WP Hemingway Theme Spamlink Hack

At some point years ago (around the time of WP 2.8), I realized that one of my WordPress sites was infected with a case of “spamlinks”. Far offscreen (something like 9000 pixels to the left), was a list of links to various iffy neighborhoods of the internet.

Of course, I looked into the theme (files in the wordpress back office) I had at the time (not really sure that it was Hemingway, but that’s the theme I have now) and I saw nothing. I sleuthed around for a brief time and then forgot about it since it didn’t compromise the site and I didn’t care about what the search engines thought of me for it.

Over the years, I checked in on my spamlinks from time to time and found that they seemed to be changing and even absent at times.

I did some googling on the topic and came up with nothing.

So, I remembered it again today and this time I mean business. So, here we go. Here’s what we know:

  • ¬†two very large style files and a short, innocuous-looking (with no links) javascript file magically appear, under certain circumstances, at the very top of the document (at the top of the <head>).
    • I can see them there in the developer tools of Firefox if I “inspect element”, but they are gone if I view page source.
  • the secret seems to be that the links are hidden in the style files and the js fishes them out and puts them on-page.

And here are some things we could try:


May 20th update:

We haven’t figured out where the css and javascript is coming from. However, we’re going to stop working on it because of these things:

Leave a Reply