WordPress Hacking Help
The WordPress Hidden Spam Link Hack (the same as the Joomla hidden link hack) uses negative positioning which pushes the spam links above the page content and cannot be viewed by the naked eye.
The hack is usually just after the opening body tag and looks as follows:
gia vang, seo, bao ve viet nam, bao ve viet nam, etc, etc.
The WordPress hidden spam link hack is wrapped in the div and h3 and can be found in the header.php file in your wp-content directory wp-content/themes/your-theme/header.php
The hack is easily identified by viewing the page code or viewing the cache or text version. Translate links next to the snippets in the search results are a sign of a hacked site and at times even display the spam in the snippet.
If not amended it will only be a matter of time before the algorithm nails you for hidden links resulting in your site been filtered from the search results. Google’s WebSpam Team could also take manual spam action and flag your site as been hacked and remove it from the search results.
The hacker targets all your sites hosted on the same account. The last hack I removed entailed 2 sites. The one site was Joomla, the other site was build with WordPress. Both sites were hacked using the same technique.
The hacker does not create new directories or files, they hack existing WordPress files, which in this instance is the header.php which echo’s the spam on all pages throughout your site. The first step is to update your existing platform and plug-ins which might remove the hack. If you using an updated version you would need to remove the obfuscated PHP code from wp-content/themes/your-theme/header.php
To identify which template you are using, right click and view your page code. Once identified navigate to your control panel (public_html) and open the “wp-content” directory, then click on “themes” and open it, then open “your-theme”. The header.php file resides inside “your-theme” folder. It is advised you download a copy (precautionary act) then remove the entire obfuscated PHP code from the opening div to closing div and save the file.
Then navigate to Webmaster Tools (if you don’t have an account open one using your Gmail account) and view the page with fetch as Googlebot to make sure the hack has been removed, then submit your index page to index (including all links) That will force a re-crawl resulting in Google amending the search snippets (it could, however, take a couple of hours to days to reflect)
Once you have removed the hack you need to change all your passwords (host login to your control panel, FTP password and platform password) and it is advised to run a security check on your computer.
Depending on the hacker would depend on the location of the infected file and method used. At times hackers create new files which makes it more difficult to locate and leave files on your server as doorways to re-hack the website. In this instance, the hacker uses the same technique and hacks the header.php file located in wp-content themes.
If the site has been flagged in the search results as hacked its best you also check Webmaster Tools for a malware warning. Google try to protect internet users and at times will flag hacked sites for malware due to the possibility of the hacker returning and injecting the site with malware.
If flagged for malware you need to file a malware review in Webmaster Tools.
Google also suggest you remove hacked sites/pages from the search results by using the removal tool (not via blocking robot.txt) while fixing the hack or malware issue, and only re-include the pages once the hack is fixed. This is to protect the innocent and to avoid users clicking on hacked or malware sites.