A few weeks ago, I got an email from Google saying that my site was full of spam and that it was being removed from the indexes. The email contained a sample of the spam words (in my case, viagra, cialis, etc.). Sure enough, it turned out that my blog had been hacked to include lots of words/links that were made invisible via CSS. Pretty distressing stuff.
For those of you in the same boat, here’s what I did to remedy the situation:
1) Most of the damage was in the form of obfuscated code that made use of base64_decode(xxxx). To find this code, go to the root of your site and run: grep -Rl base64_decode ./* It should be pretty easy to use your judgment about what code to remove. This code was inserted into my theme files (found in wp-content/themes/ThemeName).
2) To be extra sure, do a Google search for the offending words on your site. (e.g., viagra site:kuwamoto.org). For me, this turned up another problem with the site, which was that URLs of the form http://kuwamoto.org/?aff=1234 were being redirected to a different site (selling pharmaceuticals, natch). This code wasn’t obfuscated with base64, so I didn’t catch it in step 1. In my case, it was an extra file, so I just blew it away.
3) Look through your posts, pages, comments, etc. In my case, one of the links on my blogroll had been compromised.
4) Upgrade your WordPress installation. As recommended in the WordPress documentation, I used the automated upgrade plugin which worked like a charm.
5) Follow the recommendations at http://www.noupe.com/how-tos/wordpress-security-tips-and-hacks.html and http://sitening.com/blog/2008/04/08/wordpress-security-vulnerabilities/.
6) If you are using a hand-rolled theme (as I was), make a copy of it somewhere so it is easier to restore if it ever gets hacked again.
7) Change your passwords, and make a promise to yourself to be good from now on (keep WP and other software updated to the latest version, use SFTP instead of FTP, etc).
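Steps 1 through 3 are the kind of sweep that is worth scripting so you can repeat it after the cleanup and again after every upgrade. The script below is an added example, not something from the original post: it greps a WordPress tree for the three things described above (base64_decode/eval obfuscation, CSS-hidden blocks, and PHP that redirects on a URL parameter such as ?aff=). The file names, the ?aff= parameter check, and the constructed sample site it builds for a self-test are assumptions for illustration; the regexes are deliberately broad, so treat every hit as something to read, not something to delete automatically.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install for
# the three symptoms described in the post. Every function prints matching
# file paths, one per line, so the output can be fed to a reviewer or a diff.

# Files containing the obfuscation helpers typically seen in injected PHP.
scan_for_obfuscation() {
  grep -RlE 'base64_decode|eval[[:space:]]*\(|gzinflate|str_rot13' "$1" 2>/dev/null | sort
}

# Files containing CSS that hides content (how the spam links were made invisible).
scan_for_hidden_links() {
  grep -RliE 'display[[:space:]]*:[[:space:]]*none|visibility[[:space:]]*:[[:space:]]*hidden' "$1" 2>/dev/null | sort
}

# Files that issue a Location header or read an "aff" parameter (the ?aff=1234
# redirect from step 2). The parameter name is an assumption for this example.
scan_for_redirects() {
  grep -RlE 'header[[:space:]]*\(.Location|\$_(GET|REQUEST)\[.aff' "$1" 2>/dev/null | sort
}

# Number of distinct files flagged by any of the three scans.
count_hits() {
  { scan_for_obfuscation "$1"; scan_for_hidden_links "$1"; scan_for_redirects "$1"; } \
    | sort -u | wc -l | tr -d ' '
}

# Print a labelled report for a site root.
audit() {
  echo "== obfuscated PHP =="; scan_for_obfuscation "$1"
  echo "== hidden CSS blocks =="; scan_for_hidden_links "$1"
  echo "== redirect code =="; scan_for_redirects "$1"
  echo "== total suspicious files: $(count_hits "$1")"
}

# Constructed sample site (not real data) with one clean file and three planted
# findings, so the script can be exercised without touching a live install.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/ThemeName"
  printf '<?php echo "clean"; ?>\n' > "$d/wp-content/themes/ThemeName/index.php"
  printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$d/wp-content/themes/ThemeName/footer.php"
  printf '<div style="display:none"><a href="http://example.invalid/">x</a></div>\n' > "$d/wp-content/themes/ThemeName/header.php"
  printf '<?php if (isset($_GET["aff"])) { header("Location: http://example.invalid/"); } ?>\n' > "$d/wp-aff.php"
  echo "$d"
}

# Usage: sh wp-audit.sh /path/to/wordpress-root
if [ $# -gt 0 ]; then
  audit "$1"
fi
```

Run it from outside the web root so the script itself is never served, and keep a copy of its output from a known-clean state (for example right after restoring the theme backup from step 6); a later diff against that baseline is a quick way to spot a reinfection before Google does.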