WordPress iFrame Hacking. Dealing With Malicious Code Injected on WordPress Blogs

By Sidharth | Features

WordPress, as a blogging application, is prone to being hacked, apart from being easy-to-use blog software. Several thousand WordPress blogs are hacked every day – blame the plugins, old WP versions and some unsealed loopholes.

Yet again, this blog was hacked; let’s say malicious code was injected onto this website. Let me tell you, we don’t host any Trojan or virus on this blog, which you might have witnessed in the past couple of days if you were using a good antivirus program. Right now, it is completely clean and it will be the same in the future.

So, this website was in the hacked state for more than a week. Rogue code was forcibly injected onto the website in the footer field, which I believe was up here for more than 10 days, letting every visitor know that this is a harmful website, which of course is completely untrue.

Indication of a blog being hacked

If you’ve been following this blog then you would know I am quite a lazy person when it comes to updating the blog. However, while checking out the blog statistics, I saw a 25% decrease in the revenue (usually they are quite consistent) and, to make it worse, the traffic went down by the same percentage, making it a terrible start for the month of March.

If only I had been active enough in blogging, this would not have happened. Anyway, I want to share my experience, which I believe might be helpful for others so that they can get an idea of how to deal with malicious code and remove such iframe JavaScript from the blog. Before that, here are some of the indications (with regard to this blog) that were seen when it was hacked:

  • Decline in overall traffic, thanks to Google Analytics.
  • Firefox browser was shutting down whenever I visited my website.
  • In the status bar of the browser, unknown components were loading along with the site elements (the harmful code coming from roguenet.info, which is hacked as well).
  • Website went slow despite having a reliable server and compressed CSS.

Finding the malicious code

The quickest way to check for malicious code is to view the source code of your homepage. You can click View -> Page Source in Firefox to view the source of the page.

I found 4 lines of unknown code embedded between <iframe>.. </iframe>. I quickly knew that I never iframe any code, so the obvious was sensed: the site was under attack. To confirm its existence, I used the Firebug add-on, which cleared the minimal doubt I had. Check out the screenshot to get an idea.


Dealing with the malicious code on WordPress

I panicked for a moment, but that had to happen. Now the real deal was to take this line of code out of the website. I did face a similar situation a few months ago and tried the very same method. Do read that post and come back.

Okay, so now I downloaded all the theme files and used Notepad++; it has an exclusive option to search for text in whole files/directories, which is very handy and made my search easier than ever. I was very close to finding the line of code; however, I couldn’t. Luckily, at the right time the guys hosting this blog (KnownHost) came up with the information about the infected file, which was not a WordPress theme file.

In fact, the malicious code was in a plugin, the contact form plugin for WordPress, which was unexpected! In no time, I downloaded the plugin .php file and removed the malicious code.

So, that’s it! It took me around 2 hours to figure all this out. Do remember to contact your hosting support, use Firebug or check out the source code, download all the files and use Notepad++ to bulk search the text.
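
The bulk search described above, as an added example (not part of the original post): a Python script that walks every downloaded file, plugins included, and lists each literal <iframe> tag with its file, line, source URL and whether it is sized or styled to be invisible. The extension list, the hidden-iframe markers and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: these extensions cover the files worth searching in a WordPress download.
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)  # [^>] also spans newlines
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Assumption: signs that the iframe is meant to be invisible to the visitor.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)


def scan_tree(root):
    """Return sorted (relative_path, line_no, src, hidden) for each <iframe> under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")  # tolerate odd encodings
        rel = path.relative_to(root).as_posix()
        for m in IFRAME_RE.finditer(text):
            src = SRC_RE.search(m.group(0))
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((rel, line_no, src.group(1) if src else "",
                             bool(HIDDEN_RE.search(m.group(0)))))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: a clean theme file and a plugin file with an injected iframe."""
    files = {
        "themes/mytheme/footer.php": "<?php wp_footer(); ?>\n</body>\n",
        "plugins/contact-form/form.php": "<?php // contact form ?>\n"
            '<iframe src="http://injected.example/x"\n width="1" height="1"></iframe>\n',
    }
    for rel, body in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, line_no, src, hidden in scan_tree(tmp):
            print(f"{rel}:{line_no} src={src} hidden={hidden}")
```

A plain-text search like this only finds iframes written literally in a file; one that is assembled at runtime by encoded script will not show up, which is why checking the rendered page source as well still matters.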

About the Author

Hi, I am Sidharth. Full-time blogger. Editor of Blogote. And a self-proclaimed geek!