This morning, we have a guest post from our friend Jeff Orloff who’s been contributing to SEOgadget on subjects such as “What Google’s Chrome OS Means for the Future of Computing” and using “Ubuntu in the Office”. Today, he’s looking at the dark art of SQL Link Injection, how to test to see if your WordPress installation suffered this ill fate and ways to mitigate the risk. Over to you, Jeff…
Having written extensively on SQL injections and cross-site scripting injection techniques, I was not surprised in the least bit when I read an article describing how a link injection works.
Anyone who has studied SEO knows how essential quality backlinks are to improving a site’s ranking with the search engines. Of course, not everyone obtains these backlinks legitimately. Since the words SEO first rolled off the tongues of early web pioneers, there are some who have sought to increase the number of backlinks to their site by any means possible.
One of the most common ways to obtain backlinks is to inject them into the signature of a forum post. For quite some time it was difficult to visit a forum without seeing at least a few mindless posts that were completely off topic. What the post did contain was a series of hyperlinks to the poster’s web sites. If the forum was popular enough, they may have upped their SERP a bit.
Like any other method of cheating the system, people soon grew wise to this method and the nofollow attribute was the result. Adding this to the code told the various search engines to disregard all outgoing links as a means to influence page ranking.
Of course, the drive for the top spot on a ranking page was too much to let a simple attribute stand in their way, so the black hat SEOs upped the stakes a bit. Using known vulnerabilities in web sites, like cross-site scripting and SQL injection, links could be injected into other people’s web sites and hidden with CSS. Particularly vulnerable were sites that relied on third-party software and themes. These add-ons were usually not tested to the extent of the application on which they run, so they left wide open holes for attackers to exploit. As a result, web sites, especially blogs, found themselves loaded with spam links to affiliate offers and bogus backlinks to the attackers’ sites.
Not only were these web sites helping to increase their attackers’ page ranking, and bank balance, but the owners of these sites quickly found their own page ranking slipping as a result of their promotion of illicit products.
Testing for Link Injection
Link injection is hard to notice because many of the injected links are encoded or masked by the software’s legitimate code. One way to check whether your site is harboring spam links is to use Google itself: do a site search for your domain together with keywords of known spam. For example, type: site: www.yoursite.com casino, or site: www.yoursite.com fat loss to see if you have been exploited by this technique. Repeat this search with as many different common spam words as you can think of.
Of course, not all attackers are as sophisticated as others. Scan the body of your site for links. If you see some that are unfamiliar, investigate further. If they are spam, take them out.
Another thing to look for is /**/eval(base64_decode appearing at the top of any of your WordPress PHP files. If you see this in your blog, you have been compromised.
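The two checks above (hidden or spam-worded links in the rendered page, and eval(base64_decode near the top of a PHP file) can be scripted so you are not relying on eyeballing every template. The following is an added example written for this post, not code from Jeff or from WordPress. The spam vocabulary, the list of CSS tricks treated as “hidden”, and the sample HTML and PHP snippets are all constructed assumptions; extend the word list with whatever your own site: searches turn up.

```python
import re
from html.parser import HTMLParser

# Constructed spam vocabulary (an assumption): extend it with whatever your
# own "site:" searches turn up.
SPAM_TERMS = ("casino", "fat loss", "viagra", "payday loan")

# The marker the post describes, eval(base64_decode(, usually prefixed with the
# empty comment /**/ so that a naive grep for "<?php eval" misses it.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

# Inline CSS commonly used to keep injected links out of sight.
HIDDEN_CSS_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d"
    r"|(?:left|top)\s*:\s*-\d{3,}|font-size\s*:\s*0(?!\.?\d)",
    re.IGNORECASE,
)

# Elements that never get a closing tag; they must not push onto the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

def php_source_looks_injected(source, head_chars=2048):
    """True when eval(base64_decode( appears within the first head_chars."""
    return EVAL_B64_RE.search(source[:head_chars]) is not None

class _LinkCollector(HTMLParser):
    """Collects every <a>, noting whether it or an ancestor is CSS-hidden."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []  # one bool per currently open element
        self._current = None     # the <a> whose text is being read, if any
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        hidden = (bool(HIDDEN_CSS_RE.search(attrs.get("style") or ""))
                  or "hidden" in attrs
                  or bool(self._hidden_stack and self._hidden_stack[-1]))
        self._hidden_stack.append(hidden)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "",
                             "hidden": hidden}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None
        if self._hidden_stack:
            self._hidden_stack.pop()

def find_suspicious_links(html):
    """Return links that are CSS-hidden and/or mention a spam term, with reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        blob = (link["href"] + " " + link["text"]).lower()
        reasons = []
        if link["hidden"]:
            reasons.append("css-hidden")
        if any(term in blob for term in SPAM_TERMS):
            reasons.append("spam-term")
        if reasons:
            findings.append({**link, "reasons": reasons})
    return findings

# Constructed samples, not taken from any real site.
SAMPLE_HTML = """<html><body>
<p>Welcome to my blog. <a href="/about">About me</a><br><img src="/logo.png"></p>
<div style="position:absolute; left:-9999px">
  <a href="http://example.com/play">online casino bonus</a>
</div>
<a href="http://example.net/diet" style="display:none">fat loss pills</a>
<p>See also <a href="http://example.org/recipes">my recipes</a></p>
</body></html>"""
SAMPLE_PHP_CLEAN = "<?php\n/* Template Name: Blog */\nget_header();\n"
SAMPLE_PHP_INJECTED = '<?php /**/eval(base64_decode("QUJD")); ?>\n<?php get_header();\n'

if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_HTML):
        print(hit["href"], hit["reasons"])
    print("injected sample flagged:", php_source_looks_injected(SAMPLE_PHP_INJECTED))
    print("clean sample flagged:", php_source_looks_injected(SAMPLE_PHP_CLEAN))
```

Run find_suspicious_links over the HTML your site actually serves (fetch it as a visitor, not from the theme files, since the eval payload only produces the links at request time), and run php_source_looks_injected over the first few kilobytes of every .php file under the WordPress root. The hidden-element check deliberately inherits from parent elements, because the usual trick is to push a whole div off screen rather than style each link.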
If you have noticed that your page ranking has dropped dramatically and can’t find any of the above evidence that you were attacked, you may want to consult your hosting company to see if they do any security work. In the event that they can help you, explain to them what happened and see what they can find. If not, you may have to hire an outside security expert or go ahead with a complete reinstallation.
In some instances, a complete reinstallation of the database is necessary to remove all of the hidden links, though there have been cases where the injection code was the same for every page, so it was easy to clean with a find/replace tool. If you are able to remove every illegitimate link from your site, there are some steps you can take to avoid a future attack:
- Change admin username and password
- Change database username and password
- Change your FTP username and password
- Don’t use simple passwords
- Check your file permissions
- Update software
- Update all third-party add-on software (plugins, modules, components, etc.)
- Contact your web host regarding a security upgrade of all their software
- Submit a re-inclusion request to Google so that you don’t continue to lose your page ranking
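“Check your file permissions” is the one item in that list that is easy to get wrong silently, so here is an added example (mine, not Jeff’s and not part of WordPress) that audits an install against the conservative baseline WordPress documentation recommends: directories 755, files 644, and wp-config.php unreadable by “other” because it holds the database password. The baseline, the set of sensitive file names and the sample modes are assumptions; adjust them to what your host actually requires.

```python
import os
import stat

# Files holding secrets (wp-config.php carries the database credentials).
# Constructed set; extend it with .htpasswd, backup dumps and the like.
SENSITIVE_FILES = {"wp-config.php"}

def classify(path, mode, is_dir):
    """Return the reasons a path's mode bits deviate from the assumed baseline
    (directories 755, files 644, wp-config.php not readable by 'other').
    Takes the raw st_mode so it can be exercised without touching a disk."""
    perm = stat.S_IMODE(mode)
    name = os.path.basename(path)
    reasons = []
    if perm & stat.S_IWOTH:
        reasons.append("world-writable")
    # setgid on a directory is a normal group-inheritance setting; only flag files.
    if not is_dir and perm & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid bit set")
    if name in SENSITIVE_FILES:
        if perm & stat.S_IRWXO:
            reasons.append("secrets readable by other users")
        if perm & stat.S_IWGRP:
            reasons.append("group-writable")
    elif is_dir:
        if perm & stat.S_IWGRP:
            reasons.append("group-writable directory")
    else:
        if perm & stat.S_IWGRP:
            reasons.append("group-writable")
        # PHP is run by the web server's interpreter; the execute bit is never needed.
        if name.endswith(".php") and perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            reasons.append("executable bit on PHP file")
    return reasons

def audit_permissions(root):
    """Walk a WordPress install and return (relative path, octal mode, reasons)
    for every entry classify() objects to. Symlinks are reported, not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink", ["symlink inside web root; confirm its target"]))
                continue
            reasons = classify(full, st.st_mode, stat.S_ISDIR(st.st_mode))
            if reasons:
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), reasons))
    return findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for rel, mode, reasons in audit_permissions(sys.argv[1]):
            print(f"{mode:>6} {rel}: {', '.join(reasons)}")
    else:
        # Constructed sample modes (paths and plugin name are made up).
        for path, mode, is_dir in [("wp-config.php", 0o644, False),
                                   ("wp-content/uploads", 0o777, True),
                                   ("wp-content/plugins/foo/foo.php", 0o755, False),
                                   ("index.php", 0o644, False)]:
            print(oct(mode), path, classify(path, mode, is_dir) or ["ok"])
```

Run it as python audit.py /var/www/html (or wherever WordPress lives) and work through the findings; a world-writable wp-content/uploads is the classic foothold that lets an injected link come straight back after you have cleaned the database, so that one deserves fixing before anything else on the list.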
Three tips to protect your WordPress installation – Matt Cutts
WP Security Scan – WordPress plugin to assess your WP installation’s overall security level
WordPress Security Whitepaper – BlogSecurity.org
Backing Up Your Database – WordPress.org
How to download your website using WGET for Windows – Builtvisible.com