Please visit my new, improved website!

>> Wildermuth Creative Portraits <<

  • A weed is no more than a flower in disguise.
  • Got Spam in YOUR Templates?


    This is not the first time I’ve seen this – spammers somehow hack into WordPress template files and add in their junk, styling it inline so it’s not visible on your blog. Hidden junk mail, basically, in your theme. It happened to me over a year ago, but this particular incident was a refresher course as I found it in a client’s header file while upgrading and updating her theme. Please, please please – check your theme template files regularly. Particularly your header.php, those buggers like to get their links in there and set up negative margins before your content begins on the page.

    Here are a couple of screenshots – click to enlarge. You can see the menu_rll is the div id used to enclose the spam. In this case, they hacked into both the header.php as well as the main index.php.

    Found in the header.php template

    Found in the index.php template
    It is helpful if you change your admin password somewhat regularly, other than that I can’t tell you exactly how they manage to get in there. I’ve had a pretty secure password for years (I rotate it out) and keep my file permissions secure as well, so I’ve never been able to get a straight answer about the “how does this happen”. It’s aggravating – as these types of links should be PAID for and you should not be spammed or hacked into displaying them without your knowledge. I have tried to pursue these sites before (none of these links are live, I will not give them any free linkage here) – they always play dumb that they had no idea the people they pay to manage their links were hacking sites.

    So folks, this might be news to you – but you might just find some spammy links in your template files. Go on and check, it only takes a minute. Look under presentation/theme editor and just scroll through your template files to make sure there’s nothing spammy going on with your website that you don’t know about. And also – if you’re not using the most current version of WordPress, It’s time to upgrade.. Eliminate any possible vulnerability.

    UPDATE: Another WP user discovered massive amounts of spam in his template, it actually affected his Google ads – the ad content started getting “spammy” and he couldn’t figure out why. Check out his experience here.

    Another update: I am also being told that when upgrading – it is HIGHLY advised to completely delete everything but the wp-config file and upload the fresh upgrade to ensure any files that were hacked are gone and avoid future vulnerabilities. For detailed and easy to follow upgrade instructions, see my post here.

    Also see: TechCrunch “WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next?


    All Adither said,

    That is SO interesting. I had no idea. I wonder if I should check my Typepad template too. I wonder how to even do that.

    3.8.2008 @ 2:55 pm
    Lindsey said,

    Blech! Do spammers have no souls?!

    Lindsey’s last blog post..101 in 1001 updates!

    3.8.2008 @ 3:48 pm
    taba said,

    you are so smart. :yes: did you get me anything pretty at kohls? namely anything i can fit my un-warped a$$ into?

    3.8.2008 @ 4:53 pm

    I don’t see how they can do this, but I will definitely check and change password now.

    Sleeping Mommy’s last blog post..A blessing of simple pleasures

    3.8.2008 @ 4:57 pm
    Renee said,

    Is this a worry for a blogspot template too? I worry about messing with my template and deleting something that I need.

    Renee’s last blog post..Dh is home and other stuff of non-importance

    3.8.2008 @ 6:05 pm
    Leanne said,

    I would venture to guess that other blogging platforms are just as vulnerable if the templating system can be accessed through a password. It’s always safe to LOOK, at least, check to see if it’s there. If you need help removing it or you’re worried that you’ll break your blog, then do reach out for help. Most of the time if you just make a quick backup, you can definitely tell the beginning and end of this hack and you’ll know (just from anger alone) EXACTLY what you want to remove.

    3.8.2008 @ 6:09 pm
    Marcia said,

    Thank you, Leanne. I checked mine by using my FInd and didn’t even have the menu_rll show up at all, so I tried again with the beginning of a link (http, etc).. and found no untoward links. Just a note. I have Theme Test Drive plug in – and had to remember to make sure I was checking my active theme. I nearly forgot. I bet I won’t be the only one. Now to check the other themes I have been using. :thanku: for telling us.

    Marcia’s last blog post..Stopping on interstate!

    3.8.2008 @ 8:04 pm
    Tipper said,

    Hello, Just wanted to say I stumbled across your blog-and it is beautiful. Its different than any other blog I have seen-in a great way! I just love the design.


    Tipper’s last blog post..Cold Feet

    3.9.2008 @ 11:24 am
    Bob Walton said,

    Thanks for the heads-up. I’ve got a wordpress blog in the works, and hope to launch in a month or so. I appreciate the insight and experience you bring to bear on the matter.

    3.9.2008 @ 10:23 pm
    YellowRose said,

    Thanks!! :blushing: What would we do without you?! (I don’t want to found out!!)

    YellowRose’s last blog post..Photo Hunt – ?Different?

    3.10.2008 @ 6:41 pm

    […] Got Spam in YOUR Templates? […]

    4.13.2008 @ 11:50 am
    Dale said,

    Thank you for this. I saw that my site had a problem when running it through an RSS validator, but it was your article that tipped me off to header.php.

    Mentioned you here.

    Thanks again… you saved me hours of trying to figure out what was going on….

    Bye for now,


    Dale’s last blog post..Change Your WordPress Admin Password!

    4.13.2008 @ 11:55 am
    Dale said,

    Hi, Leanne … thanks for the mention and the link back to my post!

    Bye for now,


    Dale’s last blog post..“Snail on the Run!”

    4.14.2008 @ 6:55 pm

    From what Dreamhost told me, when I had almost the same problem, they get in not through the admin panel, but web ftp by hacking the passwords. Not sure what they really get out of it, other then being, well, you know.

    PS: when stuff like this happens, people should really check their htaccess file.

    William Teach’s last blog post..Sick Liberal Porn Fantasies Aimed At Conservative Women

    4.15.2008 @ 6:03 pm
    Dale said,


    Interesting what you found out from Dreamhost. That makes sense in my situation, because when I changed my WordPress admin password, I also changed the password I use to access my web hosting services. Will update my original article with this info, and make it a practice to change that password more often.

    Thanks for letting everyone know what you found out!



    Dale’s last blog post..“Snail on the Run!”

    4.15.2008 @ 8:16 pm

    […] Back in November of 2007, I mentioned that someone hacked my htaccess file, and did even worse stuff. Well, it seems that someone has done something similar to my good blog friend Beth at Blue Star Chronicles, as well as a few others, such as A Few Good Pens and Artist By Nature. […]

    4.16.2008 @ 5:20 am

    […] actually I only surfed for 15 minutes before I can find several blogs, A Few Good Pens and Intricate Art who undergo the similar […]

    6.10.2008 @ 3:44 pm

    Sorry, comments are now closed.

    {Latest Projects}