How to Remove Hidden Spam Links from WordPress

by on 10/29/2009 in Security, WordPress

I recently published an article called “How to Check and Remove Malware from an Infected Website” that was intended to help self hosted WordPress blogs with this ongoing issue. Hackers are getting clever when it comes to advertising, but not in an ethical way. They’re injecting spam links in WordPress blogs in an attempt to get these links indexed in Google and other search engines.

The bad news, your blog could be penalized or excluded from Google’s index if you do not address this issue immediately.

How are hackers getting access to my blog?

In most cases, a hacker is using a brute force password discovery program to gain access to your FTP (File Transfer Protocol) or WordPress admin page. Once they gain access, they will add code in the WordPress core installation files, usually in the index.php file. The core installation files are not the theme files, but the actual installation files.

How to check for spam links in WordPress

If you’re using Firefox, go to View/Page Source. Check to see if there are any random links going to various sites that are usually related to drugs, gambling, porn, etc. These links are usually at the open <body> and/or closed </body> tags of the main index page.

How to Remove Spam Links

If you have a self hosted WordPress blog, upload the core installation files which will over-write the existing files that currently reside on your server. After the new files have been uploaded, check your source code on your index page and see if the malicious links are gone. If you’re using Firefox, go to View/Page Source.

You should also do the following:

  • Change your WordPress admin password (Use no less than 8 characters with at least one number, one uppercase character and a special character)
  • Change your FTP password
  • Check your .htaccess file/s for any malicious content and set the file permission (chmod) to read only
  • Protect the ‘wp-config.php’ file and ‘wp-admin/install.php’ file by adding this to your .htaccess file:
  • # PROTECT install.php
    Order Allow,Deny
    Deny from all
    Satisfy all

    # protect wpconfig.php
    <files wp-config.php>
    Order deny,allow
    deny from all

  • Download and install the Login LockDown plug-in

The Login LockDown is a WordPress Enhanced Login Security Plug-in. It records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

Have a question? Post a comment.

7 Responses to “How to Remove Hidden Spam Links from WordPress”

  1. HART (1-800-HART)

    Oct 29th, 2009

    actually, that’s a good question .. what should the Chmod permissions be on .htaccess?

    Before, you had to set it to chmod 777 and then do the permalink update and WP changed permissions. Does it still do that? I know i have added text/commands/ etc to my .htaccess files at times, then go in and do a permalink upgrade … Does that set it right again?

    • Frank J

      Oct 29th, 2009


      Set chmod to 644 for your .htaccess file.

  2. USB Fan

    Oct 29th, 2009

    If hackers will use some cloacking methods, can we see those links in page source?
    When i had this kind of problems i used a firefox plugin: User Agent Switcher. With this we can see a webpage as googlebot

    • Frank J

      Oct 30th, 2009

      User Agent is a great plugin. You should also try Firebug as well.

      • USB Fan

        Oct 30th, 2009

        Thx for tip. I’ll give it a try :)

  3. Thanks for the post. It just teaches us that we shouldn’t be complacent about our blogs. I like to ensure that my blogs are backed-up regularly so that if anything happens at least I can get the site back up and running again.

    • Frank J

      Nov 1st, 2009


      You are right! Blog owners with self hosted WordPress blogs need to keep a watchful eye on there files.