Bryan Stephens


Malware Notification From Google For A WordPress Blog

May 6th, 2008 · 6 Comments

I was searching through my mail recently and found an email, written below, with respect to a blog that my dad works on. At first I thought that it was some sort of spam or trick, but after investigating it further I realized that it was for real and there really was a problem.

Dear site owner or webmaster of beatyourdepression.com,

We recently discovered that some of your pages can cause users to be
infected with malicious software. We have begun showing a warning page
to users who visit these pages by clicking a search result on Google.com.
Below are some example URLs on your site which can cause users to be
infected (space inserted to prevent accidental clicking in case your
mail client auto-links URLs):

http://beatyourdepression .com/blog/
http://beatyourdepression .com/blog/category/overcoming-depression

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//beatyourdepression.com/blog/

We strongly encourage you to investigate this immediately to protect
your visitors. Although some sites intentionally distribute malicious
software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious
advertiser

If your site was compromised, it’s important to not only remove the
malicious (and usually hidden) content from your pages, but to also
identify and fix the vulnerability. We suggest contacting your hosting
provider if you are unsure of how to proceed. StopBadware also has a
resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be
removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users,
we will remove the warning.

Sincerely,
Google Search Quality Team

 

I checked out some information from stopbadware.com and realized that the static site was OK, but the blog had some problems. I now know why the traffic stats had dropped significantly. Google had dropped the blog posts from its index.

I contacted my hosting company. They were helpful as usual, but they told me that they could not really help me too much without any more specific information from Google.

I knew that dad and I had not deliberately put malicious content on the blog, so I investigated further by checking http://www.stopbadware.org/home/reportsearch with all of the external links that we had on the blog. All of them were found to be clean.

I used the clearing house tool with several of my other sites, including this blog, and they all came up clean until I arrived at another site with the same WordPress theme as the beatyourdepression theme. Therefore I thought that it was possible that the theme itself had been corrupted somehow. However, I found some other sites with the same WordPress theme and they all were clear.

I then tried some of my other blogs and found a few more that were earmarked by the clearing house as having badware within them.

It then became apparent that there was a common denominator between the blogs that had badware and those that were OK. The ones that had badware had “Anyone can register” ticked in the membership section of the settings in WordPress. I unticked all of those boxes on the affected sites, although the latest WordPress upgrade (2.5.1) is supposed to fix this problem.

I then had to search through all of the posts for coding that was not supposed to be there. (Go to Manage post and choose HTML.) Much of the bad coding had iframes and something like “<-traffic Statistics” and links to bad sites such as ringphones, casinos etc. It took ages to sift through all of the posts and remove all of the bad code, but hopefully it is all OK now. Note that none of the badware is visible to a viewer of your blog.

I have asked Google and stopbadware to check the site out again and I shall have to wait and see how it all goes. I really have to thank them for alerting me about the badware, as the last thing I would like is to have my readers affected by it.

I have learnt my lessons. 

So what do I suggest other bloggers do right now?

  1. Upgrade your WordPress (or other type) blog NOW.
  2. Remove the tick from “Anyone can register” if that is not totally necessary.
  3. Check whether your sites have badware on them using http://www.stopbadware.org/home/reportsearch
  4. Fix up any corrupt posts or pages by deleting the bad code.
  5. Tell Google and Stopbadware that your site is now OK again (if there was a problem in the first place).
  6. Have a nice cup of tea and keep a positive attitude 🙂
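
The manual sift through posts in step 4 can be narrowed down with a script. The following is an added example, not the author's code or a WordPress tool: it flags iframes, elements hidden with inline CSS, off-site links inside those elements, and posts whose modified date differs from the publish date (the hint the author gives in a reply below). The sample rows and `.example` hosts are constructed, and the keys are assumed to follow the `wp_posts` column names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"img", "br", "hr", "input"}  # no closing tag, so they cannot wrap links

class PostScanner(HTMLParser):  # flags iframes, hidden elements, hidden off-site links
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.findings = own_hosts, []
        self.hidden_tag, self.depth = None, 0  # scope of the open hidden element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("href") or "").hostname
        if tag == "iframe":
            self.findings.append(("iframe", a.get("src")))
        if self.hidden_tag is None and HIDDEN.search(a.get("style") or ""):
            self.findings.append(("hidden-element", tag))
            self.hidden_tag = None if tag in VOID else tag
        if tag == self.hidden_tag:
            self.depth += 1  # count nested tags of the same name
        if tag == "a" and self.hidden_tag and host and host not in self.own_hosts:
            self.findings.append(("hidden-link", a.get("href")))

    def handle_endtag(self, tag):
        if tag == self.hidden_tag:
            self.depth -= 1
            self.hidden_tag = tag if self.depth else None

def scan_posts(posts, own_hosts):
    report = {}  # post ID -> findings; only posts that need a manual look
    for p in posts:
        scanner = PostScanner(own_hosts)
        scanner.feed(p["post_content"])
        if p["post_modified"] != p["post_date"]:  # weak signal: edited after publishing
            scanner.findings.append(("edited-after-publish", p["post_modified"]))
        if scanner.findings:
            report[p["ID"]] = scanner.findings
    return report

# Constructed sample rows; the keys mirror columns of WordPress's wp_posts table.
POSTS = [
    {"ID": 1, "post_date": "2008-03-01", "post_modified": "2008-03-01", "post_content": "<p>Hi</p>"},
    {"ID": 2, "post_date": "2008-03-05", "post_modified": "2008-04-20",
     "post_content": '<div style="display:none"><a href="http://casino.example/">x</a>'
                     '</div><iframe src="http://stats.example/t" width="0"></iframe>'},
]
```

Calling `scan_posts(POSTS, {"blog.example"})` returns findings for post 2 only. A date mismatch alone also shows up for legitimately edited posts, so treat it as a reason to open the post, not as proof of tampering.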
     

Tags: Blogging · Internet Marketing

6 responses so far ↓

  • 1 Raymond Chua // May 6, 2008 at 2:32 pm

    Hi Bryan,

    Thanks for sharing this great piece of information.

    I have just performed a search and here’s the result I got:

    “You searched for items containing the term ‘attractingyourgoals.com’ there are 0 results.”

    Does that mean that my blog is safe?

  • 2 Bryan // May 6, 2008 at 2:44 pm

    Hi Raymond

    That is good news for your blog. It does not mean that your blog is definitely safe, but it certainly is a good sign. 🙂

    I found badware in different forms within random posts. While clicking on a post under “manage” I noticed that sometimes the last edited date was different from the published date. These posts were more likely to have been tampered with.

  • 3 Bruce Bird // May 6, 2008 at 8:02 pm

    Bryan
    Thanks for the heads-up. I suspect WordPress is in the same category as IE – it is now the most common blog platform and is therefore the favourite target for the bad guys out there.

    So it really is important to keep your blog up to date with WordPress updates as the programmers work to keep ahead and plug any holes before the bad guys can find ways to exploit them.

  • 4 Wordpress Vulnerabilities // May 6, 2008 at 8:23 pm

    […] A colleague of mine in the Smart Marketing Coaching Club recently reported an email he received from Google telling him of problems on one of his blogs.  You can read his story and about the solution on his blog here. […]

  • 5 Bryan // May 7, 2008 at 1:21 pm

    Hi Bruce
    Yes it seems like there are many that like to spoil things for others.

    The good news is that all of my blog sites are rated as clean again. They are all listed in Google again and getting traffic. 🙂

    It looks as though stopbadware.com acted quickly on my review (thanks so much for that) and that I did not miss any bad code. 🙂

    I have learnt a lot from this.

  • 6 Frakkin’ Spammers // Jul 6, 2008 at 11:55 pm

    […] If you find that Firefox 3 or Google is blocking your site, and you have a WordPress blog like me, you might want to check out this blog post. Basically, my blog got hacked. I believe it’s an exploit in the older version of WordPress […]
