At some point years ago (around the time of WP 2.8), I realized that one of my WordPress sites was infected with a case of “spamlinks”. Far offscreen (something like 9000 pixels to the left), was a list of links to various iffy neighborhoods of the internet.
Of course, I looked into the theme (files in the wordpress back office) I had at the time (not really sure that it was Hemingway, but that’s the theme I have now) and I saw nothing. I sleuthed around for a brief time and then forgot about it since it didn’t compromise the site and I didn’t care about what the search engines thought of me for it.
Over the years, I checked in on my spamlinks from time to time and found that they seemed to be changing and even absent at times.
I did some googling on the topic and came up with nothing.
So, I remembered it again today and this time I mean business. So, here we go. Here’s what we know:
- I can see them there in the developer tools of Firefox if I “inspect element”, but they are gone if I view page source.
- the secret seems to be that the links are hidden in the style files and the js fishes them out and puts them on-page.
And here are some things we could try:
- View all links on the page using a browser add-on
- check your server logs and ftp logs
- google “how to find spam links hidden on a page”
- backwards evals and base-64 code
May 20th update:
- We looked in 4 different browsers, and could only find evidence of the hack in 1
- Google says the site is not dangerous as of the last crawl
- Isithacked also provides a fairly detailed report saying it is fine (Actually, this site first showed that the site was fine, but now it says that Chrome and the GoogleBot are being shown different information. I don’t think this is a problem, it appears that googlePageSpeed is showing the favicon link differently.)