The past three weeks my WordPress blog got hacked two times. As a regular visitor nothing seemed out of the ordinary, but if you searched Google my blog seemed as a the best drugstore in town (Generic cialis – We Always Have The Cheapest Offers In Our Online-Drugstore). Each and everyone of my blog-pages had corrupted html-title tags or title-id’s (only when viewed through search engines!). Thanks to Google Alerts I found out there was something strange going on.
After a lot of searching (nothing mentioned on the web), finally found the problem. Seemed like my WordPress plugins got edited without my knowledge into base64_encoded hidden code which was then parsed with the php eval() function.
This is what it looks like…
@eval(base64_decode("JGFjdD0iaW1nIjsgZ2xvYmFsICRhcnJfdG...")); ?>
I found different entries in the following plugins: wp-spamfree / rss-import / syntaxhighlighter and so on. I changed all passwords to my site (webspace and databases) and deleted the infected files. Many of those files had changed permissions! I found unknown references to *.bak.php files inside the wp_options database table autoloading various scripts.
Fingers crossed that this won’t happen again. I will keep my eyes on Google / Bing and other search engines to see if my site keeps attracting unwanted visitors.
Google Labs was the only place giving me on the fly information of my cleanup-progress. Unfortunately Google Labs has a request limit on a week to week basis. I haven’t found a similar functionality in BING. So if you reach the request limit, you’re out for the next 7 days…
To give your wordpress some additional security you can password protect the wp-admin directory with .htaccess and .passwd.
If your WordPress gets hacked too, leave me a message if you encounter similar problems. I still don’t know how these files got changed in the first place.