Posts Tagged ‘meta’

How I got hacked (and lived to tell the tale)

19 December 2008

For a long time I didn’t bother to upgrade this blog when new versions of WordPress came out. I was kind of neglecting the blog anyway, and I would have had to do some tinkering behind the scenes in order to integrate all the tags on my old posts with the tagging functionality built into WP 2.3 (I was using 2.1 with the Ultimate Tag Warrior plugin at the time). Since the site in question was just a low-visibility personal project, I procrastinated.

Bad idea.

See, the advantage of regularly updating your WordPress install is that the more recent versions of WP fix the security holes that people keep finding in older versions of the software. Eventually, if you don’t upgrade, someone will exploit one of those holes in order to hack your blog.

I got hit with a spam injection attack. Basically, the hacker managed to get write access to some of the files in my WP directory and added some obfuscated code that dynamically added a bunch of invisible spam links to the header of certain pages on my blog — “invisible” in that they don’t appear when you look at the pages in your web browser, but they’re still visible in the actual HTML source code (your browser just doesn’t display them when it renders that code) and therefore visible to search engines. The intent is to piggyback on the victims’ PageRank in order to improve the ranking of the spam links in search engine results: if credible sites (like mine) appear to be linking to them, Google assumes that the spam sites must be legitimate after all. Eventually, though, the search engine sites catch on — and reduce the ranking of the victims’ sites, since they’re linking to spam and therefore seem spamlike themselves!

As hacks go, it’s not so bad for the victim. It’s hurt my PageRank a little, but I’m not too concerned about that. And all my data is intact.

At the moment you can still see examples of the hack in Google’s cache. Try a search for link:textsfornothing.com/blog and look for results from the textsfornothing.com domain. I only noticed it because the version of WordPress I was using showed incoming links from other sites that linked to mine. I took a look at one of the new incoming links, saw that it was a splog (a fake blog that exists to shovel spam into the intertubes), and tried to figure out why it was linking to me. It was actually linking to a specific page on my site, so I looked at the HTML source code for that page … and discovered the spam.

I could have made the effort to clean up my existing WordPress install at that point, but I was so far behind in the update cycle that I just wiped the whole blog (as in, I backed up the database to an SQL file and deleted the whole thing) and did a fresh install of the latest version of WordPress, which I will be updating religiously. That’s why there aren’t currently any posts on this site dating back before mid-December — I haven’t extracted them from the old, hacked site yet. I’ll get around to it sometime this month; since the data’s offline, I can procrastinate safely, knowing that I’m not leaving myself vulnerable to further hacking by doing so.

I hope.

Hello (again), world!

9 December 2008

Welcome to Texts for Nothing 2.0! I’ve upgraded to a more recent version of WordPress and, I hope, resolved a weird security issue that I may blog about later.

Archived posts are currently unavailable, but they should be restored later this month. In the meantime, here’s some stuff you might be interested in: FreeTheNet.ca, Vancouver Hack Space, Free Geek, free software, information policy, the poetry of Ken Howe, liberty, democracy, and forming the structure of the new society in the shell of the old.

The Information Policy Blog

8 December 2007

I’m co-chair of the BC Library Association’s Information Policy Committee. We’ve just set up a blog called — get this — The Information Policy Blog. I’ll be posting information policy-related stuff over there (and possibly cross-posting it here as well); so will several other committee members. Please go take a look!

While I’m on the subject, you should also check out two other blogs: We Read Banned Books, about libraries and intellectual freedom, and Social Justice Librarian, about, well, libraries and social justice (including lots of information policy material). If you’re interested in the kinds of issues I write about here, then both will be well worth your time.

Making WordPress 2.0 permalinks work on Ubuntu Edgy

14 December 2006

Warning! Geek alert! This post is about messing with the bowels of strange operating systems for arcane purposes. Intermediate knowledge of WordPress and rudimentary knowledge of the Linux command line are assumed. If you’re here to read about ISP censorship and no-fly lists, you’ll probably want to skip this post.
