homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Google / Google SEO News and Discussion
Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

Someone hacked my site and Google dropped it from its search index
Automotive site

 5:39 pm on Oct 27, 2009 (gmt 0)

Today I got a message from Google that one of my sites had been hacked and indeed I am seeing lots of hidden text at the bottom of each page when I look at the source code.

The site is a wordpress blog. How can I get rid of this text? It appears on every page.

I can only resubmit for inclusion after gettiong rid of this text. I have very limited coding knowledge. Also, what can i do to prevent this from heppening in the future.

I should have made a backup in the last few days so I could have restored to a previous state before this happened, but my last backup was probably weeks ago since when I have added lot of content.

By the way, its a quality site and there is no way I would cheat myself by spamming it with hidden text because the site makes me a bit of money from adsense and affiliate commission, not much but around $200 a month.

Thanks for any help and suggestions.

Also, is there anyway way of knowing who might be resposnible for this? I have a fairly good idea but don't want to accuse him unless I am 100% sure.



 6:41 pm on Oct 27, 2009 (gmt 0)

Our Google Search forum is not really the place to look for Wordpress technical help - I'd suggest checking wordpress.org for technical information. If you're weak in technical knowledge, you may need to hire some help.

But I will address some of the Google aspects. A lot of information is already available here: How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]

There is currently even more server hacking going on than ever before. To repair the damage, you need to do more than delete the injected code from the pages. You need to make sure you are running the most up-to-date version of WordPress. When a way to hack any version is discovered, the news spreads quickly through the spam-and-scam world.

If you don't keep the software updated, then someone will be hacking you again. Let Google know that you've updated the software in your reconsideration request - that's a help, and it's something that they look for.

Automotive site

 8:31 am on Oct 28, 2009 (gmt 0)

When you say keep the software updated, do you mean install the latest version of Wordpress (since in my case I am using Wordpress) or other updates as well that Wordpress release?

My site is in fact running on an older Worpress admin, so the first thing I suppose I must do is install the latest one.



 1:40 pm on Oct 28, 2009 (gmt 0)

Yes, I mean always keep the latest version of Wordpress installed.


 3:24 pm on Oct 28, 2009 (gmt 0)

This happened to me and it turned out that I had some folders set to 777 and somebody came in from the back door. People go and get accounts at popular shared server hosting and look for people with bad permissions to exploit. If you are on a shared server anybody else on that server can see all your files and if you have the wrong permissions they can also make changes to them. You can look at these permission from you ftp client. Just right click on a folder and hit permissions or properties or something like that depending on your ftp program. There is probably a place to do this in your control panel as well. These hidden links might be in your template. Download a new template and make it active and see if the hidden links go away. If this is the case just delete all your templates and install the same ones again from a fresh download.

Automotive site

 4:28 pm on Oct 28, 2009 (gmt 0)

Well, I have myself to blame a little for this because this happened to the same site a while back (7 or 8 months ago) and I should have upgraded to the newer version of Wordpress and made regular backups.

The only problem is that this time (unlike the last) Google took me off the search results only hours after sending me an email. I think they ought to give people couple of days at least for them to try and and sort it out. I think this is a little unfair on genuinley hardworking webmasters who have to suffer through other peoples stupidity.

Anyway, I think I am going to move the site to my main host as well because, like someone said earlier, there may be a fault with my host who possibly have a loophole that the guilty party was able to take advantage of.

Again, thanks for helpful suggestions guys.

Automotive site

 9:13 pm on Oct 28, 2009 (gmt 0)

Also, would anyone know which file I can locate the hidden text when I log into the cPanel? The hidden text appears on all the pages right at the bottom (the same text) when I view the source code of the pages.

Or, would it be impossible to know unless someone checked first.


 11:57 pm on Oct 28, 2009 (gmt 0)

try footer.php in your themes folder


 12:49 am on Oct 29, 2009 (gmt 0)

Are you sure the message came from Google?



 2:55 am on Oct 29, 2009 (gmt 0)

We had the exact same thing happen to an old site that we neglected for some time. At least it sounds exactly the same. The problem is due to spam comments and and old version of wordpress.

1. Upgrade to the latest version of wordpress

2. Go into myPHPAdmin and delete all spam comments from the database. Even if you have no experience using myPHPAdmin (or similar) you should be able to do this pretty easily by searching for instructions online.

3. Go into webmastertools and let Google know what happened and that you have elminated all spam from the site.

Basically, you have to go into the database to eliminate the spam from the site. It is not present in theme files (such as footer.php) but is in comment form.


 9:23 am on Oct 29, 2009 (gmt 0)

Basically, you have to go into the database to eliminate the spam from the site. It is not present in theme files (such as footer.php) but is in comment form.

Perhaps there could be additional spam in the comments. However, from the description of the problem:

The hidden text appears on all the pages right at the bottom (the same text) when I view the source code of the pages.

Then I would suspect the footer.php


 9:56 pm on Oct 29, 2009 (gmt 0)

Not necessarily, aakk9999.

SQL Injection, if it succeeds, replaces the content of all SQL record fields it can get at. I'm not saying that's the case here (it doesn't sound like SQLI), just that it's possible.


 12:16 am on Oct 30, 2009 (gmt 0)

I see your point, dstiles - I should have been clearer I guess and say that footer.php should be a starting point in debugging.

If no offending text is found in footer.php then inserting some debug text at the start of footer.php and end of footer.php will show if the offending text is in between these or before/after these and then follow up functions called and narrow the things down.

I just wanted to point OP to what I believe would be the correct starting point in finding his hidden text.

Automotive site

 1:46 pm on Oct 30, 2009 (gmt 0)

I did locate it and removed it but a day later the links are there again. Have removed it again, but would anyone know how can put an instruction in the footer file that would stop these links appearing again.

I actually removed the files from the index.php file through the cPanel, but it looks like they would have been in the footer file as well. I am going to upgrade to current Wordpress, but is there a way to put a piece of code that would block someone from entering hidden links even though the links might be infected by the way of spam comments.


 4:05 pm on Oct 30, 2009 (gmt 0)

You probably just need to changes the permissions (chmod). Ask your host for help if you are unsure how to do this.


 3:55 pm on Nov 6, 2009 (gmt 0)

Do a thorough scan of your hard drive. You may have something that gets passwords to your ftp program.
Change your passwords and logins.
Also, hacked content tends to be either just on any pages called "index" or it's on every single page. The most common locations are right after the body tag or at the very end before the close body tag.
Consider too changing web hosting companies. Some are more secure than others.


 4:09 pm on Nov 6, 2009 (gmt 0)

Make sure your own PC doesn't have a virus.
There are virus today that use FTP from your own PC to update your sites.


 5:07 pm on Nov 9, 2009 (gmt 0)

Make sure your own PC doesn't have a virus.
There are virus today that use FTP from your own PC to update your sites.

EXACTLY what happened to my bro's computer. I have about 12 sites on my server and, of course his two, sure enough that fake antispyware sniffed his FTP and hacked it to show in .html files and such. I was a loooong line of JavaScript and I found out it would go to a site that would put that on other's computers. What a mess. It took me over a day to fix the files and get the crap off. Caught it in time to not get hit by Google.

I changed the passwords for his FTP and told him not to keep it on his computer anymore as he hasn't learned how to be safe yet. Thank GOD he didn't have FTP to some of my other sites! PHEW.

How it "sniffed" out his FTP passwords IDK. They were very strong passwords too! Those people really piss me off...


 10:27 pm on Nov 9, 2009 (gmt 0)

Some FTP clients save passwords in plain text. If you don't use SSL on FTP then all info, usually including passwords, is sent in plain text. Add one keylogger spyware app to the user's computer...

Also check that the FTP server does not have any exploits listed for it. One well-known one did a few years ago.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Google / Google SEO News and Discussion
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved