So one of my sites got hacked, how do I fix it?

An old WP site that I kind of forgot about, I just did a site: search for it in Google and all the results were talking about Cialis.

When I view the site it looks just fine, but if I do a view source there is some <!--start-add-div-content--> <p class ="nemonn"> bullshit in there and a bunch of Cialis links.

It doesn’t actually show up on the site, but it’s there in a view source, and obviously Google is seeing it since that’s all it shows in the SERPs now.

How should I fix this?

Is this my fault or my host’s fault?

edit – seems I’m not the only one:

I found the code was added into header.php.

Once I restore it to a non-hacked version, am I good to go? I updated to the current WP and current version of the 2 plugins I’m using.

I changed themes and deleted the old one.

I let the host know but haven’t heard back yet.

Also from a terminal, you should probably do some searches for ‘cialis’ ‘nemonn’ etc.

example:

grep -iR cialis .

-iR = case <i>nsensitive and <R>ecurse directories
i.e., above example searches current directory and all of its subdirectories for files containing the word ‘cialis’

Not sure how to do that. From what prompt do I type in that search?

If anything turns up, investigate it, then restore the unmodified version.

The only other thing that seems weird is my Sitemap plugin doesn’t seem to work correctly anymore. When I add new posts, it doesn’t immediately pick them up. I deleted it and reinstalled it and it generated a new sitemap with all my posts, but now when I add new posts again, it still won’t pick them up.

I don’t think that plugin is related to what happened, though, because I use that plugin on dozens of sites and it works fine on all the other ones, plus it’s one of those popular plugins that everyone uses. I just happened to notice that it’s not working correctly on the one site that was attacked.

Update WordPress often and all the shitty plugins more often lol

Serious. KISS as well, look at directories and see what has changed recently in plugins.

Had to rebuild from scratch one of my old sites too. Was testing a bunch of shit, had lots of plugins I was trying out, didn’t delete them all.

One of the common app level exploits is symlink issues. This may be the case if you feel WP is updated as well as themes/plugins.

The ability for symlink attacks should be rendered useless with a good config and checks. You may try to find ‘sym’ or sym/root.

Though with WP there is no telling. I try to stay with only a few personally. W3 Total Cache, Quantcast/Analytics, Sitemaps/Robots, and Hupso.

3.5.1 seems to have addressed some security issues that were affecting a good deal of people.

What I do:

Go through the logs, look at everything to see where the hole was..

– Have a Full backup.
– Delete Entire WP folder/server.
– Re-install WP.
– Upload WP theme/contents
– Restore database by reupping it.

… Full 100% restore in under 10 min (depending on DB size).

Even W3 Total Cache was vulnerable.. Heads up but look into this if you haven’t… Lots of sites getting hacked over it.
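
Added example, not written by anyone in this thread: the grep search, the "see what has changed recently" check and the look for 'sym' suggested above, combined into one shell script you run from the WordPress directory over SSH. The function names and the 7-day default are assumptions; the marker strings are the ones quoted in the first post.

```shell
#!/bin/sh
# Added example (constructed for this thread, not part of WordPress or any plugin).
# Markers come from the first post: 'cialis', 'nemonn', 'start-add-div-content'.
# Note: 'cialis' also matches harmless words such as "specialist",
# so open every hit and read it before deleting or restoring anything.

# find_injected DIR -> paths of text files containing any marker
find_injected() {
    # -r recurse, -I skip binary files, -i ignore case, -l print file names only
    grep -rIil -e 'cialis' -e 'nemonn' -e 'start-add-div-content' -- "$1" \
        2>/dev/null || true    # grep exits 1 on "no match"; that is not an error here
}

# recent_php DIR [DAYS] -> PHP files modified within the last DAYS days (default 7)
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" -print
}

# list_symlinks DIR -> symlinks, plus directories literally named 'sym'
list_symlinks() {
    find "$1" \( -type l -o -type d -name 'sym' \) -print
}

# scan_wp DIR [DAYS] -> prints a report; exit status 0 if no marker was found, 1 otherwise
scan_wp() {
    hits=$(find_injected "$1")
    echo "== files containing spam markers =="
    echo "${hits:-none}"
    echo "== PHP files modified in the last ${2:-7} days =="
    recent_php "$1" "${2:-7}"
    echo "== symlinks and 'sym' directories =="
    list_symlinks "$1"
    [ -z "$hits" ]
}

# Usage (the path is a placeholder for your own web root):
#   scan_wp /path/to/wordpress 14
```

A recently modified PHP file is only a lead: core, theme and plugin updates also change modification times, so compare each hit against a fresh copy of the same version.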