I've Been Exploited

Earlier this week, I converted my main blog from the Drupal content management system to Wordpress. Within 24 hours, I was exploited.I made the decision a couple of weeks ago to move from Drupal to Wordpress for a number of reasons. The process to convert the site wasn't easy and I am working on a technical guide which I will publish later this month. Most of the issue was centered around the URL structure. Drupal has a more complex URL structure which basically broke about 1,000 blog posts which I have been slowly cleaning up the last three days nearly non-stop.

During my URL correction work, I noticed that the blog homepage was shifted to the left. I knew I didn't change the template but since I just completed the template transition to the Wordpress specifications, I started to investigate the shift. After some initial template checks, I looked at the source of the page and am pretty sure I lost several heartbeats. Inside the code of the page were about 250 spam URLs injected into the page.

I had a friend help me diagnose where the spam injection was inside my files and it turned out to be in the overall Wordpress header file. We cleaned it out, changed all of the passwords and re-installed a clean Wordpress installation. The total time the spam injection was live on the site was about two hours.

That amount of time was enough for all of the major search engines to index the updated site with the spam URLs. This has caused Google to flag my blog as "potentially malicious" and I am unsure what it has done to my search rankings but I know my traffic is down significantly. I have started to work on getting it corrected by submitting a "re-inclusion request" via the Google Webmaster tool. I am not sure how long it will take to get this notation removed but they note it could take some time.

Next week I will speak with my web host to learn the technical reasons that this exploit happened. It appears that it was a combination of a file upload and some shell commands.

This is a good example of why it's so important to monitor your site in real-time. You can quickly see incoming traffic patterns and take appropriate action as needed. In my case, I started receiving traffic from MSN Search for some of the keywords in the spam URLs. This tipped me off that there was something weird beyond the template issue I noted above.

At the end of the day, I am glad I switched platforms and eventually Google will help me get the malicious notation corrected. Please use my bad luck as your reason to go and check your blog to make sure you are current in updates and patches. Also check out my guide for creating a backup of your website or blog -- this will help if your site is exploited or compromised.