This morning I made the startling discovery that an important WordPress site belonging to one of our clients had been hacked.
A Little History
If you’ve heard me speak in the last 5 years, you know that I’m a huge believer in the power of content marketing. We regularly recommend and teach business blogging basics to our clients. We have no desire to turn them into bloggers per se, but we’ve trained them that producing fresh, high quality content is a fantastic way to achieve visibility online and even provide fodder for social media outlets like Facebook & Twitter.
So… one of our clients who hired us to build out their WordPress site and for whom we’ve provided a fair amount of training and coaching for some time now began to experience a decline in search engine rankings. In their case, WordPress is installed on a separate domain from their main website. Their main website was historically not performing well from a search engine point of view (although it was great from virtually every other perspective when it was built), so WordPress was being used as a way to help prop up the main site. And it worked. Really, really well.
Imagine my surprise, then, when this particular site began to drop in the rankings for no apparent reason. Nothing had changed that we could tell. We did a little research and paid attention to what the competitors were doing and could see nothing significant enough to account for the change. It was very much an anomaly, because all of our other clients who were doing what we trained them to do were doing just fine.
So today, quite by accident, we found the culprit.
The WPRef Plugin
We were reviewing a piece of content before it got published when we discovered that a couple of the links had a rel=”nofollow” attribute. The content writer who was working on it had no knowledge of how to manually create that type of link (we certainly don’t train people to do that… especially for links that are created intentionally for search engine purposes!), so we knew something was up.
I inquired a little further to find out where the link had come from, and the answer was, “I copied it from another post.”
Hmmmm…. well… I assumed at first that something had crept its way into an earlier post and perhaps it had been duplicated a couple of times. I wasn’t looking forward to hunting down the original link. As I heard someone say recently, it’s like looking for a needle in a needlestack! But then I noticed that there was more than one link acting that way. So… I used the WordPress “preview” function to take a look at how the new post would look, and decided to “view source code” to see if the changes I’d made were taking effect.
That’s when I noticed this:
Every link within the content had been modified with a and a rel=”nofollow” sitewide.
That would be a problem. The site’s been running for a while and there was a significant amount of content.
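The "view source" check described above can be automated. This is an added example, not part of the original post: it parses rendered post HTML and reports how many outbound links carry rel="nofollow". The host blog.example.com, the sample markup and the 90% threshold are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of rendered post HTML; blog.example.com is an assumed site host.
SAMPLE_TAMPERED = """<div class="entry-content">
<a href="https://partner.example.org/a" rel="nofollow">one</a>
<a href="http://vendor.example.net/b" rel="external nofollow">two</a>
<a href="https://news.example.com/c" rel="nofollow">three</a>
<a href="/about/">relative internal link</a>
<a href="https://blog.example.com/contact/">absolute internal link</a>
</div>"""
SAMPLE_CLEAN = SAMPLE_TAMPERED.replace(' rel="nofollow"', "").replace(
    ' rel="external nofollow"', "")

class LinkCollector(HTMLParser):
    """Collect (href, rel tokens) for every <a> element that has an href."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        if attr.get("href"):
            # rel is a space-separated token list; a bare attribute parses as None
            rel = set((attr.get("rel") or "").lower().split())
            self.links.append((attr["href"], rel))

def audit_nofollow(html, site_host):
    """Return (outbound link count, outbound nofollow count, flagged hrefs)."""
    collector = LinkCollector()
    collector.feed(html)
    outbound = []
    for href, rel in collector.links:
        host = urlparse(href).hostname  # None for relative links
        if host and host.lower() != site_host.lower():
            outbound.append((href, rel))
    flagged = [href for href, rel in outbound if "nofollow" in rel]
    return len(outbound), len(flagged), flagged

def looks_rewritten(html, site_host, threshold=0.9, min_links=3):
    """True when nearly every outbound link on the page is nofollow."""
    total, nofollow, _ = audit_nofollow(html, site_host)
    return total >= min_links and nofollow / total >= threshold
```

Run against several posts, a page where every outbound link is flagged points to a sitewide rewrite rather than to one link copied between posts.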
Digging a little deeper, I found that a plugin had been installed and given the name “WPRef.”
We had backed up and upgraded the site to the latest version of WordPress on February 3rd. So… we checked our backup and found that the plugin was not contained in it. On the server, we found (via FTP) that a file called “wpref.php” had been copied to the /wp-content/plugins folder on February 10th.
Not only had the plugin been placed in that folder, it had been activated.
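The backup comparison described above, as an added example that is not code from the original post: it hashes every file in a known-good copy of the plugins folder and in the live copy, then lists files that exist only on the live side and were written after the backup was taken. The directory layout, the "known-plugin" entry, the placeholder file contents and the seven-day gap are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time

def manifest(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff_plugins(backup_root, live_root):
    """Return (added, changed): files new on the live side, files whose hash differs."""
    old, new = manifest(backup_root), manifest(live_root)
    added = sorted(p for p in new if p not in old)
    changed = sorted(p for p in new if p in old and new[p] != old[p])
    return added, changed

def written_after(live_root, paths, backup_ts):
    """Keep the paths whose modification time is later than the backup timestamp."""
    return [p for p in paths
            if os.path.getmtime(os.path.join(live_root, p)) > backup_ts]

def demo():
    """Build constructed backup/live plugin trees (not real site data) and diff them."""
    base = tempfile.mkdtemp()
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    for root in (backup, live):
        os.makedirs(os.path.join(root, "known-plugin"))
        with open(os.path.join(root, "known-plugin", "known-plugin.php"), "w") as fh:
            fh.write("<?php /* Plugin Name: Known Plugin */\n")
    # The unexpected file: present on the live side only, written "now".
    with open(os.path.join(live, "wpref.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder, not the real file */\n")
    backup_ts = time.time() - 7 * 86400  # backup assumed taken seven days earlier
    added, changed = diff_plugins(backup, live)
    return added, changed, written_after(live, added, backup_ts)
```

File modification times can be reset by whoever wrote the file, so treat the "added" and "changed" lists as the primary signal and the timestamp as supporting evidence.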
Checking a little deeper, we discovered that the plugin’s only function was to add a tag and a “nofollow” attribute to every outbound link in the site’s content.
This amounts to a very specific, malicious attack. The only purpose of it can be to cause Google (and other search engines too) to ignore the site’s links.
Needless to say, I was infuriated. We’ve taken steps to harden that particular site. All my searching and other efforts to find evidence that others have encountered a hack like this have turned up nothing. It appears that (at least for now) this is a one-off, one-shot hack job. It’s hard not to believe that this site was specifically targeted on purpose.
The amusing thing was that the plugin added an options panel into the “Settings” menu. Within that, it output a bunch of gibberish, including some Russian domain names. In the “Active Plugins” area, it purported to have “code.google.com” as its “plugin site” and its author was listed as, “Sergei Brin.” I was so distracted by the infuriation and frustration of the whole thing that I failed to recognize that it wasn’t just a Russian-sounding name to match the other Russian references… it’s the (botched) name of the famous Google co-founder.
Humorous.
So… we’ve saved a copy of this little piece of php code. Obviously, we’ve removed it from the site in question and have tested the site out. Our links are back to normal now. Presumably, this client’s search engine rankings will return back to their prior positioning. Actually, since the rankings were declining, we’ve stepped up the game for this client with some additional efforts and so the rankings should actually move higher than ever. So… if this was, in fact, a malicious attack which singled out this particular business… the plan has backfired.
Thanks. Whoever you are.