Did you ever notice a link on your WordPress website or blog that you didn’t put there yourself? Have you ever feared that your website or blog might have been hacked by some unknown hacker(s)? Can you share your experience here? I mean, how did you feel at that time? Last night I found a link just under the “Search Form” section of this blog. I didn’t put that link there, so I had no idea how it had appeared in that place! I was 100% sure my blog had been injected with some malicious code :(. I was angry and of course frightened last night. I never tried to hurt anyone with this blog, so why would anyone try to inject code into my blog? I work very hard on this blog, you know that, right? Anyway, in this post I am going to show you how I removed a spam-injected link from my WordPress blog.
Today I left all my tasks and sat down to fix this problem. First, I hovered over that link, right-clicked and chose “Inspect Element” to see the source code in my browser. I could clearly see that the link was rendered inside the searchform.php section, but it was not actually in that file! I logged in to my blog and checked the searchform.php file from the editor panel, but it was clean! No ugly hash code was there. Then I noticed there were several updates required (4 plugin and 4 theme updates). I had WordPress 4.0.1 installed and needed to update it to 4.1. I updated it from 4.0.1 to 4.1, then I deleted all browser cookies (history) and refreshed the blog, but the spam link was still there. I then deactivated all the plugins, again deleted all browser cookies and refreshed the home page, but unfortunately the spam link was still there. Then I started updating the plugins and activating them one by one. Each time I cleared my browser cookies and refreshed the page, hoping to see the link gone, but no luck! At that stage I got the picture: surely it was not a plugin or update issue.
So I started searching on Google to fix this issue. I found one blog post that was really helpful. Here is the link: How To Scan Your WordPress Website For Hidden Malware
After reading that post I scanned my blog here: http://sitecheck.sucuri.net/ but it didn’t show anything suspicious on my blog. Hackers are very intelligent (I have respect for white-hat hackers); free site checkup tools sometimes fail to spot malicious code.
As I didn’t get anything fruitful, I installed the “Theme Authenticity Checker (TAC)” plugin (this plugin can scan all of your theme files for potentially malicious or unwanted code). With the help of the TAC tool, I got a trace of a file called “timthumb.php” containing base64 code (while I was searching on Google, I had read many articles and came to know about base64 code). I removed that file using FileZilla.
With great hope, I again deleted all my browser cookies and refreshed the page, but that ugly link was still there! I was shocked and had no idea what to do next. Other files were definitely affected as well. So I installed another WordPress plugin called “WP Antivirus Site Protection” and scanned my blog. This plugin scanned my whole site and, like “SUCURI”, it didn’t find anything suspicious.
But it showed a message:
Please note: Hackers can inject malware codes inside of the normal files. If you delete these files, website can stop to work or will be not stable. We advice to send request to SiteGuarding.com for file review and analyze.
So I contacted SiteGuarding.com and they asked me to upgrade. After the upgrade they would manually search my files and clean up all injected files/code. I forgot to mention one thing earlier: I had contacted the Sucuri.net support team as well to check my blog and fix the issues, but they replied the same thing as SiteGuarding.com.
Both SiteGuarding.com and Sucuri.net are very reputable, and millions of users around the world use their services to protect their websites, blogs and forums from hacking, brute-force or DDoS attacks, but I just didn’t want to make an instant decision. Moreover, I wanted to fix this thing on my own! I wanted to learn something new! Hopefully I will choose one of them for my blogs and websites in the future, but not today (to be honest, I don’t have the budget to upgrade now!).
Though SiteGuarding didn’t give me exact information about which files contained malicious code, I got an idea of which files I needed to check manually.
Fortunately, I had a backup copy of my server files (I took a full backup several weeks ago; in the meantime I had uploaded several new blog posts, and I didn’t want to restore the old backup and redo those posts. Moreover, I wanted to solve this problem). I downloaded the current files into a new folder. I then installed the WinMerge software on my laptop. WinMerge is an open source software from sourceforge.net. It is basically a differencing and merging tool for Windows, able to do comparisons visually, and it makes it easy to merge documents.
After installing WinMerge, I started comparing my newly downloaded files with the old ones. Please note, I had updated my plugins and themes that morning, so some changes were expected. I compared the old files with the new files but didn’t see any suspicious code.
As I was unable to find the malicious code, I installed yet another WordPress security plugin called “Antivirus”. Antivirus is a free plugin which can scan your website theme files every day for malicious code or spam. Like the other security plugins, Antivirus didn’t find anything suspicious on my blog!
I then started checking my template files manually from Admin Dashboard -> Appearance -> Editor panel. I was searching for that suspicious link, and when I opened the functions.php file I got the ANSWER! Please note, I didn’t see the spam link (the one I was searching for in each file under the Editor panel), but I saw base64-type code. As I had a previous backup copy of the functions.php file, I compared my old functions.php with the new one and found my guess was right! Moreover, I saw two new files in the editor panel (League_Gothic-webfont_new.php and prettyphoto_indesit.php), and surprisingly these two files were not showing in FileZilla (I closed FileZilla and logged in again to recheck, and I reconnected several times). These two files were actually hidden in the Font folder and the CSS folder, which I traced from the Editor panel. As far as I know, the Font folder and CSS folder should not contain any .php or .html files. So I removed those two files from the Font folder and CSS folder.
After that I uploaded the old functions.php file and refreshed the page with a lot of hope. Finally that link was gone! I was feeling very happy and lucky at that stage. My hours of research had paid off. After seeing that the link was gone, I immediately changed my WordPress Admin as well as my FTP password. I thought I’d share this experience with you guys. Hopefully this post will help many people facing a similar problem. However, it’s not the end. I might face the same trouble in the future (I truly wish not), and I can take a look at this post to get help.
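The three manual checks that finally worked in this story (comparing the live theme against a known-good backup, looking for base64/eval-style obfuscation in PHP, and spotting .php files hiding in the Font and CSS folders) can be automated. The script below is an added example, not code from the original post or from any of the plugins mentioned; the theme and backup directories it scans are constructed sample data with a harmless stand-in for the obfuscated string, and the pattern list is an assumption about what commonly marks injected PHP.

```python
"""Triage a WordPress theme directory for injected code.

Added example (not from the original post). It automates three checks:
  1. .php/.html files sitting in asset folders (font/, css/, images/ ...)
  2. files that are new or differ from a known-good backup (by SHA-256)
  3. PHP/HTML files containing base64_decode/eval-style obfuscation
"""
import hashlib
import os
import re
import tempfile

# Function names commonly used to hide injected PHP (assumed pattern list).
SUSPICIOUS_CODE = re.compile(
    r"base64_decode\s*\(|eval\s*\(|gzinflate\s*\(|str_rot13\s*\(", re.IGNORECASE
)
# A very long run of base64-alphabet characters is itself a signal.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# Folders that should hold only static assets, never server-side code.
ASSET_DIRS = {"font", "fonts", "css", "images", "img", "js"}
CODE_EXTENSIONS = {".php", ".phtml", ".html"}


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def relative_files(root):
    """Map 'relative/path' (forward slashes) -> absolute path under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return out


def scan_theme(live_dir, backup_dir):
    """Return a sorted list of (relative_path, reason) findings."""
    live, backup = relative_files(live_dir), relative_files(backup_dir)
    findings = []
    for rel, full in live.items():
        folders = rel.split("/")[:-1]
        ext = os.path.splitext(rel)[1].lower()
        if ext in CODE_EXTENSIONS and any(f.lower() in ASSET_DIRS for f in folders):
            findings.append((rel, "code file inside asset directory"))
        if rel not in backup:
            findings.append((rel, "not present in backup"))
        elif sha256_of(full) != sha256_of(backup[rel]):
            findings.append((rel, "differs from backup"))
        if ext in CODE_EXTENSIONS:
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if SUSPICIOUS_CODE.search(text) or LONG_BASE64.search(text):
                findings.append((rel, "obfuscated code (base64/eval)"))
    return sorted(findings)


def build_sample():
    """Write a constructed live theme and its clean backup to temp dirs."""
    live = tempfile.mkdtemp(prefix="theme_live_")
    backup = tempfile.mkdtemp(prefix="theme_backup_")
    clean_functions = "<?php\nadd_theme_support('post-thumbnails');\n"
    # Constructed, inert stand-in for an injected loader: 'QUJD' decodes to 'ABC'.
    injected_functions = clean_functions + "eval(base64_decode('" + "QUJD" * 40 + "'));\n"
    trees = {
        live: {
            "functions.php": injected_functions,
            "searchform.php": "<?php get_search_form(); ?>\n",
            "css/style.css": "body { margin: 0; }\n",
            "css/prettyphoto_indesit.php": "<?php echo 'x'; ?>\n",
            "font/League_Gothic-webfont_new.php": "<?php echo 'x'; ?>\n",
        },
        backup: {
            "functions.php": clean_functions,
            "searchform.php": "<?php get_search_form(); ?>\n",
            "css/style.css": "body { margin: 0; }\n",
        },
    }
    for root, files in trees.items():
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
    return live, backup


if __name__ == "__main__":
    live_dir, backup_dir = build_sample()
    for rel_path, reason in scan_theme(live_dir, backup_dir):
        print(f"{reason:35s} {rel_path}")
```

Point `scan_theme` at a freshly downloaded copy of your theme and the backup you took before the trouble started. Expect some noise after plugin or theme updates (legitimately changed files show up as "differs from backup"), which is exactly why the backup comparison is paired with the obfuscation and asset-folder checks: a file that trips two of the three is the one to open first, and nothing should be deleted on the strength of a single hit.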
Lastly, I want to say that I am neither a coder nor a specialist in tracking suspicious code. I think I was a bit lucky to fix this. I didn’t delete any files unnecessarily and I took every step very carefully. I want to suggest that you please don’t blindly follow my steps, and don’t delete any files without in-depth checking, because if you do so your website might stop working or become unstable. The choice is totally yours. To save your time and remain stress-free, you can take a service from Sucuri.net or SiteGuarding.com. Like I said before, I wanted to solve this problem on my own and had some budget issues, so I left all my ongoing tasks and put my effort into solving this, but surely I will take a Website Firewall from Sucuri.net or SiteGuarding.com in the future.