How I got around a WordPress code injection

A friend recently had her WordPress site hacked. Viewing the source code revealed a <div style="display: none;"></div> tag in the header, with a bunch of spammy links inside that div. I took a look at both the code and the database, but as I haven't had much experience in looking for injection (and the Google research I did was less helpful than it could have been) I didn't really find much. There might have been some sort of SQL injection somewhere, which inserted JavaScript such that it always displayed in those divs. The links would change on page refresh, and every once in a while there were no links, just that div tag, so my assumption is JavaScript.

As I mentioned, I never found a way to actually remove the script itself, since I couldn't find the script. But I did surgically remove the script from the template, as it were. Pretty basic, actually, once I narrowed things down a bit. I just went into the part of her template setup that was generating the page headers, and found wp_head in that code. Rather than having it print the entire thing, I exploded the output of wp_head, splitting it at the "<div" and "</div>" tags. There's no legitimate reason any plugin would stick div tags in a header, so it's unlikely there'd ever be more than that one set in there. Now, the template prints everything before the "<div" and after the "</div>", but nothing in between, thus removing that injected code from the front-end display of her site.
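Here is one way to do the same thing in a theme's header.php, as an added example that is not the post's own code: wp_head() is captured with PHP output buffering and every <div ...>...</div> block is stripped with preg_replace() instead of explode(), so it also handles more than one injected div. The function names are hypothetical.

```php
<?php
// Added example, not the original post's code. Captures the output of
// wp_head() and removes any <div ...>...</div> markup injected into <head>,
// which legitimate head output never contains. Function names are hypothetical.
// This is a display-level mitigation only: the injected code still lives
// somewhere in the install and must be found and removed separately.

function example_strip_injected_divs(string $head_html): string {
    // Non-greedy, case-insensitive, spans newlines; removes every div block,
    // not just the first one, unlike splitting at a single "<div" / "</div>".
    $clean = preg_replace('#<div\b[^>]*>.*?</div>#is', '', $head_html);
    // preg_replace() returns null on a regex error; keep the original markup
    // rather than emitting an empty <head>.
    return $clean === null ? $head_html : $clean;
}

function example_log_stripped(string $original, string $clean): void {
    // Record each cleanup in the PHP error log so the injection stays visible
    // to whoever is hunting for its source.
    if ($original !== $clean) {
        error_log(sprintf(
            '[example] stripped %d bytes of injected markup from wp_head output',
            strlen($original) - strlen($clean)
        ));
    }
}

// In header.php, replace the bare wp_head(); call with the following:
ob_start();
wp_head();
$head_output = ob_get_clean();
$filtered = example_strip_injected_divs($head_output);
example_log_stripped($head_output, $filtered);
echo $filtered;
```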

I also gave her some advice on how to make her WordPress install a bit more secure. Unfortunately, whatever that code is, it's still in her install somewhere. I'm crossing my fingers that all it's capable of doing is grabbing spammy links, so hopefully there won't be any more troubles with her site in the future.