A 12-step program to send your out-of-control blog to rehab
At this point, you can either choose to slaughter and revive your blog (i.e. delete everything and do a clean re-install), or roll up your sleeves and start hunting down the rogue bits of code that are turning your blog into Britney/Lindsay/Paris. No matter what, you should back up your WordPress blog by using the WP-DB-Backup plugin.
However, there is no guarantee, even if you go for the nuclear option, that the virus snippets won’t have wormed their way somewhere into your database, only to pop up again (which is what they did to me – repeatedly) when you restore from the backup. This is why I reluctantly armed myself with some PHP manuals and started digging around in the guts of my blog.
If your blog has been infected for a while, it may have already affected your Google page rankings; in some of the links above, you’ll see that they started getting de-listed by Google because they looked to the bots like pr0n0 spammers. It can take quite a while to recover from that; the whole thing reminded me so much of the by-now ubiquitous Hollywood paradigm of getting clean & sober that I broke it down into a 12-step program.
Step 1: Realize that we have a problem; then admit that we are powerless over what our blog is doing, and that it has become unmanageable
The first notice I got that some of the WordPress blogs that I use (and administer for others) had been hacked was when this strange code started showing up in the permalinks.
Usually, when you choose long permalinks, that’s to give Google’s bots the chance to find & index your content correctly. But no prob, I thought: just go on in to Edit Post mode, and delete the code and re-save it.
Curious. I saved it with the real permalink and it turned up with some strange gobbledygook at the end anyway. Wonder if that’s having any kind of effect on the blog. Better check it in Google Reader.
Step 2: Come to believe that we are going to have to take serious action to restore the blog to sanity
Holy Sh-Nikes! Where did this come from?
If you don’t get a jolt of adrenaline at seeing something like this where your blog contents are supposed to be, you don’t understand the gravity of the situation. This kind of pharmaspam is absolutely deadly; it usually comes from Eastern European hackers, and it means that the infection is serious.
Step 3: Made a decision to appeal to the higher powers – Google (and the WordPress codex, as we understand it) to find the answers
One of the first things that I found was a long thread about how hackers register themselves as users.
Step 4: Made a searching and fearless inventory of the renegade users
I went through page after page, hoping that I would be able to figure out which were the responsible, decent users, and which ones were the identities of the various spambots that were using my blog like a passed-out sorority girl in Satan’s frat house.
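The same inventory can be taken straight from the database instead of paging through the Users screen. The sketch below is an added example, not code from the original post: it assumes the default WordPress schema with the `wp_` table prefix, loads constructed sample rows into an in-memory SQLite database so it runs offline, and lists every account holding the administrator role that is not on a list of admins you know to be legitimate. The function names and the `known_admins` list are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows; table and column names follow the default
# WordPress schema (assumed "wp_" prefix). Roles are stored PHP-serialized.
USERS = [
    (1, "siteowner", "2006-03-01 10:00:00"),
    (2, "guestauthor", "2007-01-15 09:30:00"),
    (3, "zzx91k", "2008-05-02 03:14:00"),
    (4, "reader42", "2008-04-20 18:45:00"),
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
]
# Matches each role name that is switched on in the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def build_sample_db():
    """Create an in-memory stand-in for the two WordPress user tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
               "user_login TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, "
               "meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?,?,?)", USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", USERMETA)
    return db


def unexpected_admins(db, known_admins, prefix="wp_"):
    """Return (ID, login, registered) for admins not in known_admins."""
    if not re.fullmatch(r"\w+", prefix):  # prefix is interpolated into SQL
        raise ValueError("unexpected table prefix")
    rows = db.execute(
        f"SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.user_registered",
        (prefix + "capabilities",))
    return [(uid, login, registered)
            for uid, login, registered, caps in rows
            if "administrator" in ROLE_RE.findall(caps or "")
            and login not in known_admins]


if __name__ == "__main__":
    for row in unexpected_admins(build_sample_db(), {"siteowner"}):
        print(row)
```
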
Step 5: Admitted to ourselves that we had been remiss in updating the blog
OK. I admit it. I was afraid to update the blogs because we’d installed some customized plugins, and I didn’t want to have to futz with them if they broke. Saved some real time, eh? Now I was spending hours going through my blog(s) trying to figure out what had happened.
Step 6: Became entirely ready to get rid of these freeloaders
Step 7: Ruthlessly removed the false admins
I couldn’t believe that the hackers were trying to add more users to the pile, to slow me down. I managed to delete enough of them to get down to the Z’s, where their admin identities were hidden. And then I deleted those. Success!
…or so I thought.
CONTINUED IN PART 2…