The bad guys have been busy this month!

Sev­eral of our clients had their Word­Press blogs hacked. A mal­ware Javascript was used to load bogus sites was injected into the page footers.

How can you tell if you have this prob­lem on your Word­Press site or blog?

This par­tic­u­lar script, is easy to spot from how your site reacts even though it is not vis­i­ble in the con­tent. When you visit your site [or blog], instead land­ing at the top of the page where you would expect to start, the script imme­di­ately takes you to the bot­tom of the page instead. If it does this, then there is a strong like­li­hood you have this mal­ware on your WordPress.

If you use Fire­fox for your web browser, you may get an ugly warn­ing page that your site has been reported as an attack site. Not fun. You will not be able to access your site at all… anywhere. This can make it harder get to rid of the prob­lem because you may not be able to access your site admin area. Internet Explorer did not block entry to the sites because of this particular malware.

What should you do if this has hap­pened to your WordPress?

If you can access your Word­Press admin area using your web browser, then it’s rel­a­tively easy to get rid of the mal­ware script. This par­tic­u­lar exploit only affects one file, named footer.php.

You can edit this by going to Appearance=>Themes=>Editor and open­ing this file in the edi­tor pane. The files are all listed to the right hand side of the pane.

Now you edit the footer.php file to remove the script. It will look like this screen­shot of the one we removed from sev­eral sites.

Screen­shot of mal­ware javascript

Select the entire script with your cur­sor being care­ful not to touch any­thing else. Delete it and save your changes. Your site is clean again.

WARNING: If you needed these instruc­tions, you are not some­one who should be doing this on your own and we so we wouldn’t nor­mally rec­om­mend you even attempt this your­self. But it’s sim­ple dele­tion so we thought we’d include it here. Even so, if there is any doubt in your mind about whether you should be doing this your­self, get help. If you don’t have a web per­son, con­tact us for help

If you are one of the unlucky ones who have been reported as an attack site, you will need to sub­mit your site to Google for it to be declared clean oth­er­wise vis­i­tors may not be able to access your site for some time.

It may be cleared with­out sub­mit­ting it but it will def­i­nitely take much longer. Post­ing right away and each day for a few days will alert the search engines to spi­der your site and find a clean, mal­ware free site.

Stay tuned for our next posts where we will dis­cuss how to sub­mit your site to Google Web­mas­ter tools for review and what you can do make your Word­Press more secure from this type of an attack.