A 12-step program to send your out-of-control blog to rehab

If your blog has been hacked, your first indication is when it starts acting like it’s in the late stages of particularly noxious drug addiction. Your once mild-mannered blog is a now a nasty Hollywood tart, reeling around, blowing toxic breath in random stranger’s faces, accosting people in the street and making depraved sexual suggestions, showing up at high-society events and flashing its naughty bits, and letting complete strangers fondle its database and cram noxious javascript code into its secret places.


At this point, you can either choose to slaughter and revive your blog (i.e. delete everything and do a clean re-install), or roll up your sleeves and start hunting down the rogue bits of code that are turning your blog into Britney/Lindsay/Paris. No matter what, you should back up your WordPress blog by using the WP-DB-Backup plugin.

However, there is no guarantee that even if you go for the nuclear option, that the virus snippets won’t have wormed there way somewhere into your database, and will just pop up again (which is what they did to me – repeatedly) when you restore from the backup. This is why I reluctantly armed myself with some PHP manuals and started digging around in the guts of my blog.

If your blog has been infected for a while, it may have already affected your Google page rankings; in some of the links above, you’ll see that they started getting de-listed by Google because they looked to the bots like pr0n0 spammers. It can take quite a while to recover from that; the whole thing reminded me so much of the by-now ubiquitous Hollywood paradigm of getting clean & sober that I broke it down into a 12-step program.

Step 1: Realize that we have a problem; then admit that we are powerless over what our blog is doing, and that is has become unmanageable

The first notice I got that some of the WordPress blogs that I use (and administer for others) had been hacked was when this strange code started showing up in the permalinks.

Kinda strange, right? Looks at first glance like some little bug with the extended permalinks function...


Usually, when you choose long permalinks, that’s to give Google’s bots the chance to find & index your content correctly.  But no prob, I thought: just go on in to Edit Post mode, and delete the code and re-save it.

Curious. I saved it with the real permalink and it turned up with some strange gobbledygood at the end anyway. Wonder if that’s having any kind of effect on the blog. Better check it in Google Reader.

Step 2: Come to believe that we are going to have to take serious action to restore the blog to sanity

Holy Sh-Nikes! Where did this come from?

Man, you never want to see this associated with your blog. This is screaming sirens, flashing lights, all spelling out "VIRUS ALERT!"

If you don’t get a jolt of adrenaline at seeing something like this where your blog contents are supposed to be, you don’t understand the gravity of the situation. This kind of pharmaspam is absolutely deadly; it usually comes from Eastern European hackers, and it means that the infection is serious.

Step 3: Made a decision to appeal to the higher powers – Google (and the WordPress codex, as we understand it) to find the answers

One of the first things that I found was a long thread about how hackers register themselves as users.

Sure enough, look at the number of users. Also look at the number of admins.

Step 4: Made a searching and fearless inventory of the renegade users

I went through page after page, hoping that I would be able to figure out which were the responsible, decent users, and which ones were the identities of the various spambots that were using my blog like a passed-out sorority girl in Satan’s frat house.

A lot of them were easy to spot – they had the various names for the erectile dysfunction drugs as their “@blahblah” addresses.

5. Admitted to ourselves that we had been remiss in updating the blog

OK. I admit it. I was afraid to update the blogs because we’d installed some customized plugins, and I didn’t want to have to futz with them if they broke. Saved some real time, eh? Now I was spending hours going through my blog(s) trying to figure out what had happened.

As you can see, I started this whole process back when WordPress was still at revision 2.8.4.  Oh, the shame!

6. Became entirely ready to get rid of these freeloaders

Cry havoc! And set loose the delete function!

7. Ruthlessly removed the false admins

These were where the hackers put their admin identities. All the way down at Z, where I had to trudge through hours of checking and deleting the other users to get to them. While I was in here, the hackers were trying to get back in to add more users. It was a race to see who was faster...

I couldn’t believe that the hackers were trying to add more users to the pile, to slow me down. I managed to delete enough of them to get down to the Z’s, where their admin identities were hidden. And then I deleted those. Success!

…or so I thought.