WordPress hacked by Viagra Sellers?

Posted on Apr 16, 2010 in Blogging
WordPress hacked by Viagra Sellers? We were facing exactly the same problem: someone hacked us. At some point we were getting a lot of messages from friend saying: Since when are you selling Viagra? We were kind of confused as we did not see any Viagra messages.

What happened there?

The hackers were somehow able to alter our homepage. Suddenly everywhere Viagra appeared, not for the logged in users though, only for the admins.That’s also the reason why we did not see it, the hackers altered wordpress in a way that only logged in users saw the spammy advertisements.

Caused by the SuperCache Plugin

We checked for potential dangers and figured out that this was caused by the plugin WP-SuperCache. We had to set several folders to CHMOD 777 and it seems like the hackers were then able to modify the cached files in order to show their Viagra ads. Disabled that plugin immediately removed all the Viagra ads from the site.

Dangers of being hacked

Luckily we identified the problem quickly but this can have serious consequences for you and your brand.
  • You can lose valuable customers
  • You damage your brand due to Viagra appearing on your website
  • You can be deindexed by Google due to Viagra spam
We are still waiting for Google to fully respider our website in order to have all the original content reindexed. This will take some time.

Update: Malicious code identified

After moving our site to a new server I was able to identify the code causing this problem. In the general-template.php the attacker placed “require(ABSPATH.’../cgi-bin/secure’);”. I just commented that code and everything is back to normal :).Sorry for confusion we may have caused.