Watch out for hidden SPAM on your WordPress site!


Recently I had a case where my client reported suspicious links to me on his corporate website, which was built using WordPress. Immediately I thought the site had been hacked, and I was preparing myself for gruesome backup tasks.

Luckily this attack was easy, although very clever. It just changed the header file and included another file, which was masqueraded as part of WordPress and placed in the wp-includes directory. The file name was class-ajax.php, which is very similar to the other file names in this directory.

So the header file included this kind of code:

and class-ajax.php was just a static file which contained the advertising:

Obviously I replaced all the actual links here 🙂

How does this code work and why is it effective?

This is a well-known SEO trick. Most search engines cannot understand what kind of content your website really has; they only read the HTML and add what they find, links included, to the search index. For you as a user the block is not visible, because a CSS trick hides the advertising block. You may only notice something if you have installed anti-virus software with HTTP traffic monitoring built in: the anti-virus will warn you and may tell you that the website may be dangerous.
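As an added illustration of the hiding trick just described (this is example code written for this post, not code from the compromised site or from WordPress): a small Python scanner that reads a page's HTML and reports the links that sit inside elements hidden by inline CSS, which is exactly what a crawler still indexes and a visitor never sees. The sample page and its spam-placeholder.example URLs are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Elements that never get a closing tag, so they must not touch the nesting stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "source", "wbr"}

# Inline-style fragments that make a block invisible or push it off-screen.
HIDING_RULES = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),  # e.g. left:-9999px
    re.compile(r"(?:height|width|font-size)\s*:\s*0(?:px)?\s*(?:;|$)", re.I),
]

class HiddenLinkFinder(HTMLParser):
    """Records every <a href> that sits inside (or is itself) a CSS-hidden element."""
    def __init__(self):
        super().__init__()
        self.stack = []         # per open element: does it hide its subtree?
        self.hidden_depth = 0   # how many open ancestors are hiding
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hiding = any(r.search(attrs.get("style") or "") for r in HIDING_RULES)
        if tag == "a" and attrs.get("href") and (hiding or self.hidden_depth):
            self.hidden_links.append(attrs["href"])
        if tag in VOID:
            return
        self.stack.append(hiding)
        self.hidden_depth += hiding

    def handle_endtag(self, tag):
        if tag in VOID or not self.stack:
            return
        self.hidden_depth -= self.stack.pop()

def find_hidden_links(html: str) -> list:
    """Return hrefs a crawler would index but a human visitor never sees."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.hidden_links

# Constructed sample page: a visible nav link plus spam blocks hidden two different ways.
SAMPLE_HTML = """<html><body><nav><a href="https://example.com/about">About</a></nav>
<div style="position:absolute;left:-9999px;top:-9999px">
  <a href="http://spam-placeholder.example/a">cheap pills</a><br>
  <a href="http://spam-placeholder.example/b">casino</a></div>
<p style="display:none"><a href="http://spam-placeholder.example/c">loans</a></p>
<p>Visible <a href="https://example.com/contact">contact</a> link.</p></body></html>"""
```

Run it against the HTML your own site serves (curl it, or save the page) and compare with what the browser shows; any hit is worth a look at header.php and wp-includes.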

How was this attack carried out?

Very hard to say, because WordPress is actually very vulnerable. It becomes even more dangerous if you are using custom plug-ins – they may be of very bad quality, and hackers may use them to carry out an attack.

Personally I think that this attack was carried out using the xmlrpc.php vulnerability. This vulnerability is fixed in WordPress 3.9.2.

What should I do to make my WordPress site more secure?

  1. Ensure that automatic updates are not turned off.
  2. Use as few plug-ins as possible. Always check the plug-in rating.
  3. Keep your eye on security releases.
  4. Use a complicated password and a user name which is not “admin”.
  5. Check that most files are writable only by their owner (644: owner read/write, everyone else read-only).
  6. Use anti-virus software which has HTTP traffic monitoring built in, and check your site with it occasionally.
  7. Study how to make your WordPress site more secure.

But even if you follow most of these security rules, it still does not mean that your site is safe. If you are using WordPress, you should still back up your site regularly.