Can’t get rid of casino link at top of page in WordPress

A recent site we were working on was running the standard WordPress Twenty Eleven theme, and the owner said he couldn’t get rid of a casino link at the top of his WordPress-powered website. We investigated this for him and found that the link was being generated by a malicious WordPress plugin, “Google maps by Daniel Martyn”, which the owner had downloaded directly from the plugin repository at WordPress.org.

Are all WordPress plugins tested for viruses and spam?

Most people assume that every plugin in the huge WordPress.org repository has been verified spam- and virus-free, but this isn’t the case: many spam or virus plugins still slip through the net. WordPress.org, like many other GPL-promoting organisations, relies heavily on community feedback to police the bad boys.

What happens if I report this to WordPress?

Once a plugin is reported and banned, the author(s) simply create a new plugin and so the cycle continues. That’s not to say don’t report it; please still do, because you can do others a big favour this way. These are the ones we found to be malicious at the time of writing, so if you have any of these installed, deactivate and delete them immediately.

  • Google maps by Daniel Martyn
  • Seo cheese
  • Seo interlinking
  • Return to top
  • Mugger
  • G-translate

We found the malicious code in the file named version.php, but the file will vary depending on the plugin. The links to look out for are primarily gambling ones.

This is a particularly well-disguised link because the site owner often doesn’t see it while logged in, so check your site from a browser in which you are logged out. If only the rogue coder could put his skills to something better eh…?

The spam repercussions

Annoyingly, Google and the other search engines will downgrade your site because of the sites you link to, so this is a damaging attack in terms of SEO. Remember that this link appears on every page.

How to avoid downloading spam infected plugins

The only real way to reduce your chances of downloading a bad plugin is to read the comments and ratings and stick to the more popular plugins. If unsure, open each file of the plugin in an editor (such as the brilliant and free Notepad++) and search for http:// and https:// within them. Disregard links back to the author’s page that are commented out; this is standard practice in WordPress plugin code. Sometimes the coder will also drop a link back to his page on an admin screen; these too can be disregarded.
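The manual check just described (search every plugin file for http:// and https://, ignore commented-out author links and the author’s own link on an admin screen) can be scripted so it runs over a whole plugin directory in one go. The following Python script is an added example written for this post, not code from the original article or from any plugin mentioned in it. It builds a constructed two-file plugin in a temporary directory (the file names sample-maps.php and version.php and the hosts example-author.test and casino-example.test are invented fixtures), strips PHP/JS comments, treats hosts named in the plugin header as expected, and reports every other live link. As an extra hint it notes whether the file also calls WordPress’s is_user_logged_in(); that a hidden-from-the-owner link is gated on that function is an assumption of this example, not something the post states.

```python
"""Scan a WordPress plugin directory for live (non-commented) links to unexpected hosts."""
import os
import re
import tempfile
from urllib.parse import urlparse

SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm", ".css", ".txt"}
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')
# PHP/JS block comments plus whole-line // or # comments. Commented-out author links are
# normal in plugin code, so they are stripped before URLs are collected. Limitation: a
# trailing comment after code on the same line is not stripped, and a CSS line starting
# with "#id" is treated as a comment (harmless for a link scan).
COMMENT_RE = re.compile(r'/\*.*?\*/|^[ \t]*(?://|#)[^\n]*', re.S | re.M)
# "Plugin URI:" / "Author URI:" lines from the standard plugin header block.
HEADER_URI_RE = re.compile(r'^[ \t*]*(?:Plugin|Author) URI:[ \t]*(\S+)', re.M)
# Assumption (not stated in the post): a link shown only to visitors who are NOT logged in
# is typically gated on WordPress's is_user_logged_in(); its presence is reported as a hint.
LOGIN_CHECK_RE = re.compile(r'is_user_logged_in\s*\(')


def header_hosts(text):
    """Hosts declared in the plugin header; links back to them are expected, not suspicious."""
    hosts = set()
    for uri in HEADER_URI_RE.findall(text):
        host = urlparse(uri).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def live_urls(text):
    """URLs left after comments are removed, i.e. ones that can actually reach a rendered page."""
    return URL_RE.findall(COMMENT_RE.sub("", text))


def scan_plugin(plugin_dir, trusted_hosts=("wordpress.org", "api.wordpress.org")):
    """Return (relative path, url, file_checks_login) for every live link to an untrusted host."""
    trusted = {h.lower() for h in trusted_hosts}
    texts = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    texts[os.path.relpath(path, plugin_dir)] = fh.read()
    for text in texts.values():          # first pass: learn the author's own hosts
        trusted |= header_hosts(text)
    findings = []
    for rel, text in sorted(texts.items()):
        checks_login = bool(LOGIN_CHECK_RE.search(text))
        for url in live_urls(text):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in trusted:
                findings.append((rel, url, checks_login))
    return findings


# Constructed two-file fixture standing in for a downloaded plugin; hosts and names are invented.
SAMPLE_MAIN = """<?php
/*
Plugin Name: Sample Maps (constructed fixture)
Plugin URI: http://example-author.test/sample-maps
Author URI: http://example-author.test/
*/
function sample_maps_admin_page() {
    // the author's own link on an admin screen is normal plugin behaviour
    echo '<p><a href="http://example-author.test/docs">Documentation</a></p>';
}
"""
SAMPLE_VERSION = """<?php
// update check: https://api.wordpress.org/plugins/info/1.0/
if ( ! is_user_logged_in() ) {
    echo '<div id="hdr"><a href="http://casino-example.test/bonus">play now</a></div>';
}
"""


def demo():
    """Write the fixture to a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        plugin_dir = os.path.join(base, "sample-maps")
        os.makedirs(plugin_dir)
        for name, body in (("sample-maps.php", SAMPLE_MAIN), ("version.php", SAMPLE_VERSION)):
            with open(os.path.join(plugin_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugin(plugin_dir)


if __name__ == "__main__":
    for rel, url, checks_login in demo():
        flag = " (file also checks is_user_logged_in)" if checks_login else ""
        print(f"{rel}: live link to {url}{flag}")
```

Run against a real plugin by calling scan_plugin() with the path to its folder under wp-content/plugins; the author’s documentation link in the fixture is not reported because its host appears in the plugin header, while the live gambling link in version.php is, together with the note that the same file checks the login state. Anything the script flags still needs a human to read the surrounding code before deciding it is malicious.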

Hope this helps you to remove some spam and find the source too.