Wordpress site hacked - trying to figure out strange behaviour


A friends website has been having issues for a number of weeks, the site appears to have been hacked, in that at different times an older version of the site is displayed, with a header tag 'Buy Viagra -BBS'.

Im not directly involved in the site development, but apparently they have followed various steps to fix the site and the developer now believes the site to be fixed. However when i have been accessing it, i get strange results.

Sometimes when i google 'boutique bar show', it advises 'site have been hacked', but sometimes it doesnt show this. I would have thought its a clear cut thing one way or the other with google?

Also, when i enter the URL 'www.boutiquebarshow.com' into three main browsers (Chrome / FF / IE), IE and FF display uptodate site (noticable by title='Home:BBS-Best Boutique...') whereas Chrome shows month old site (noticable by title='Buy viagra - BBS). Now chrome is my default browser, so i assumed this was simply a caching issue and that the site is indeed fixed. So i deleted full browsing history and tried again - to find that indeed chrome started showing the uptodate site.

However... after about 20 mins of doing other stuff, I re-entered the domain into the address bar and now it continues to show the old site - (Buy viagra -BBS).

The bar show that the site promotes is due to run in less than 10 days, so it essential we figure out whats going on... I would appreciate any suggestions / recommendations?

LVL 12
Dean OBrienAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ray PaseurCommented:
You may not have 100% control over this situation -- Chrome is a Google product and if Google and Chrome communicate about the status of the web site, your browser may be showing you what Google thinks, not strictly a representation of the current web site.  This is Google's way of protecting you from malicious or attack sites; apparently Google has, at some level, decided your site is dangerous.  Your site may also be served from a CDN.

As far as what others will see, that's less likely to be a problem because not all of them will be using a Chrome browser that has a cached version of the site, so they will more likely be fetching a new copy of the documents.  You can help make sure this happens by sending a meta-expires header with a date in the past.  It may make the site slower, but that would be a secondary consideration in a case like this.

You might want to contact Google directly to find out how to get their cache deleted.  You might want to purchase Google AdWords related to the marketing campaign.

You might also want to test Safari - it's used a lot more than we sometimes think.

If you browse in "anonymous" or "private" mode without reference to cookies or browser history, you will probably see what other browsers are going to see on initial access to the site.
Dean OBrienAuthor Commented:
Thanks Ray, I will definitely suggest the meta-expires header and see if that helps. Strangely now though, the other browsers i previously mentioned now show the hacked version, so clearly the problem still exists (or somehow the cache is shared between browsers?)

As a matter of interest, if you search for 'boutique bar show' in google, does it suggest the site is hacked for you? Obviously i wont ask you to access it!

Ray PaseurCommented:
In Firefox at current release level... There may still be a problem.See caption
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

Jason C. LevineDon't talk to me.Commented:
I'm not convinced your friend has fixed the hack, but we'll assume this is the case.  Google is still saying the site is hacked because:

whereas Chrome shows month old site (noticable by title='Buy viagra - BBS).

Your Yoast Facebook and Twitter settings in this site are still writing the Viagra text (sql injection, most likely). View source on your page to see the below:

<meta property="og:title" content="Buy viagra - BBS" />
<meta property="og:url" content="http://boutiquebarshow.com/" />
<meta property="og:site_name" content="BBS" />

<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="Buy viagra - BBS"/>
<meta name="twitter:domain" content="BBS"/>

Open in new window

So check the Yoast SEO settings.  So long as Viagra shows up on a site not dedicate to male impotence, Google is going to be suspicious.

If the site is using any kind of caching, dump the server caches or, better yet, delete the plugins creating/calling the caches.

Finally, you may want to follow the steps in my article on WordPress hacks:


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
Dean: Glad to see Jason here; you're in good hands!
Brandon LyonSenior DeveloperCommented:
Wordpress hacks can be messy to clean up and there are multiple areas that need to be addressed. Just because one spot is fixed doesn't mean they all are.

* Delete any compromised plugins.
* Fix any compromised templates.
* Fix permissions on files and directories.
* Clean bad records from the database.
* Change passwords to be VERY long and complex. Change them for wordpress admin, wp users, database connections, etc.
* Harden your htaccess file and wpconfig file.
* Don't use any default login credentials like admin.
* Setup a heavy-handed security plugin such as Wordfence.
* Setup an IP blacklist and monitor login attempts. That's usually done in plugins like Wordfence.
* Disable the Wordpress built-in comment form. If you need comments then use something else, or at the very least use a security plugin to harden it and add anti-spam protection.
Dean OBrienAuthor Commented:
Ray / Jason / Brandon,

Thanks for all your comments, I am trying to get full access to the site to start implementing changes. Once i do i will be sure to follow each of your suggestions.

For now I was able to get the wordpress login details and have been able to upload the 'sucuri security' plugin, which has identified a number of suspicious files, that have been altered since recently since the most recent publish date:

6th August 2015 6:42 pm      wp-includes/lndex.php
4th September 2015 9:31 am      wp-includes/pomo.php
6th August 2015 6:42 pm      wp-includes/functions.php

So i will start with them and hopefully get something sorted.

Thanks again
btanExec ConsultantCommented:
suggest you run scan using WPScan (you may already have know too) as minimal to see the low hanging are not found - should also look into patch all plug-ins using Surcuri to latest security ver. fyi
Jason C. LevineDon't talk to me.Commented:
The only problem with Sucuri, WordFence, et al is that they do a really good job of identifying what was hacked but are less good actually identifying WHY you got hacked.

So go through the affected files (functions.php may be a false positive but check it anyway) but keep a close eye on the site.  If the hack reappears, it's because one or more backdoors are present and that's much harder to fix.
btanExec ConsultantCommented:
Precisely , agree, they has certain interest and stake as well. The secure and defensive codes are still to be checked - I really disgusted by others getting WAF to cover up the gaps and deem such virtual apps as solving the issues, I fainted over it but they just dont budge till the mgmt instruct them. Sad case.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.