Someone contacted us today with a fun job. Their WordPress website had spam in it. Their feed had spam in it as well. It was linking to some site that sells, um, performance enhancers... 🙂
WordPress and WordPress feeds are commonly targeted for exploits. The attackers did not deface the site, and the owner only found out about it after seeing the site's exported feed post something to Facebook that he had never seen before.
Why did they do this? It is a form of black hat SEO. Building a large number of links to a site can help its performance, briefly, in the search engines.
The poorly written spam injection was causing other parts of the site to malfunction. The solution: hire us. We do not advertise it on our website yet, but since we work with WordPress we have run into this many times. WordPress is a target because it is so popular. People also set it up with poor security, outdated plugins, poor folder permissions, and many other problems, all of which are an invitation to the bad guys who scour the Internet looking for holes.
Sucuri SiteCheck is free and will instantly tell you if your site is infected. This particular website we were working on was infected with what Sucuri identified as MW:SPAM:SEO. Many sites on the Internet suggest that you can remove MW:SPAM:SEO just by looking around in the header.php or body.php for the links. This site did indeed have a compromised header.php, but how were the bad links getting into the feed? The database. The MySQL database had been compromised.
To repair this we needed to access phpMyAdmin, download the database, manually clean out all of the bad stuff, and import it back in through phpMyAdmin.
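As an added example (not the tooling used on this job), one way to triage the downloaded dump before the manual cleanup is to list every off-site link found in `INSERT` rows, grouped by host and table. The sample dump, the `wp_` table names, the allow-listed host and the hidden-style patterns are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample export; not data from the site in the post.
SAMPLE_DUMP = """\
INSERT INTO `wp_posts` VALUES (1,'Hello','<p>See <a href="https://example.org/about">about</a>.</p>');
INSERT INTO `wp_posts` VALUES (2,'News','<p>Hi</p><div style="display:none"><a href="http://pills.invalid/buy">x</a></div>');
INSERT INTO `wp_options` VALUES (9,'widget_text','<a href="http://pills.invalid/x">x</a>');
INSERT INTO `wp_comments` VALUES (3,'<a href="https://partner.example/">ok</a>');
"""

INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>[^`]+)`", re.I)
# Accepts both plain and backslash-escaped quotes around the URL.
HREF_RE = re.compile(r"""href=\\?["'](?P<url>https?://[^"'\\\s>]+)""", re.I)
# Assumed indicators of hidden link blocks; extend for the markup you find.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}", re.I)


def find_link_candidates(dump_text, allowed_hosts):
    """Return one finding per link to a host outside allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        m = INSERT_RE.match(line)
        if not m:
            continue
        hidden = bool(HIDDEN_RE.search(line))  # row-level flag, not per link
        for href in HREF_RE.finditer(line):
            host = (urlparse(href.group("url")).hostname or "").lower()
            if host in allowed or any(host.endswith("." + a) for a in allowed):
                continue
            findings.append({"line": lineno, "table": m.group("table"), "host": host, "hidden": hidden})
    return findings


def summarize(findings):
    """Group findings by host so recurring domains across tables stand out."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["host"], {"count": 0, "tables": set(), "hidden": False})
        entry["count"] += 1
        entry["tables"].add(f["table"])
        entry["hidden"] = entry["hidden"] or f["hidden"]
    return summary


if __name__ == "__main__":
    for host, info in sorted(summarize(find_link_candidates(SAMPLE_DUMP, {"example.org"})).items()):
        print(host, info["count"], sorted(info["tables"]), "hidden" if info["hidden"] else "visible")
```

The output is a review list, not a verdict: legitimate outbound links appear too, so each host still needs a human decision before rows are edited.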
After the site was spam-free, we updated anything that was out of date, removed some old plugins, secured the site, and made a fresh backup.