Wordpress Pharma Hack

Someone kindly emailed me to point out that my writing site had been hacked. Links for Cialis were now appearing scattered throughout the text.

A quick Google search revealed that this was a common hack, and was probably the result of some rogue code embedded in a file after a brute force attack. I ran a site security check (there are many free services if you search for them) which suggested that the problem was located in wp-config.php. I could have paid for a clear up, but taking a look at the file in question it was clear the code wasn't exactly trying to conceal itself. Once snipped out, my site's performance improved immediately.

... or so I thought.

A few days later, the adverts reappeared. This is a clever hack - snip out the code and it regenerates itself.

There are various flavours of the Pharma Hack, (a search for Wordpress Pharma Hack will give you all the details you need and more) the one that hit me had added an innocent looking file: /wp-includes/init.php

I only discovered this after I'd deleted all my themes and plugins and installed fresh versions of wp-admin and wp-includes. When I restarted the site, the following message appeared at the top of the page:

include_once(.../public_html//wp-includes/init.php) [function.include-once]: failed to open stream: No such file or directory in .../public_html/wp-config.php on line 93  

Checking line 93 of wp-config showed the offending line (I've surrounded it with **s):

** include_once(ABSPATH . '/wp-includes/init.php'); ** 
require_once(ABSPATH . 'wp-settings.php');//Disable File Edits  
define('DISALLOW_FILE_EDIT', true);  

I removed the line, reset my passwords, including the database passwords, reinstalled my plugins and (hopefully) that's it.

I should have noticed this sooner, of course, but I've not been blogging recently as I've been concentrating on finishing my next novel.

Even so, I must hold my hands up and admit that I've not given my sites the attention they deserve. I've installed some security software following a quick search for Wordpress security plugins on Google, I'll take some time to monitor what's going on in future.