Dodgy links appeared on WP site

AHarvey · 29 Jun 2015 at 12:55

Hi all,

I've been checking backlinks and keywords on our work site and noticed about a week a go that MULBERRY BAG and other odd keywords have appeared on the site.

finally managed to find them at the bottom of the homepage:

http://www.viresourcing.co.uk/

Problem is, I have no idea how they got there or how to remove them, I've checked all the files from within wordpress but I can't see anything, and I don't have FTP/sql/server access

Any advice?

Gambisk · 29 Jun 2015 at 13:39

What theme are you using, I had similar issues with a free theme that injected random adds into the page.

On Holiday · 29 Jun 2015 at 13:41

AHarvey · 30 Jun 2015 at 15:42

Well I've turned on Wordfence and deleted a user account I didn't recognise and despite the scan failing the urls have disappeared but webmaster tools are showing a load of urls on the site that I can't find in pages or posts:

/?2016-jun-6084.html
/?2016-jun-2548.html
/?2016-jun-6098.html
/?2016-jun-198.html
/?2016-jun-155.html
/?2016-jun-5449.html
/?2016-jun-6541.html

Problem is with the current setup I have no access to the database, FTP or any backend systems outside of what I can access from within Wordpress.

Having run iThemes Security I've increased what security I can through there.

antijoke · 30 Jun 2015 at 21:50

What themes do you have on there?

AHarvey · 1 Jul 2015 at 10:10

It's just a custom theme they had made, no idea on the author.

It's causing issues with woocommerce though as it's not compatible

Confused · 1 Jul 2015 at 18:22

I had something similar - have a check in the header for any "includes" that aren't in your "safe" backup - I had a line that was including "logo.gif" - but when editing "logo.gif" it was actually full of PHP and JavaScript

Then, in the footer, I had a single extra line "wp_foots();" - which was what was then exercising this rogue PHP/JS.

Then, the usual recommendations and guides apply for securing your site after an exploit - change any administrative passwords, change FTP passwords, delete all the Wordpress files (excluding "wp-config.php" and the "wp-content" folder) and re-upload a fresh copy of all the files etc (basically, any steps suggested in any number of the "remove spam from Wordpress" guides you can find by Googling)

Beansprout · 1 Jul 2015 at 23:43

There will be a rogue file being included which is intercepting URLs and showing its own junk. Check all the wordpress files in the root folder (wp-config, wp-settings, wp-includes etc) for anything suspicious.

Then search for keywords like gzinflate, eval, base64_decode and look for big blocks of nasty-looking junk

All this is kinda difficult without access to the files tho but maybe a plugin like Wordfence will help, or any plugin which will let you edit files.