Post image for Seonix WordPress hack and the tool that fixed it in 5 minutes

Seonix WordPress hack and the tool that fixed it in 5 minutes

by Jeremy Schoemaker on April 3, 2012 · 13 comments

This morning I recieved a VERY disturbing email from one of our readers:

On Tue, Apr 3, 2012 at 5:56 AM, Jorg Ruis
Hi Jeremy,

Tried to contact you Twitter and your contact form several times. Last week Thursday I discovered that someone got in to our backend and submitted quite some links (124 posts to be exact) to seonix.org. He also changed some of the canonicals of posts. I looked up which other domains were linking to him and I see quite some pages from you guys popping up like this one www.shoemoney.com/2008/11/04/making-money-with-local-affiliate-programs (chick the link at ‘affiliate marketing’). He also got to VentureBeat, Crunchbase, W3-edge.com and some others.

All the best,

Jorg Ruis

First and foremost I want to thank Jorg for taking time out to email us. Some of these are years old.

I looked at the post he mentioned then started going through the revisions of the post. It was easy to pinpoint what administrative users account had been comprimised. It was a former employee who had not been on our staff for 2 years.

I searched then site wide and found 36 posts had the links to seonix.com with various keywords as anchor, title, and alt text.

Now I could go through manually and change every one… but some had multiple links per post (average of 2 per post).

But instead I used our awesome seo mass link wordpress plugin

Using this tool I easily found all the links:

I selected all the posts and hit remove all:

Then you can see the results, see previous and current, and even revert all or certain changes.

full disclosure

About the author...

– who has written 2854 posts on ShoeMoney.com.

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of the ShoeMoney Blog, Elite Retreat Internet Conference, & the PAR Program. In 2013 Jeremy released his #1 Amazon Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. Jeremy currently lives in Lincoln Nebraska with his wife and 2 daughters.


Jeremy recommends you check out these amazing posts:

  1. spamcan 5 Quick and Easy Ways To Stop Blog Spam Before It Hits Your Blog
  2. File:Fight_Club_poster How Fight Club Changed My Life (And How You Can Change Yours Too)
  3. Delicious-20100219-073418 Using Delicious to Understand Your Users

{ 12 comments }

1 Edgar

Now that is an awesome plugin..

Now tell us Jeremy want are you going to do to get back at this hacker?

2 ShoeMoney

Lol just happy to discover it right now. Unfortunately when you track down these guys they are in a foriegn country. Plus who knows if he actually did it.

3 Dean Saliba

Very cool plugin you have there, I dread to think how long it would have taken you to remove those link manually.

But I’m confused about how the guy got in, did he just hack the user account of your ex-employee? And how come you still have a user account for someone who left your ocmpany over 2 years ago?

Glad to see you got things sorted now. :)

4 Dr Jeremy Schoemaker

He was using a weak password.

5 Ramon

Bf

6 Chris Wiegman

Yikes, good tools for cleanup there.

Have you tried enforcing strong passwords on your sites?

7 Dr Jeremy Schoemaker

First step is I deleted all admins but myself ;) There were 12 that were almost all former employees

8 mel

if he had thought of looking into more admin privilidges on wordpress, it could’ve been very disastrous, good thing there was that plugin handy.

9 Andre

After installing it, it screwed up a few other of my plugins, with notices like this:

Notice: Undefined index: wpcf_your_name in /home/mysite/public_html/blog/wp-content/plugins/wp-contactform-akismet/wp-contactform.php on line 21

10 Chapinsky

I had something really useful and constructive to say but then I saw a picture of an awesomely gorgeous scantily clad woman in the sidebar and, what was I talking about again?

Oh yeah, your link plugin (my friend she is hotness!)… *ahem* your LINK plugin, does it update the database with the new data or does it continually scan the page on pageload? I’m interested if there is no continual overhead and the links are added to the db permanently… those extra database calls are a deal killer imo.

HOTNESS!

11 shoeIsBack!

Good post Shoe (finnaly something about internet, basically the internet is what intressts me)! You are back man!

12 Greg Ellison

It also wouldn’t allow some plugins to run and got what Andre wrote. Thanks Greg Ellison

Previous post:

Next post: