A few days ago, we became aware of an issue with a WordPress website that we manage, where a spam blog post appeared on their blog overnight. The topic of this post was “The Ultimate Guide to Online Dating” and it linked to a gay dating app called Hornet.
A bit of research showed that several websites had the exact same posts injected, which you can see a summary of on Google if you look through the SERPs. A browse through the first 5 pages on Google shows vast volumes of websites that have been affected, and there are a staggering 519,000 results showing up for this search.
What seems to be happening here is that a spam bot is injecting the post onto websites via SQL database injections, which are troublesome as they are not logged anywhere and there isn’t a way to trace them back. The odd thing we’re also seeing, through some research into other affected sites, is that there doesn’t seem to be anything in common, such as themes, plugins or hosting. You usually find with this type of attack that it is linked to a corrupt theme or plugin, but not in this case.
This particular injection seems to be pretty new, and so it’s most likely a WordPress vulnerability that hasn’t been pinpointed or patched yet, as there isn’t much public information about it at the moment. We’re monitoring the situation closely!
The good news is that the posts don’t appear to be coming back once deleted. What’s alarming is that there are a number of sites out there that have this content on their blogs and have yet to become aware of it.
Luckily for our client, we caught this early (before they even noticed it) and managed to take immediate action, as we actively monitor their website and scan for anything malicious.
What to do when your WordPress site has been attacked
In a case such as this, the first step is to ensure you have the tools in place to become aware of the problem. Clearly, there are high volumes of websites out there that are not being proactively managed or monitored. WordPress gets a bad reputation for its security; however, we find the issue mainly comes down to bad maintenance, where sites do not have appropriate monitoring and updates.
The second step is to troubleshoot the issue – look into your logs; what’s changed, how has this got here? Try to find the anomaly that could have caused the issue.
The next step you’ll need to take is to remedy the problem. In this case, it’s fairly simple as the posts can just be deleted. How you respond to other issues in the future will depend on the type of hack.
Finally, as the old saying goes: prevention is better than the cure. It’s recommended that you make sure your WordPress site is protected as much as possible from these types of attacks. There are a number of companies out there who can help to keep your website safe and up to date, to minimise your chances of attack.
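A baseline check for the first two steps above (knowing that a post has appeared, and seeing what changed), as an added example that is not part of the original post. It assumes the default `wp_` table prefix and uses an in-memory sqlite3 database in place of the site's MySQL database; the sample rows, dates and the author id of 0 are constructed.

```python
import sqlite3

# Title of the injected post as reported on this page.
KNOWN_SPAM_TITLES = {"the ultimate guide to online dating"}

def snapshot(conn):
    """Return {post_id: (title, author_id, post_date)} for published posts."""
    rows = conn.execute(
        "SELECT ID, post_title, post_author, post_date FROM wp_posts "
        "WHERE post_type = 'post' AND post_status = 'publish'"
    )
    return {r[0]: (r[1], r[2], r[3]) for r in rows}

def audit(baseline, current, known_authors):
    """Flag published posts absent from the baseline, with reasons."""
    findings = []
    for post_id in sorted(current.keys() - baseline.keys()):
        title, author, date = current[post_id]
        reasons = ["new since baseline"]
        if title.strip().lower() in KNOWN_SPAM_TITLES:
            reasons.append("title matches known spam post")
        if author not in known_authors:
            reasons.append("author id not in wp_users")
        findings.append((post_id, title, date, reasons))
    return findings

def demo():
    # Constructed sample data; sqlite3 stands in for the site's MySQL database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
            post_date TEXT, post_title TEXT, post_status TEXT, post_type TEXT);
        INSERT INTO wp_users VALUES (1, 'editor');
        INSERT INTO wp_posts VALUES
            (10, 1, '2024-01-05 09:30:00', 'Spring opening hours', 'publish', 'post'),
            (11, 1, '2024-01-09 14:00:00', 'Unfinished draft', 'draft', 'post');
    """)
    baseline = snapshot(conn)  # taken while the site is known to be clean
    conn.executescript("""
        INSERT INTO wp_posts VALUES
            (12, 1, '2024-01-12 10:00:00', 'New team member', 'publish', 'post'),
            (13, 0, '2024-01-13 02:14:00', 'The Ultimate Guide to Online Dating',
             'publish', 'post');
    """)
    authors = {r[0] for r in conn.execute("SELECT ID FROM wp_users")}
    return audit(baseline, snapshot(conn), authors)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Post 12 is flagged only as new, which is what a legitimate overnight publish looks like; post 13 carries all three reasons and is the one to investigate first.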