New WordPress Hacking Strategy Using Cloaking to Target Google IP Addresses

Stay Protected

An ounce of prevention is worth a pound of cure.

If you want to prevent any of your WordPress blogs from getting hacked, keep your software up to date and follow other basic WordPress protection strategies, such as securing your admin folder, removing the WordPress version number from your theme’s header.php file, creating an index.html file in your plug-ins directory, and removing other common WordPress footprints like a “powered by WordPress” signature in the page footer.

Get an Early Warning

Another thing you can do to protect yourself is to get an early warning if/when your blog does get hacked. You can subscribe to a Google Alert for viagra OR cialis OR levitra, and so on…as Patrick explains on Blogstorm.

If one of your blogs gets hacked, fix the others before it is too late. Some plug-ins make it easy to update or re-install WordPress.

Stopping Comment Spam

Comment spam is not quite as bad as a full hack, but it is still annoying. There are a couple of good plug-ins that help prevent comment spam, including Akismet and Spam Karma.

Other easy suggestions on this front are to require a captcha and to force first-time comments to be moderated before appearing on the site.

Google IP Address Targeted Hacking + Cloaked Spam

One of my blogs was recently targeted by a blog hacker that inserted links into the site that could *only be viewed by GoogleBot*. You typically would not notice such a hack unless you subscribed to a Google Alert for your site, saw yourself ranking for some of the spam terms, and/or when your Google Search Traffic started to fall.

The issue with such a hack is that it is hard to know if you wiped it out, even if you update everything. When you use Firefox’s User Agent Switcher you still will not see the links because you are not surfing from one of GoogleBot’s IP addresses.

In fact, for this particular hack you can’t even see the links on Google’s cached version of a page unless you view the text cache version of the page.

Once you click the text-only cache link, tons of pharmacy links appear in the page footer. This screenshot was taken from a Texas Instruments blog post on security and safety.

Google currently has indexed over 20,000 pages with this particular hack.

How This Type of Hack Influences Google Traffic

Earlier this week one of my writers who loves blogging complained that search traffic was dropping slightly, and then after a few days of minor decay the search traffic was cut in half. Keep in mind this site gets much of its traffic from organic links.

Our Google traffic started to fall off slowly, and as more of the pages with spam in them got indexed the fall off became sharper. After a week or so traffic may be a small % of what it was…or if they just spam a couple pages the change in traffic may be so minor that you never notice it. The traffic decay rate depends on…

  • the crawl priority of your site (how frequently it gets crawled)
  • the number of pages you have on your site
  • how bad your site gets spammed (number of spammy links and pages, etc.)

You can see what portion of your site got hit by searching Google for “spammy footprint” and comparing that count to the total number of pages Google shows indexed for

How to Clean Up Your WordPress Blog

Regular updates are a plus, making it easy to revert to a prior version if needed. If you find yourself upgrading software after a hack, make sure your server is clean (save old files elsewhere) and install fresh. You probably want to change your database and WordPress passwords after upgrading, and if you are not sure where the hack was, you may also want to change your theme.

There are a lot of different ways people can hack into a WordPress blog. Some spam hunting ideas include…

Using SSH to look for recently modified files and/or weird new files that were added to your site. Some hackers may also add files to the root of your site, or above it hidden somewhere on your web server.

Some hacks may be via a WordPress plug-in. If you have inessential plug-ins installed, see if others have complained about them getting hacked, and see if you can remove them. I think some hackers that get into WordPress go so far as adding plug-ins that position spam throughout the blog.

If your database contains spam in it then you can run the following MySQL query (from Michael VanDeMar) to find many of the most common types of WordPress link hacks.

SELECT * FROM wp_posts WHERE post_content LIKE ‘%

If you can’t find any spam in your WordPress database, then…

  • look for files that have been added or modified
  • back up your files and database
  • disable plug-ins
  • delete all files (except for maybe your config file and .htaccess file – and verify those have not been edited as well)
  • update your blog to the newest version of WordPress
  • change your MySQL password and your WordPress password
  • install a new theme
  • download necessary plug-ins from their original sources if you want to keep using them
  • make sure you performed all the steps at the top of this article to try to keep your blog safe.
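
The file hunt described above (recently modified files, weird new files, and the first step of this checklist), as an added example that is not from the original post: three checks to run over SSH against a WordPress root. The script name, the 7-day default and the marker strings are assumptions; every hit is a lead to read by hand, not proof of a hack.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage a WordPress tree over SSH.
# The directory layout is stock WordPress; the marker list is an assumption.

# Files changed in the last N days (default 7): recent edits and new drops.
recent_files() {
    find "$1" -type f -mtime "-${2:-7}" -print | sort
}

# Executable PHP under uploads/, which should normally hold only media files.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -iname '*.php*' -print | sort
}

# Theme/plugin PHP that keys on crawler identity or unpacks an encoded payload.
# These strings also occur in legitimate code, so every hit is a lead to read.
cloaking_markers() {
    [ -d "$1/wp-content" ] || return 0
    grep -rliE --include='*.php' \
        'googlebot|REMOTE_ADDR|base64_decode|gzinflate|eval[[:space:]]*\(' \
        "$1/wp-content" | sort || true
}

# Run all three checks when called as: ./wp-triage.sh /path/to/wordpress [days]
if [ "$#" -gt 0 ]; then
    echo "== changed in last ${2:-7} days =="; recent_files "$1" "${2:-7}"
    echo "== PHP under uploads ==";            php_in_uploads "$1"
    echo "== cloaking/obfuscation markers =="; cloaking_markers "$1"
fi
```

Compare the "changed" list against the date of your last legitimate update; anything newer that you did not touch deserves a diff against a clean copy from the original source.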

If The Hacker Was Using IP Cloaking…

If the hacker was using IP cloaking you can’t be 100% certain that the spam is gone until Google tries to index new pages on your site and/or re-indexes old pages that were hacked.

You can find files that have been indexed in the last day or last week by using Google’s date based filters.

If you updated your blog a few hours ago, you can also do a regular search on Google and set the results to 100 per page to find any pages that have been re-indexed in the last few hours. Once the search results come up, you can search the results page for the phrase “hours ago”.

One note of caution is to check the actual page’s cache date at the top of the page. Sometimes when a cache is really new clicking on the link will show you the new page, but sometimes it will show you a cached page from a few days back. When you see a new cached page without the spam links hopefully your spam problems are almost over and your site is on the road to recovery, with rankings improving as Google caches more pages from your site.

Remember to set up a Google Alert for your site so you can track if any spam links magically re-appear.

Your Turn

I have only had a couple blogs hacked in my many years of blogging. Did I miss any obvious tips and/or wisdom you can add to the above post?



Admin / Webmaster for A+ Computer Professionals, and its website located at