
WordPress Hacker Best Practices & Malicious Code Site Audit

When hiring offshore developers, how can I best protect myself re: hacking

5:55 pm on Sep 15, 2009 (gmt 0)
New User, joined Sept 15, 2009, posts: 3

Hi folks,

My dev skills are minimal, and as a result, I need to rely on offshore web developers to help me configure my sites.

I hired web developers from India on Odesk to help me fix my half baked website redesign project that was abandoned by another developer I hired. The guy I hired (who had 5 star reviews) said that he was the "Project Lead" and that another developer would work on my site, under his guidance. I was a little annoyed by the bait & switch, however, I checked out the company's portfolio of sites, which included some I recognized, checked out the source code for SEO friendliness & hired them.

Not only did these guys leave the job unfinished, I discovered weird code added to one of my blog posts, with the edit log indicating that he was the last person to log in (code shown below).

As I'm somewhat new to this (please provide your answers in an easy, step by step noob friendly way):

1) Any idea what this code is and what it does? I did a Google search off a snippet (LeoHighlights_iframe) and found many sites that appear to have this code.

2) What best practices do you recommend when hiring and providing admin access to an offshore web developer sourced from Odesk or Elance?

- I gave him access to my entire public_html folder. Was this wrong? What ought I do in the future?

3) How do I scan or audit my website for malicious code?

4) Looking at this developer's code - it looks messy and I will still need to hire yet someone else to finish the job and clean up the code, resulting in more expense & headache.

Any tips on hiring & vetting offshore developers? I have had such bad experiences hiring India & Pakistan contractors I am considering only hiring from the Philippines.

Much thanks in advance!


Here is a snippet of the mystery code, as it is too long to publish:

<input id="gwProxy" type="hidden" /> <input id="jsProxy" onclick="jsCall();" type="hidden" />

<span id="leoHighlights_iframe_modal_span_container"> </span>
<div id="leoHighlights_iframe_modal_div_container" style="border: 1px solid black; position: absolute; visibility: hidden; display: none; width: 394px; height: 40px; z-index: 32768; background-color: white;" onmouseover="leoHighlightsHandleIFrameMouseOver();" onmouseout="leoHighlightsHandleIFrameMouseOut();">
<div id="leo_iFrame_closebar" style="position: absolute; top: 0px; left: 0px; width: 394px; height: 40px; z-index: 32768; background-image: url(chrome://shim/content/highlightsFilter-1/header.gif);"><a href="javascript: leoHighlightsIFrameClose();"></a></div>
<script type="text/javascript">// <![CDATA[

and so forth for an entire page

5:59 pm on Sept 15, 2009 (gmt 0)
New User, joined Sept 15, 2009

Oh, I should clarify, if you can provide step by step instructions on how to check my cPanel as well as my WordPress files, I would be overjoyed. Thanks!

5:26 pm on Sept 16, 2009 (gmt 0)
httpwebwitch, Senior Member from CA, joined Aug 29, 2003

I suspect that someone who edited that post had a browser extension installed called "The Browser Highlighter", by eBay.

It is often bundled with updates from Skype, consequently many people install it unintentionally. But it's a legit browser extension, and many people install it on purpose.

It rewrites stuff in web pages you visit, presumably helpful stuff like comparing prices on eBay and highlighting phone numbers for Skype. And it leaves a fingerprint just like the code you've quoted above.

There are also versions floating out there that are not actually by eBay. And there are trojans about that install a fake version of it in your browser, also not by eBay. And they do malicious things.

I can imagine that someone with this extension was working on your WP back-end, and published a post after all that hidden crap had been injected into it.

Anyways, check your browser extensions, remove that one if it's there, and also remove that extra code from your posts ASAP.

6:16 pm on Sept 16, 2009 (gmt 0)
Junior Member, joined June 7, 2005

A good practice is to install a local development version of your WordPress site. You can use a program called XAMPP that installs a virtual server on your machine. Then, when you receive any code changes from a coder, install them locally first so you can review their effect before uploading to your production site.

This isn't as hard as it sounds. Do a search for "how to install wordpress on your PC" or something similar and you'll find some good tutorials.

Once you've installed WP and XAMPP locally, import your live database with all the posts, install your theme and any plug-ins you're using, and you'll have your own sandbox site to tinker with.
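One step the reply above skips: a dump of the live wp_options and wp_posts tables still points at the production domain, and WordPress stores several options (widgets, theme settings) as PHP-serialized strings whose byte-length prefixes (s:36:"...") break under a plain find-and-replace, after which WordPress silently discards the option. The Python below is an added example, not code from this thread or from WordPress; the dump rows, the domain www.example.com and the local URL http://localhost/sandbox are constructed for illustration, and the function names are my own.

```python
import re

# Constructed sample: three rows as mysqldump would emit them for wp_options.
# The widget_text row holds a PHP-serialized array; s:36 is the byte length
# of the string that follows and must stay correct or WordPress discards it.
SAMPLE_DUMP = (
    "INSERT INTO `wp_options` VALUES (1,'siteurl','http://www.example.com','yes');\n"
    "INSERT INTO `wp_options` VALUES (2,'home','http://www.example.com','yes');\n"
    "INSERT INTO `wp_options` VALUES (3,'widget_text',"
    "'a:1:{i:0;s:36:\"Visit http://www.example.com/contact\";}','yes');\n"
)

# Start of a PHP-serialized string: s:<byte length>:"
SER_STR = re.compile(r's:(\d+):"')


def _read_serialized(dump, m):
    """Decode the string announced by m (an SER_STR match).

    Returns (body, end_index) where dump[end_index:end_index+2] is '";',
    or None when the declared length does not line up (corrupt, or not
    actually serialized data). Lengths count bytes of the PHP string; this
    assumes no SQL backslash escapes inside the value, which holds for URLs
    and plain text.
    """
    n = int(m.group(1))
    start = m.end()
    try:
        body = dump[start:].encode("utf-8")[:n].decode("utf-8")
    except UnicodeDecodeError:
        return None
    end = start + len(body)
    if dump[end:end + 2] != '";':
        return None
    return body, end


def check_serialized_lengths(dump):
    """Offsets of every s:N:"..." whose declared length is wrong (empty = OK)."""
    bad, pos = [], 0
    for m in SER_STR.finditer(dump):
        if m.start() < pos:          # match lies inside a string already consumed
            continue
        parsed = _read_serialized(dump, m)
        if parsed is None:
            bad.append(m.start())
            pos = m.end()
        else:
            pos = parsed[1] + 2
    return bad


def rewrite_serialized_urls(dump, old, new):
    """Replace old with new everywhere, recomputing serialized string lengths."""
    out, pos = [], 0
    for m in SER_STR.finditer(dump):
        if m.start() < pos:
            continue
        out.append(dump[pos:m.start()].replace(old, new))   # text between strings
        parsed = _read_serialized(dump, m)
        if parsed is None:                                  # leave malformed data alone
            out.append(m.group(0))
            pos = m.end()
            continue
        body, end = parsed
        new_body = body.replace(old, new)
        out.append('s:%d:"%s";' % (len(new_body.encode("utf-8")), new_body))
        pos = end + 2
    out.append(dump[pos:].replace(old, new))
    return "".join(out)


if __name__ == "__main__":
    old, new = "http://www.example.com", "http://localhost/sandbox"
    naive = SAMPLE_DUMP.replace(old, new)
    print("plain replace breaks %d serialized string(s)" % len(check_serialized_lengths(naive)))
    fixed = rewrite_serialized_urls(SAMPLE_DUMP, old, new)
    print("length-aware rewrite breaks %d" % len(check_serialized_lengths(fixed)))
    print(fixed)
```

Import the rewritten dump into the MySQL that XAMPP provides. check_serialized_lengths is worth running on any dump before importing: a dump edited with a plain find-and-replace imports without error and only fails later, when WordPress unserializes the option and gets nothing back.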

6:38 pm on Sept 16, 2009 (gmt 0)
New User, joined Sept 15, 2009

Thanks for the replies! I will check out MAMP.

Any recos on how to do a WordPress files audit and server audit for weird stuff?

Thanks in advance!
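The audit question never gets a direct answer in the thread. As an added example (not code from the thread, from WordPress or from any of the posters), here is a small Python scanner for the fingerprint shown in the first post: it checks exported post bodies and a downloaded copy of the site tree for the Browser Highlighter markers, and separately lists every file changed after a cut-off date, so the result can be compared with the window in which the contractor had access. The sample posts, theme files and dates are constructed, and the function names are my own.

```python
import os
import tempfile
import time

# Strings lifted from the snippet in the first post; any one of them in a
# post body or theme file marks the Browser Highlighter injection.
MARKERS = (
    "leoHighlights",
    "leo_iFrame",
    'id="gwProxy"',
    'id="jsProxy"',
    "chrome://shim/content/highlightsFilter",
)

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js", ".txt")


def find_markers(text):
    """Markers present in text, in MARKERS order (empty list means clean)."""
    return [m for m in MARKERS if m in text]


def scan_posts(posts):
    """posts: iterable of (post_id, title, content) as exported from wp_posts.
    Returns [(post_id, title, markers_found)] for every flagged post."""
    hits = []
    for pid, title, body in posts:
        found = find_markers(body)
        if found:
            hits.append((pid, title, found))
    return hits


def scan_tree(root):
    """Walk a downloaded copy of public_html and flag files carrying markers."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_markers(fh.read())
            except OSError:
                continue
            if found:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), found))
    return sorted(hits)


def modified_since(root, since_epoch):
    """Every file under root (any extension) touched at or after since_epoch;
    compare the list with the dates the contractor had access."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) >= since_epoch:
                out.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(out)


def demo():
    """Constructed site: two posts plus a theme with one clean, one injected file."""
    posts = [
        (101, "About us", "<p>We make widgets.</p>"),
        (102, "Redesign launch",
         '<p>Hello</p><input id="gwProxy" type="hidden" />'
         '<span id="leoHighlights_iframe_modal_span_container"> </span>'),
    ]
    root = tempfile.mkdtemp(prefix="wp_audit_")
    theme = os.path.join(root, "wp-content", "themes", "mytheme")
    os.makedirs(theme)
    clean = os.path.join(theme, "functions.php")
    dirty = os.path.join(theme, "footer.php")
    with open(clean, "w") as fh:
        fh.write("<?php add_theme_support('post-thumbnails'); ?>\n")
    with open(dirty, "w") as fh:
        fh.write('<?php wp_footer(); ?>\n'
                 '<input id="jsProxy" onclick="jsCall();" type="hidden" />\n'
                 '<span id="leoHighlights_iframe_modal_span_container"> </span>\n')
    now = time.time()
    old = now - 90 * 86400
    os.utime(clean, (old, old))                            # untouched for 90 days
    return {
        "posts": scan_posts(posts),
        "files": scan_tree(root),
        "modified": modified_since(root, now - 7 * 86400),  # the contractor's week
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key)
        for row in rows:
            print("   ", row)
```

Run scan_tree against a copy of public_html pulled down through cPanel's File Manager or FTP, and scan_posts against a wp_posts export; mtimes only mean something if the copy was made in a way that preserves them (FTP downloads usually do not). Anything flagged is then cleaned by hand in the post editor or by restoring the file from a known-good copy of the theme.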