Over the past few days, I’ve been helping out someone with their blog because it had become compromised by some nasty injection code. This code was in his PHP files, in his content, and in his database. I have no idea how it happened except that his plugin and theme folders had a permission level of 777. On top of that, I discovered some malicious themes within the themes folder containing base64-encoded code which I believe contained the hidden spam links.
I told him to do a fresh install the first time around, which is what he did via Fantastico, only to have the problem resurface. Again, the themes and plugin folders had a permission level of 777, and I found out this was because of a plugin he had installed called One Click Updater.
Currently this plugin only uses direct file access to update and install plugins/themes, so you’ll need to make the “/wp-content/plugins/” and “/wp-content/themes/” folders writable by PHP for this to work.
Either he didn’t know WordPress had been able to do the same thing since version 2.7, or the core plugin upgrader didn’t work for him. In any case, I believe the permission level to be a source of the problem. As it turned out, his database was clean, but certain files located within rogue themes were injecting the encoded code into all of his content, which was visible only when checking the source code of the site. In the end, I finally exported his site via the WXR export feature, gave him a fresh install of WordPress, imported the WXR file and told him to stay 5 miles away from the One Click Update plugin or any plugin that needs folder permissions to be 777. Once his fresh site was online, all traces of the spam links were gone, meaning his database was clean, his WXR file was clean, and he was a happy camper.
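The two conditions described above, world-writable wp-content folders and theme files hiding base64-obfuscated PHP, are simple to check for from a shell. This is an added example, not code from the original post or from WordPress; the wp-content layout, the eval(base64_decode()) pattern and the sample files are my assumptions, built in a temporary directory so it runs offline.

```bash
#!/bin/sh
# Added example: audit a wp-content tree for the two conditions in the post
# (777 theme/plugin folders and base64-obfuscated PHP in rogue themes).

# Print every directory under $1 that is writable by "other" (e.g. mode 777).
find_world_writable() {
  find "$1" -type d -perm -o+w 2>/dev/null | sort
}

# Print PHP files under $1 where eval() is fed by base64_decode(), the
# obfuscation pattern commonly used to hide injected spam links in themes.
find_obfuscated_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval[[:space:]]*\([^;]*base64_decode' {} + 2>/dev/null | sort
}

# Build a constructed wp-content tree so the checks can be exercised offline.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/themes/clean" "$root/themes/rogue" "$root/plugins/one-click"
  chmod 755 "$root/themes/clean" "$root/themes/rogue" "$root/plugins/one-click"
  printf '<?php\nget_header(); the_content(); get_footer();\n' \
    > "$root/themes/clean/index.php"
  # Constructed rogue file: the payload decodes to a harmless echo statement;
  # only the eval(base64_decode(...)) shape matters for detection.
  printf '<?php\neval(base64_decode("ZWNobyAnY29uc3RydWN0ZWQgc2FtcGxlJzs="));\n' \
    > "$root/themes/rogue/functions.php"
  chmod 777 "$root/themes" "$root/plugins"   # the state One Click Updater required
  echo "$root"
}

# Usage: sh audit.sh /path/to/wp-content
if [ -n "$1" ]; then
  echo "World-writable directories:";            find_world_writable "$1"
  echo "PHP files with eval(base64_decode()):";  find_obfuscated_php "$1"
fi
```

Any directory listed by the first check should be tightened (755 for folders, 644 for files is the usual WordPress baseline), and any file listed by the second deserves a manual look before the site is considered clean.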
Now you might be wondering, why didn’t this guy do all of this himself? Well, he is in a unique situation where the only thing he owns is an N95 phone powered by S60. He maintains and writes content for his blog entirely through this phone. It’s his only connection to the digital world. So uploading files and doing other things that come easily on a desktop PC are not so easy when all you have is a handheld phone. I give this guy a lot of credit.
To bring this back full circle, I encourage you to read Chris Coyier’s experience where he explains how his notable site CSS-Tricks ended up with hidden spam links within the content of the site and how he was able to get rid of them.
I guess we should be checking the source code of our own sites more often?