SYSINT Logo
wordpress,mailware

Created

January 5, 2024

WordPress Hacked: Web page appears completely different to Googlebot

My website appears fine in all browsers, and any third-party tools I can find to visit as the Googlebot.

However, in the search console when I test the homepage live URL, it shows completely different content in a different language (Korean, Japan, etc.?).

I have requested reindexing all pages and still the bad content is in the index.

Here's an example of what it looks like in a Google search wp-hacked-website-google-search-example.png

How to detect injected content on the website?

First of all, you need to override the user agent string. If you are using the Chrome browser, you can do this as follows:

  1. Open console, and select Network tab
  2. On the right, click on the menu with three dots and select from the menu More Tools ->
  3. Network Conditions
  4. User Agent Google Bot

network-conditions-override-user-agent-string.png

When done, refresh or reload the page. If you see the same content as in the search index, then your website is infected 😢

How to fix an infected WP website?

Below is my short list of what I usually do:

  1. Update WP Core Files (of course), I do it directly on the server. I download the latest version of WP, extract it and replace all the files.
  2. Updated WP Plugins. I also update the plugins directly on the server. The readme files contain the information needed to find the appropriate website to update the plugin.
  3. Update WP themes. If for some reason it cannot be done, proceed to additional actions
  4. Set the correct file/folder permissions. It should be 644 for files (read and write owner only, others read only), and 755 for folders

Additional actions

If the above steps didn't help you, your theme is most likely infected or an attacker has access to the file system of the server

In my case, this malware dynamically downloads content over the Internet and stores *.htm files it in the folder /wp-content/uplоads/

PHP can load content using the CURL library, so I'll be looking for something that uses curl accordingly. I will look for malware in the *.php and *.phtml files in the theme that's one place I can update.

Search code/function that uses curl

I use MC, but you can use your favorite tool. find-malware-in-wp-themes.png

The result

I found about 5-7 files that use the curl function, but one of them is infected eltd-options-helper-functions.php what was inside this function is in the image below. wp-infected-theme-file.png

Remove the function, but be careful not to remove working code

wp-malware-function-uses-curl.png

How to make sure that everything works?

Scroll up to "How to detect injected content on the website" and open the website as a Googlebot

Not sure which platform or technology to use?

We can turn different applications and technologies into a high-performance ecosystem that helps your business grow.

Contact Us