    thanks
    (geeeeesh, what a headache, needing to become a webmaster!)

  • SEO Quotes

    Excellent guide Daniel and a good question to ask, thanks for the information.

  • Charlotte Web Design

    Thanks for sharing the information how to make my wordpress secure. But I think it’s better to make some info on how do hackers to it a little vague. Because somehow some people might follow the steps for a try out :(.

  • Sajid

    Look like Nice but i haven’t yet problem like that. But most people have that problem they say into comments. Than if i have that problem in future I preferred this…..Thanks.

  • Sajid Latif

    I agree with you.
    Thanks for the tips.
    That theme is useful for me and hope for others also. Nice Work…

  • Sajid

    Hi, fantastic uncluttered theme
    Just want to let everyone know about a great Website Design company. “””www.cmn.com.pk””
    Thanks for the tips.

  • Latif

    Excellent guide Daniel Thanks for the tips.

  • medyum

    Thank you for the great advice, I think all blogger who are using their own wordpress blog shoudl follow it, our blogs are very important for us now as we would love to grow it more, I am just imagining if I lost my blog, I will be so very sad for sure!

  • web developer

    how about injecting JavaScripts into your web pages?

    they will run every time when someone loads your web pages.

Comments are closed.