Moving at the Speed of Creativity by Wesley Fryer

A Creepy and Troubling Hidden WordPress Hack

It’s almost Christmas and our family is again planning to celebrate with a special dinner of prime rib. This has become a holiday tradition but is a big deal for us, since this is the only time all year I do any cooking of prime rib meat. Today before going shopping, I searched our family learning blog WordPress site (“Learning Signs”) for past posts I’d written about this favorite holiday meal. I needed to confirm how large a prime rib I’d purchased in the past, and was also interested in reading the lessons learned and suggestions I’d documented in the past. I’ve written posts in 2011, 2013, 2015, and 2016 on this topic.

I found the 2016 post on my iPhone, “Best Christmas Dinner Ever: Prime Rib,” but was immediately alarmed when I read it to see references and links to things like motorized scooters, instant loans, and airsoft guns. I realized immediately that my website had been hacked, since I had not included those things in my post two years ago… but it wasn’t immediately clear if my entire website was compromised.
Highlights show words and links added to my post by a hacker

This is how the post SHOULD have appeared, and does now since I used WordPress’ built-in “revision history” to roll back the post to its original version.

Prime Rib Blog Post
My corrected / original WordPress Post About Holiday Prime Rib

I have, unfortunately, dealt with WordPress hacks on my own websites and those administered and hosted by others several times in the past. My earliest experience with them may have been 10 years ago, in 2008. In most cases, the entire WordPress site was compromised and I had to either restore the entire thing from a BackupBuddy backup, or pay a reputable WordPress security company (like Sucuri) to clean it up. The “vector” used by hackers in all these cases wasn’t necessarily clear… In some, the WordPress installation and associated plug-ins hadn’t been updated regularly as they should be. In others, I suspected weak passwords. In each of those past cases, however, the hackers had taken advantage of a vulnerability and rendered the site so corrupted I couldn’t repair it directly myself.

In today’s case, it appears that this single post from 2016 was targeted and edited to include links the hacker was most likely paid to insert. What was surprising and alarming, however, was the way in which the language of the post was altered, so the new sentences and links ALMOST flowed with my original verbiage. This does not appear to have been a bot attack; I think this was someone crafting language by hand and inserting links into this specific post… possibly because it was highly ranked on Google and other search engines at the time. I haven’t updated all my WordPress sites to SSL as recommended, and this has significantly hurt my SEO (search engine optimization) rankings. Starting in July 2018, Google began marking all websites as “insecure” in its search results and in the Chrome web browser if they don’t use encryption. I looked into the steps for doing this, but because I maintain so many sites and have been too professionally busy with other things, I haven’t made these code changes yet.

Closer inspection of the revision history for this hacked webpage revealed that the latest unauthorized change took place 9 months ago.

WordPress Revision Comparison 1
Revision history shows hacked changes 9 months ago

A series of changes had actually been made in the preceding months, going all the way back to August 2018.

WordPress Revision Comparison 2
First unauthorized hack of this WordPress post

I am glad there have not been any new changes to the post in the past 9 months, but of course I’m concerned there may be other posts that are also compromised. I have over 450 posts on the “Learning Signs” blog, so this isn’t something I can readily scan over.

A few months ago, I changed the hosting company for most of my websites, and at that time I deactivated all the administrator accounts on that website, just keeping my own. I also changed my administrator password to a much more secure (long and random) version, and ensured iThemes Security Pro was properly installed and configured. I’d previously used the Wordfence security plugin for WordPress, but had some hacking problems even when it was installed, so I changed everything over to iThemes Security.

Today I enabled logging features in iThemes Security Pro, so all admin user access is logged. I’ll try and keep an eye on this in upcoming weeks. I’d like to find a way to show a list of all my posts on the site, sorted by the date each was last modified. That way, I could identify unusual discrepancies between original publishing dates and more recent modification dates. I looked at a few plugins but couldn’t find a way to readily do this. If you have any suggestions on that front, please let me know with a comment or by reaching out to me on Twitter @wfryer.
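One way to build the list described above, as an added example that is not from the original post: it reads post records in the shape the WordPress REST API returns (`date_gmt`, `modified_gmt`, `link`, `content.rendered`), flags posts edited long after publication, sorts them by last-modified date, and lists the off-site hosts each one links to. The sample records, the `blog.example` and `loans.example` hosts, the 30-day window and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, shaped like the JSON from /wp-json/wp/v2/posts
# (real fields: id, link, date_gmt, modified_gmt, content.rendered).
SAMPLE_POSTS = json.loads("""[
 {"id": 101, "link": "https://blog.example/prime-rib/",
  "date_gmt": "2016-12-26T03:10:00", "modified_gmt": "2018-08-14T09:42:00",
  "content": {"rendered": "<p>Dinner <a href='https://loans.example/x'>instant loans</a></p>"}},
 {"id": 102, "link": "https://blog.example/hike/",
  "date_gmt": "2017-05-02T18:00:00", "modified_gmt": "2017-05-02T18:20:00",
  "content": {"rendered": "<p>Trail <a href='https://blog.example/map/'>map</a></p>"}},
 {"id": 103, "link": "https://blog.example/recital/",
  "date_gmt": "2015-03-01T12:00:00", "modified_gmt": "2015-06-20T08:00:00",
  "content": {"rendered": "<p>No links here.</p>"}}
]""")

class LinkHosts(HTMLParser):
    """Collects the hostname of every <a href> in a post body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.append(host.lower())

def late_edits(posts, site_host, grace=timedelta(days=30)):
    """Posts edited more than `grace` after publication, newest edit first."""
    flagged = []
    for p in posts:
        published = datetime.fromisoformat(p["date_gmt"])
        modified = datetime.fromisoformat(p["modified_gmt"])
        if modified - published <= grace:
            continue  # ordinary touch-ups soon after publishing are skipped
        parser = LinkHosts()
        parser.feed(p["content"]["rendered"])
        external = sorted({h for h in parser.hosts if h != site_host})
        flagged.append({"id": p["id"], "link": p["link"], "modified": modified,
                        "gap_days": (modified - published).days,
                        "external_hosts": external})
    return sorted(flagged, key=lambda r: r["modified"], reverse=True)

if __name__ == "__main__":
    for r in late_edits(SAMPLE_POSTS, "blog.example"):
        print(r["modified"].date(), r["gap_days"], r["link"], r["external_hosts"])
```

Against a live site the same records come from the REST API's posts endpoint, which also accepts `orderby=modified`.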

Hopefully this situation will not repeat itself. It’s a bad feeling to have words and links you never wrote or inserted put into a blog post you’ve published out “for the world.” 🙁

(You can view comments and add comments about this post on this Facebook thread. Also feel free to reach out to me on Twitter @wfryer. Or comment below!)
