WYSIWYG hides WordPress hacking

by Miraz on March 7, 2008

Yesterday a new client approached me about problems with his WordPress blog. He wasn’t particularly explicit:

My Wordpress site is starting to do strange things, Pages dropping off. Can’t post etc.

So off I went to have a look. The biggest problem was a sudden inability to post new items or to edit existing Posts or Pages. I could open an existing post, make changes and click Save, Save and Continue Editing or Publish — each with the same result: a completely and utterly blank Admin page, and a failure to have actually changed anything.

The hidden porn

My next step of course was intensive and extensive troubleshooting and investigation. I did a hundred things, including much Googling and searching WordPress forums, but one of the first things I did was to View Source on my client’s blog Home Page.

There I discovered two particularly interesting things:

  1. A link to ‘prepaid phone cards’ above the content. This isn’t the kind of link my client would include. Suspicious.
  2. Approximately 170 hidden links to porn sites. This is definitely not content my client would deliberately include in his blog. About 120 links went to one domain, the rest to another.

Had the blog been hacked?

It was looking as though my client’s blog had been hacked. But first, a bit more about those hidden links.

For starters they were hidden: visitors to the page couldn’t see them, but View Source made them all visible, and they also appeared in the RSS feed. Hiding them is the point of the exercise: search engines still index the links and credit the target sites, while readers (and the site owner) never notice them.

At first I thought they were some kind of comment or trackback, but I eventually found them attached in the body of the most recently published post. They were prefaced with this interesting HTML that effectively hid them from view:

<font style="position: absolute; overflow-x: hidden; overflow-y: hidden; height: 0px; width: 0px"><!--4848-->

Somehow a spammer had accessed my client’s blog and added these links to one post. And perhaps the same spammer had added the prepaid phone cards link to his theme. I downloaded a fresh copy of the theme he was using and checked: that link was not in the original theme. The spam link was likewise hidden from view, this time with an inline display: none style:

<div style="display: none" id="ads">
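As an added example (not code from the original post), here is a small Python script that does programmatically what View Source did by hand: it parses a page, keeps track of elements hidden by inline CSS such as the display: none div and the zero-size <font> shown above, and counts the links inside them per target host. The sample page and the .example hostnames are constructed for the demonstration and are not the client’s blog.

```python
"""Report links that inline CSS hides from visitors, as View Source would reveal them."""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks that hide an element from readers while leaving its links in the
# HTML for search engines. The first and third are the two forms seen on the hacked blog.
HIDING_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)", re.I),
    re.compile(r"text-indent\s*:\s*-\d", re.I),
    re.compile(r"font-size\s*:\s*0(?:px)?\s*(?:;|$)", re.I),
]

# Elements that never have a closing tag; they must not be pushed on the open-element stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def is_hiding(style):
    """True if an inline style attribute contains one of the hiding tricks above."""
    return any(p.search(style) for p in HIDING_PATTERNS)


class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of <a> elements that sit inside an element hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.open = []          # (tag, hides) for each open element, outermost first
        self.hidden_depth = 0   # how many open ancestors are hiding their content
        self.links = []         # hrefs found inside hidden markup, in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = is_hiding(a.get("style") or "")
        if tag == "a" and a.get("href") and (hides or self.hidden_depth > 0):
            self.links.append(a["href"])
        if tag in VOID_TAGS:
            return
        self.open.append((tag, hides))
        if hides:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Spam is often sloppy HTML: ignore stray close tags, and when a close tag
        # matches an outer element, implicitly close everything opened inside it.
        if tag in VOID_TAGS or all(t != tag for t, _ in self.open):
            return
        while self.open:
            t, hides = self.open.pop()
            if hides:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_hidden_links(html):
    """Return the hrefs hidden from visitors in `html`, in document order."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.links


def hidden_link_report(html):
    """Count hidden links per target host, the way the ~170 links above split by domain."""
    return dict(Counter(urlparse(href).netloc.lower() for href in find_hidden_links(html)))


# Constructed sample page (not the client's blog): a normal nav link, the theme's hidden
# "ads" div, a visible post, and a spam block using the zero-size <font> trick, left
# unclosed on purpose. The hostnames are placeholders under the reserved .example TLD.
SAMPLE_HTML = """<html><body>
<div id="nav"><a href="http://example.org/about">About</a></div>
<div style="display: none" id="ads"><a href="http://cards.example/prepaid">prepaid phone cards</a></div>
<div class="post">
<p>Visible text with a <a href="http://example.org/links">normal link</a>.</p>
<font style="position: absolute; overflow-x: hidden; overflow-y: hidden; height: 0px; width: 0px"><!--4848-->
<a href="http://spam-one.example/a">x</a> <a href="http://spam-one.example/b">y</a>
<a href="http://spam-two.example/c">z</a>
</div>
</body></html>"""

if __name__ == "__main__":
    for host, n in sorted(hidden_link_report(SAMPLE_HTML).items()):
        print(f"{n:4d}  {host}")
```

Feed it the saved View Source of a page, or the HTML a theme template emits, and a handful of hosts with dozens of links each is the tell. One caveat: it only sees inline styles. A block hidden by a rule in the theme’s stylesheet (a #ads selector in style.css, say) slips past it, so a grep of the theme files for unexpected links is still worth doing.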

The Visual Editor hides all

My client has the Visual Rich Editor turned on, and probably uses the Visual view to write posts. Guess what! Those porn links are invisible in that view. He wouldn’t have known they were there! I knew, because I clicked on the Code tab, as I always do. In Code view they were immediately obvious.

I deleted the porn, clicked Save, and struck the bug my client had originally complained of: an inability to edit posts. It wasn’t going to be that easy to get rid of the porn. So next I had to solve his Save problem.

But that took me the next day, so I’ll write about it in another post.

And finally, here’s what Daniel Jalkut, the developer of my favourite blog editor, MarsEdit, says about WYSIWYG (which is what you get with the Visual Editor):

There are a list of classic things that are wrong with WYSIWYG editors. They over-promise and under-deliver. They’re not actually that easy to use. They mess up your HTML, and often outright eliminate content. I don’t want to make any of those mistakes. That’s what makes the feature hard, and that’s the reason users haven’t seen it yet in MarsEdit.

[Via: The Daniel Jalkut Interview.]

The moral of this story: even if you like the Visual editor, at least look at the Code view — you may be surprised at what you find.


2 comments

Patricia, 07.02.08 at 01:27

Is there a follow up post to this? I’d like to know how you fixed this!

Miraz Jordan, 07.30.08 at 19:21

I cleaned up his Theme files to remove all spam links. I updated WordPress and all the plugins. I renamed xmlrpc.php.

From memory, that did the trick.
