WordPress sites destroyed in new link spam attack

A new malicious hack injects spam links into the database of older Wordpress installs
Brian Turner
Brian Turner -


Pharmaceutical link spam is now being directly injected into WordPress posts, in a massive new hacking attack targeting out of date installs.

A Google search suggests that millions of pages are potentially affected already.

WordPress owners are advised to update to the latest version of WordPress immediately.

Unlike previous attacks, which sought to only modify WordPress files, this new wave of attack directly injects masses of links into the posts table of the database.

The result is something that looks like this, which comes from a stock market report at NYSE-news.com:


Normal repair methods - such as uploading a new version of WordPress, or reuploading theme files - will not correct it.

Even worse, a script has been uploaded to the database to autogenerate the links, so even if the links are removed manually from posts they reappear.

In fact, the only way to remove the attack is by uploading a previous database backup - or else remove the spam manually post by post or through the database directly.

Due to the way the links are formated - large numbers of domains, different target pages, different anchor text - the result is that many of the links are unique and therefore even a “search/replace” repair is rendered almost as laborious as a manual post-by-post edit.

Unfortunately, chances are most people will not have database backups, and the sheer scale of the links injection means such sites may be more likely to be abandoned than repaired.

WordPress hack attacks

Out of date or poorly patched software has been routinely targeted by hackers, either manually or through automated methods.

As WordPress has gained in popularity, so it has been increasingly subjected to automated attacks - scripts set up to run through search engines looking for signs of out-of-date installs, or other security vulnerabilities.

Previously hack attacks on WordPress have sought to overwrite either theme or software files, to insert hidden links, redirect traffic, or even generate completely new content over the top.

In all of these instances, while annoying at best and distressing at worst, usually the website could be recovered through re-installing WordPress with the latest version, or replacing the theme files.

While some hack attacks could very difficult to isolate and remove, not least when hackers upload a file to hide among existing files and auto-hack a site, in all incidents the database usually remained secure.

Not any more - which means when this new form of hack attack is used on a website, all existing posts are utterly compromised.

The site owner is then left with the option of laboriously editing every single post, or else completely abandoning the website.

The expectation is that the latter will be the more common outcome.

Sadly, the destruction of target websites is of little concern to these hackers, who are only interested in short-term affiliate revenue from these pharmaceutical links.

SEO hacking and short-term gains

Ostensibly for “SEO” purposes, these link spam hack attacks aim to manipulate Google’s search ranking algorithm, which regards links on websites as like a “vote” for the site or page being linked to.

In other words, the hackers think that by hacking websites in this manner, they can boost the positions of their own websites in Google.

This is potentially very lucrative, especially in high-value industries such as pharmaceuticals.

This does not put off orgnised gangs of affiliates, however.

Google frowns on attempts to manipulate its algorithm and will ban sites which overtly try to do so.

This means that the hackers create websites only for the short-term, to last months, weeks, or even just days, before they are kicked out of Google.

The aim is to make as many affiliate sales as possible during the window they operate.

The short-term thinking of the hackers means that even if the sites they hack are destroyed, deleted, or taken offline, it does not matter to them, because their own websites are already dying themselves.

Even worse, these hack attacks are not the work of lone individuals working on their own initiative, but instead commonly believed to be organised criminal gangs in Russia and Eastern Europe.

In other words, this is a whole growing industry of cyber warfare with big potential commercial gains.

And caught on the front lines are people who run websites, for hobby, personal interest, or even business, who make the simple mistake of not keeping up to date with their WordPress installation.

In the meantime, the most important thing WordPress users can do is ensure their installs are up to date, and full backups are made regularly where possible.

Post a comment

Your email address will not be published. Required fields are marked *


Visited 2931 times, 10 so far today