As in most things…the guy who throws up WP blogs by the dozen is the last guy to check his own (the cobbler's kids have no shoes, et al).
Confession Time:
EricOnSearch is my blog. It also is my business site. My site disappeared from Google’s radar about a week ago. Still indexed, but did not rank. How do you know it is a penalty? Typically, it won’t even rank for search terms like ericonsearch …not many people going for that one! (grin)
While search engine traffic is not the be all and end all for my blog, (most people who come there come from a post I have written or a comment on another site), since search engine work is a big part of what I do, getting no Google love is not cool.
Time to Investigate:
What I found was that my site had been hacked. And neatly inserted into my footer file were about 300 links to meds, poker and porn! How do you find it? In your blog, you can go to either “presentation” or “design” and then click on “Theme Editor”, then look at BOTH the “header.php” and the “footer.php”. But there is a SIMPLER method. Here is a link to an “outbound link checker”. The reason that spammers spam is to get hidden links from your site to theirs. Go to this link checker, enter your URL into it and run it… (Note: Eric Bramlett is working on a NEAT little plugin that will monitor OBLs and let you know via email before it becomes a search engine issue.)
If you see a bunch of links to bad neighborhoods, then you have an immediate issue.
Even if you don’t have an immediate issue, you still need to take action.
One of the best posts that I have found with an actionable list of what to do for WordPress security is this one. I recommend taking the steps indicated here and following the needed links from this page to find more info. As it says in the comments, step #9 can cause some grief.
An easier way for those not quite so tech savvy is to install and run the WP-security scan plugin. It does not accomplish everything on the list, but it is a good start. There are plenty of helpful directions.
We can expect that WordPress is going to get hacked more and more due to its popularity. When so many bloggers use it and they rank well in the search engines, it is almost too much for the script kiddies to resist, not to mention blackhat spammers. How do we protect ourselves? Stay up to date. Stay protected.
If you need any assistance with beefing up your security or adding the plugin, I have limited time, but will be happy to assist where I can. Shoot me an email!
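The check described above can also be run locally against a page's "view source" output or a copy of footer.php. The sketch below is an added example, not the linked outbound link checker or any plugin mentioned in this post; `OutboundLinkAudit`, `audit`, the sample footer and the `.example` hosts are all constructed for illustration. It lists every link that leaves your own host and marks the ones sitting inside markup hidden with an inline style.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no closing tag

class OutboundLinkAudit(HTMLParser):
    """Collect links leaving site_host and note which sit in hidden markup."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # open elements as (tag, hides_its_content)
        self.findings = []   # (url, hidden) for every outbound link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only inline styles are checked; hiding via a CSS class is not caught.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hides = "display:none" in style or "visibility:hidden" in style
        if tag == "a":
            host = (urlparse(attrs.get("href") or "").hostname or "").lower()
            internal = host == self.site_host or host.endswith("." + self.site_host)
            if host and not internal:
                hidden = hides or any(h for _, h in self.stack)
                self.findings.append((attrs["href"], hidden))
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not leak.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html, site_host):
    """Return [(url, hidden), ...] for links pointing off site_host."""
    parser = OutboundLinkAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a footer with a legitimate credit link and injected spam.
SAMPLE_FOOTER = """<div id="footer">
  <p>Powered by <a href="http://wordpress.org/">WordPress</a>
  <a href="http://myblog.example/about/">About</a>
</div>
<div style="display: none">
  <a href="http://pills.example/">cheap meds</a>
  <a href="http://poker.example/play">poker</a>
</div>
<?php wp_footer(); ?>
</body></html>"""

if __name__ == "__main__":
    for url, hidden in audit(SAMPLE_FOOTER, "myblog.example"):
        print("HIDDEN " if hidden else "visible", url)
```

Any outbound link you do not recognize deserves a look, and one reported as hidden is almost never something you put there yourself.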
Greg Swann says:
Oh, bless you, Eric. This is great. Thanks for doing this.
June 22, 2008 — 6:57 am
Sean Giorgianni says:
Awesome post! Thanks for pointing us to the right tools, Eric. Question (and this is where my amazing mind of jell-o is revealed): how do I remove the links that the tool revealed to me? I found three.
June 22, 2008 — 7:42 am
Eric Blackwell says:
@Sean – Thanks.
In Theme editor select the file header.php or footer.php (and check the bottom of the frame to make sure it says “UPDATE”; otherwise, the file may not be editable).
The links are typically contained in the section that says <a href…… and ends with . If you delete that whole string, the link should be gone.
If you want to make sure you are OK, just shoot me an email with a copy/paste of the file and I will highlight the part to delete and send it back to you.
Best;
Eric
June 22, 2008 — 7:50 am
Eric Blackwell says:
sorry the greater than and less than got hashed out of the comments. just shoot me an email with it and I will show you. It is not a big deal and easy to do.
Happy to help.
Eric
June 22, 2008 — 7:52 am
Trace says:
Eric, what a bummer. Another way to check your own site is by using google and searching for “site:ericonsearch.com viagra” substituting the last word for what you are looking for…..
http://www.google.com/search?hl=en&q=site%3Aericonsearch.com+viagra&btnG=Search
A couple points that I think readers might find useful: 1) What was the root cause you found? Old version of WP? Bad Plugin? This is key information.
2) Although you say the site is still indexed, just not ranking, it is essentially delisted…. I would request google to reinclude it, I’m not seeing you rank yet…..
http://www.mattcutts.com/blog/reinclusion-request-howto/
June 22, 2008 — 11:23 am
Eric Bramlett says:
Eric –
Great post. JMO, but the wp-security scan plugin is pretty worthless. We’re working on a really sweet app that’s going to help out a ton with this problem – and thanks for the mention!
June 22, 2008 — 11:27 am
Ryan Ward says:
I was had with this too. However, not in my files, but, instead in a post. Whoever did it, used display:none for their links so the only way to find them was to “view source” and find the posts they inserted links into. Then, simply edit the post in html mode and you can see them to delete them
About 50 links.
June 22, 2008 — 6:59 pm
Eric Blackwell says:
@Trace- trust me. already did that. Reinclusion request was filed Saturday. For inlookers, do not be afraid of communication with Google. They are probably getting quite a few of these. They understand.
As for upgrading…gonna do that shortly. Been a long weekend full of business. I have quite a few of these to do.
Important note when communicating with Google. Make sure to include screenshots and all other needed details. They are experts. You need to be as well.
@Ryan – exactly. the display:none is a technique that hides the links so that they are not visible and is used in almost every one of these spam jobs.
@Bramlett – Thanks for using some of your resources to help others. As we both know, there are a lot of these hacking attempts going on right now and more to come.
June 22, 2008 — 7:43 pm
Eric Blackwell says:
One more point to go along with Trace’s well made ones… If you have to do a reinclusion request, be OK with the fact that it takes time.
The google dudes are not just sitting on their hands waiting at an 800 number for your request. They are busy and it often takes weeks, not days.
Again, am I worried about this in my case? No. I do not get that much traffic from them anyway. I figured it was the perfect site to use as a demo for others (although I hate making myself the example of what not to do-grin). For someone with a wordpress blog that runs their entire real estate website, it could be an economic hardship.
June 22, 2008 — 8:14 pm
Trace says:
Good deal. I figured you had already requested inclusion…….
One solution folks can look at is third party packages like: http://firewallscript.com/wordpressfirewall.htm if they don’t have a firewall they trust…..
June 22, 2008 — 8:43 pm
Sue says:
Eric, thanks for this info. Using the two methods, I don’t see anything. However, I am confused with Ryan’s post…does this mean I have to “view source” on each post?
June 22, 2008 — 9:16 pm
Ken in Chicago says:
Eric that sucks! Good thing that site doesn’t produce the income needed to keep food on the table. Make sure to do a follow up post about the re-inclusion request and the results. Would help a few people I am sure.
June 23, 2008 — 9:58 am
Eric Blackwell says:
@Sue- Yes, that would be a good thing to do…but if you are using 2.5.1, you ‘should’ be ok.
@Ken – Count on it. Sometimes the best things we can get out of our own mistakes is to serve as a warning sign to keep others safe. I’m cool with that.
June 23, 2008 — 10:11 am
Susan Zanzonico says:
Eric…I’m on 2.3.1, this is more risky?
June 23, 2008 — 11:54 am
Wayne Long says:
Thanks for the info Eric. It takes guts to openly admit issues. Glad you were able to find the problem. It will be interesting to see how quickly big G will re-include you. I would hope that it would be right away under these circumstances.
June 24, 2008 — 3:35 am
Eric Bramlett says:
Does anyone know if the links will show up in the outbound link checker when the links have the “display:none” or similar attributes?
June 24, 2008 — 11:08 am
Ryan Ward says:
Yes. That’s how I found them.
June 24, 2008 — 11:17 am
Morgan Carey says:
Glad to hear you got it figured out, when I got your email last week, I took a quick look, but had planned to come back and get more thorough – How goes the re-inclusion letter?
June 24, 2008 — 11:28 am
Eric Blackwell says:
@Bramlett – as ryan said, yep works like a charm.
@Morgan – hey man! Yeah, the reinclusion letter was sent last Saturday. So far no word, but I am sure they are going to get hit with more than one of these…
To date, I know personally of about 20 blogs with many more out there that were attacked…so I am sure there are going to be quite a few reinclusion requests.
Thanks again. Hope all is well in Nanaimo!
Eric
June 24, 2008 — 11:53 am
Eric Bramlett says:
@Susan
Yes.
June 24, 2008 — 11:56 am
Eric Blackwell says:
Sorry about not seeing your comment Susan…I was in a hurry! thanks Bramlett for the pick up.
Best;
Eric
June 24, 2008 — 12:41 pm
Susan Zanzonico says:
Ugh…I didn’t see anything on the outbound link checker, but I’ll look again. I’m guessing it’ll be obvious. My blog is hosted on REW, does that make a difference in any way…I am hoping a good way.
June 24, 2008 — 8:10 pm
Eric Bramlett says:
It doesn’t matter where you’re hosted. If it’s a WP blog, you’re vulnerable. WordPress has gotten so popular that hackers are targeting it.
June 25, 2008 — 2:33 pm
Susan Zanzonico says:
Thanks Erics…I’m upgraded. Since my blog is hosted on REW, do you know if I can freely pull in plug ins….activate or should I be careful about that..might there be compatibility issues. If you know..
July 1, 2008 — 4:04 pm
Eric Blackwell says:
I think you should be fine in doing the plugins. I have all my stuff hosted on my own servers, so I do it a bit differently.
I have found 2.5 to be pretty plugin tolerant. Typically, the problem is between the plugin and the theme and not with 2.3 vs 2.5. That having been said, put them in one at a time. If something goes wrong, simply deactivate the plugin. If something prevents you from logging in, go to the plugins folder and delete the plugin and you should be “back to good”.
Best;
Eric
July 1, 2008 — 4:12 pm
Eric Blackwell says:
BTW- Progress update…I was back up in Google about a week after the reinclusion request. This helps make my point that they do in fact understand the needs of webmasters and as much as possible will be helpful when you find yourself in a bind like this.
Communication with them is the key.
Best
Eric
July 1, 2008 — 4:15 pm
Susan Zanzonico says:
Eric, I’m glad to hear you’re back up with Google!
Regarding the plugins, thanks for the info. I did a couple “little” things and it seemed to go smooth. It seems much more user friendly. My question is if it won’t let me log in, can I “get to” the plugins folder? I’ve been doing all that stuff after I log in.
July 1, 2008 — 4:24 pm
Eric Blackwell says:
Thanks, me too!
That is above my pay grade (grin). I am not a customer of Morgan’s. I am just a friend and a moderator on his forum. Fire that question over there at REW and I am SURE someone will answer quick on the forum.
I would think there would still be a way to login, but I do not know. I use regular old FTP and go straight in and delete files…I am not sure how Morgan sets you guys up with that…
July 1, 2008 — 4:35 pm
Susan Zanzonico says:
>>Fire that question over there at REW and I am SURE someone will answer quick on the forum.
Yes, you’re right. Thanks and Happy 4th to you and all!
July 4, 2008 — 8:01 pm