Category: 
For the past couple of weeks, I had noticed that most of the Google ads appearing on the home page of my site were for credit card offers, credit repair services, credit-no-matter-how-much-your-credit-sucks offers, and so on … and I was puzzled about why ads of that type kept appearing. Since the ads are supposed to be contextual, it didn’t seem like any of my posts supported them — especially when I would look at other pages and the ads did seem to reflect my post content very accurately.
I was doing some general cleanup on the site on Friday evening, and ran the site through an RSS feed validator to see how it fared. That’s when I saw errors referencing hundreds of links that I didn’t recognize. It didn’t take me long to track the links to my WordPress header.php file, where I found this:
Click the picture to see it full-sized. It’s obvious to me now that Google was generating ads for my site based on this content. There were, in all, about 600 such links at the very end of header.php. I didn’t put them there, and I don’t know anything about the two sites you can see repeated throughout these links (nor did I try to find out). I removed the 600 lines of code from the header.php file, but on Saturday discovered that several hundred others had been added, referencing two different sites but similar content. In both cases, the blocks of code were surround by <font> tags that caused the text to be hidden.
If you want to see if this has happened to you, bring up your site and select View/Page Source if you’re using Firefox, or View/Source if you’re using Internet Explorer. In my case, the spam links always appeared at the end of the source listing, but you might want to page through the entire listing since I suppose they could appear anywhere.
After the second occurrence, I changed my WordPress admin password as well as my hosting login password. So far it hasn’t occurred again, but I can see that this is yet something I’ll have to keep an eye on. If I figure out how it actually happens, I’ll certainly share it here.
Leanne Wildermuth of Artist By Nature has written about the same thing, and it was from Leanne that I learned that the source of the problem was header.php:
For now, I’ve also removed most of the ads from my site, except those for Amazon.com. I may not put them back….
Comments
This entry was posted on Sunday, April 13th, 2008 at 1:22 pm and is filed under blogging. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
. I’m sorry to hear about plumbing problems at your house. I’m pretty sure that it is a quite distraction when you hope to be able to spend times on other interesting...
[...] Home and Personal Improvement…Stay tuned in your feedreader! 12 12 Comments Trackback | Permalink Filed under: Technicalities SHARETHIS.addEntry({ title: “Got Spam in YOUR Templates?”, url:”http://intricateart.com/blog/got-spam-in-your-templates/” }); Linky♥ Dale, YellowRose, Bob Walton, Tipper, Marcia, Renee, Sleeping Mommy, Taba, Lindsey, and All Adither! Similar topics (MSN Messenger) (How to Contact Google.) (Reci-Please!) (QOTD – Spam) 12 Comments on “Got Spam in YOUR Templates?” [...]
This has happened to my sites today. I’ve been struggling with it all day. I appreciate your article, it helps!
Hi, Beth.
Glad this article helped. Since I got it cleaned up and changed my password, I’ve been checking the code with View/Page Source or View/Source very day and so far, so good. If you find out anything more about how it happens, please let me know. I’ll do the same.
Thanks for coming by!
Dale
I am also being told that when upgrading – it is HIGHLY advised to completely delete everything but the wp-config file and upload the fresh upgrade to ensure any files that were hacked are gone and avoid future vulnerabilities. I have simple and detailed instructions on upgrading if you need them.
Hi, Leanne.
Please do pass along the upgrade instructions. I’ve hesitated to do it because there are some quirks with my web host (Yahoo!). They implemented WordPress by installing it for you, but then never upgraded it past version 2.0.2 (despite implying that they would). I’ve read of some users who’ve upgraded it successfully, but others who’ve had problems. Since I’m not a PHP or MySQL programmer, I don’t know if I could get out of trouble if something bad happened. And Yahoo! would probably not help.
But … I have been compiling info on upgrading because I will do it at some point, so your instructions will surely help.
Thanks,
Dale
Yikes! At least you were able to find it in your header file. I had someone hack in, and could never find the file it was in, but, it showed up at the end of the source code. Had to upgrade to 2.2 at the time to get rid of it, then deleted the entire WP backup file.
PS: that font thing is a helper. Good catch!
[...] Back in November of 2007, I mentioned that someone hacked my htaccess file, and did even worse stuff. Well, it seems that someone has done something similar to my good blog friend Beth at Blue Star Chronicles, as well as a few others, such as A Few Good Pens and Artist By Nature. [...]
I’m sorry to hear about your ‘hack’ problems, but even more pleased that you were able to solve the frustration.
Unfortunately, things like google, intenet explorer, word press, et al are high profile ‘hook’ targets simply because those things are so common.
Might I recommend ~not using googlag ad sense advertising? Amazon is a good start, but there are many other high quality, reliable ad networks. Try here for ten good choices. I chose ‘Chitika’, but it’s your preference. I was simply tired of being ‘evil’.
Thanks for the excellent list of ad sources … I’ll definitely check them out. Thinking that if I’m going to run ads here, I’d like to make different choices than the usual ones and see how it goes … your list will come in very handy.
Bye for now,
Dale
[...] I have surfed the net high and low for possible cause. Erm… actually I only surfed for 15 minutes before I can find several blogs, A Few Good Pens and Intricate Art who undergo the similar experience. [...]
Hi Dale,
I see you’re still waiting on that upgrade – here’s the link:
http://intricateart.com/blog/how-to-upgrade-wordpress/
It includes a link to a newer plugin that auto upgrades in just a few very simple steps.
Leanne, thanks. I upgraded both of my sites using the WPAU plugin last night, and but for a couple minor problems, it went extremely well. Thanks for the info and the support…..
Dale
Wow, this is pretty scary. I can understand how they could do this IF they had your WP password, but the question is, how did they get hold of it? Fortunately the attack was relatively benign in this case, in the sense they left your site running, but a more malicious hacker could have done a lot more damage!
PS: when leaving my comment, I was presented with 2 “subscribe to comments” checkboxes. Wasn’t sure which one to use, so I went for the first one. Now that the page has refreshed, the second one has been replaced by the “you are subscribed…” message, and I can still see the first one asking me to subscribe. Two conflicting plugins, perhaps?
Rod,
That’s a good question. The password I was using at the time wasn’t too complex, so I just assumed some password-cracking tool figured it out. However, I spoke with Yahoo! hosting support about it, too, and their take was that even without knowing my password, a cleverly written PHP script could have compromised the site. Their contention was that blog files just weren’t that secure, and it was a common occurrence. I wasn’t sure how much weight to give that; and to be on the safe side, I changed my password to something much more complex … and it never happened again. Lot’s of variables here, though, especially since I was only at WordPress 2.0.2 at the time. I’m sure I’ll never know exactly how it was done; but at least it hasn’t happened since.
WordPress and security can be a little confusing; what do you think of this, for example:
http://www.deepjiveinterests.com/2008/01/19/hows-your-wp-contentplugins-folder-doing-secure-are-you-sure/
Does it really matter if someone can see the contents of a directory like this? And even if it was “secured” by the method described in this post, anyone who knows the name of a plugin subfolder can still get to the subfolder, unless they’re set up the same way….
Bye for now,
Dale
Rod,
Thanks for letting me know about this; I didn’t realize it was happening. The first of the two subscribe checkboxes was provided by the Brian’s Threaded Comments plugin, and the second one by the Subscribe to Comments plugin. It took a while to figure out, because I had forgotten that “Brian’s threaded comments” required me to replace the comments.php file in my theme folder, so activating and deactivating comments-related plugins did all sorts of weird things. I’ve removed “Brian’s threaded comments” since comment threading is available with Better Comments Manager. Either checkbox subscribed you correctly, but it was odd to have two. Also, was glad to remove the modified comments.php and replace it with the original anyway, as, apparently, it’s easy to forget about the modification!
Regards,
Dale
No problem. That’s the downside of using plugins, I guess – they can interact in unforeseen ways.
I don’t really have a take on the security angle at this point – it’s not something I’ve looked into. There’s nothing like getting hacked to motivate you though! Just like losing all your files can be a good motivator for doing more regular backups. Perhaps I’ll put this on my “to-do” list.