so zarkill.com recently fell victim to a hack that inserts linkspam into the template. i had been running an old installation and didn’t do many of the recommended steps to secure the software so i was like “oops my bad, i’ll go ahead and upgrade”. (thanks for the tip from brendan, a friendly stranger.)

so i did, and figured that was the end of it, but then BAM! the next day, there was more linkspam in the template. so i was like WTF, and started looking for some answers.

there are a lot of general guides to protecting your wordpress installation, but there was nothing specific about “wpfooterz” which appeared in the code comments before my particular linkspam. i saw a few people asking about it on forums, but no one had any real answers except “google it”, which just made me go “what do you think i’m doing, you dick”.

but i did find a few articles which suggested some things to look for – for instance, malicious code can be inserted into your theme that can make the linkspam come back even after you delete it all. so i started downloading my theme files so i could run a text search on them. lo and behold, before i was even finished downloading, my symantec antivirus actually flagged one of the files as a “hacking tool” – so i figured that must be the problem.

the file was called “locals.php” which must have been inserted into my theme folder during the time i was running an unsecure old installation. it is not a legit theme file. but since upgrading wordpress doesn’t overwrite themes, it survived the update and continued to re-insert the linkspam into my template.

i removed this file and HOPEFULLY that will take care of the problem. i hope this public service announcement will help anyone else who keeps getting the “wpfooterz” linkspam, because i couldn’t find any other specific info about it.

look for the locals.php file, which is full of malicious code, and get rid of it. then make sure you’ve got the most up-to-date version of wordpress and i guess it never hurts to go ahead and change your admin password. also i’ve learned that it’s a good idea to have an admin username other than “admin”, and make sure your wordpress tables have a prefix other than “wp_”.

hope that helps someone.

This entry was posted on Thursday, July 2nd, 2009 at 8:23 am and is filed under updates. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.