Cleaning up a WordPress Defacement

A long time ago, this site got hacked. I'm not 100% sure how it was done: either by a WordPress exploit on this site, or a Joomla exploit on another site on the same shared host. It took a bit of doing, but we finally got it killed. But the hack embedded links on about half my blog post pages. I wasn’t keen on manually editing about a thousand pages, so I just let them sit.

I finally figured out how to clean these links out!

/(<a style="text\-decoration: none;" href="\/index.php\?u=)((\w+)(-?))+">\.<\/a>/

I found a WordPress plugin that allows me to run a regular expression find/replace. The one I used is “Search/Replace” which was fairly highly scored with a good amount of traffic. I am sure there are others that would work.

What this allows me to do is to write a regex to find the particular defacement – in this case a link at the end of a post, and remove it. Across all my posts. I ran it 10 at a time a few times just to make sure it wasn’t going to eat all my posts. And as always when doing bulk updates, back up the site first!
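
The same dry-run-then-batch approach, sketched in Python as an added example (not code from this post or from the plugin). The function names and sample posts are constructed for illustration. The pattern is a tightened variant of the one above: the dot in index.php is escaped and the slug uses a single character class, which is slightly broader than the original grouping but avoids nested repetition.

```python
import re

# Tightened form of the post's pattern: the dot in "index.php" is escaped and
# the slug is matched with one character class instead of a nested group, so a
# non-matching post cannot trigger heavy backtracking.
INJECTED_LINK = re.compile(
    r'<a style="text-decoration: none;" href="/index\.php\?u=[\w-]+">\.</a>'
)

def dry_run(posts):
    """Return {post_id: [matched strings]} without changing anything."""
    report = {}
    for post_id, body in posts.items():
        hits = INJECTED_LINK.findall(body)
        if hits:
            report[post_id] = hits
    return report

def clean(posts, limit=10):
    """Strip the injected link from at most `limit` affected posts per call."""
    cleaned = {}
    for post_id, body in posts.items():
        if len(cleaned) >= limit:
            break
        new_body, n = INJECTED_LINK.subn("", body)
        if n:
            cleaned[post_id] = new_body
    return cleaned

# Constructed sample posts (not taken from the site); ids and slugs are made up.
SAMPLE_POSTS = {
    1: '<p>First post.</p><a style="text-decoration: none;" href="/index.php?u=cheap-pills-online">.</a>',
    2: '<p>Clean post with a <a href="/index.php?p=2">real link</a>.</p>',
    3: '<p>Third.</p><a style="text-decoration: none;" href="/index.php?u=casino">.</a>',
}

if __name__ == "__main__":
    # Review exactly what would be removed before touching any post.
    for post_id, hits in dry_run(SAMPLE_POSTS).items():
        print(post_id, hits)
    # Then clean a small batch and inspect the result.
    for post_id, body in clean(SAMPLE_POSTS, limit=1).items():
        print(post_id, repr(body))
```

Reviewing the dry-run report first shows exactly which strings will be deleted, and the legitimate link in post 2 is left alone because it lacks the injected style attribute and `u=` parameter.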
