No new occurrences in the last 24 hours. I’m trying to monitor this closely. I found some references to gmpg(dot)org in the header file that didn’t arrive with the original theme. I wiped the statement out, then went searching. I found another reference to this site in the sidebar php file which did come with the original theme.
To me, that’s what’s known as suspicious. The reference was a simple href-style link and the gmpg organization appears to be legit, however, just as hackers use the WordPress acknowledgment link in the footer of most sites to target WordPress sites, I’m suspicious that hackers are using this sort of hidden link to somehow target and access a weakness in a given theme.
This is, you understand, totally conjecture on my part, but I’m leaving those references out of my themes from now on, (as well as a bunch of other security measures) and hoping I don’t get a recurrence of those pesky links.
Again, this was not dangerous to anyone visiting. It was pure and simple a means to fool search engines into legitimizing those links that were being inserted and thus raising them to the top of the search lists. The more places with “links” to sites, the more “legitimate” they are, to the search robots. (Do I have that correct, oh computer gurus?)
Back to editing RoL.
I find this kind of thing thoroughly infuriating. I had my own page hacked several years ago, and the bugger deleted everything and put up blank white pages with his hacker name.
Unfortunately, I hadn’t thought of saving everything back then. And had to rebuild everything from scratch. So — MAKE SURE YOU HAVE BACK UPS!
The strange thing is if they weren’t so devious and harmful, mostly I wouldn’t care about it. I’d even have been amused if the bugger who did my page had just made a folder to put my old pages in, so I could replace them when I found it. (shakes head)
Wishing you no more troubles of this kind.
Thanks for thinking of that.
Lynn has set up an auto-backup for all the wp-sites, CC included, so I think we’re covered. I had a backup, but haven’t made one for a couple of weeks. I’m just as glad to let her handle…so much more organized than I!
In the just in case dept, I want to verify that you did change the password to your database. This is not the same as the password to your blog. You would need to change it with your host and in the code for your blog. See below…
In your wp-config.php file, you’ll see something like this:
// ** MySQL settings ** //
define(‘DB_NAME’, ‘mydatabase’); // The name of the database
define(‘DB_USER’, ‘mydatabaseusername’); // Your MySQL username
define(‘DB_PASSWORD’, ‘XXXXXX’); // …and password
where the Xs represent the password to your database. Anyone can see this. This is how the hackers access your database and make changes.
I apologize if you’ve changed it but I was wondering if you might not know that the DB password is not the same as the WP password, etc.
Talked to Lynn last night and turns out our security is really high on our installations. Our host has a different way of installing WP. The hackers take advantage of the standard WP instructions on installations.
The infiltration had to be through my theme. It’s the only “what’s unusual” between my blog and the others, and I’m trying to figure out how to break the new to the lad who wrote the theme.
I’ll query Lynn on this one. Thanks.
I hope you’ve licked it. I have had some very minor incursions an my blog, Natural History Notes, which have been comments that I suppose advertise porn sites. Since they are entirely in Japanese characters, I don’t know for certain, but when I unwisely clicked on one, I got a page of Girls! Girls! type pictures. My comments, of which there are almost none, are moderated, so every now and then I get an e-mail that Anonymous has left a comment on such-and-such a post, and I check, and if it’s all characters and I can’t read a word, I reject it. Bit hard, I suppose, on any genuine Japanese appreciater of my little blog, but them’s the breaks.
If it ever escalates, I may have to learn if there’s something else I can do. Writer Joshilyn Jackson’s delightful blog, Faster than Kudzu, was offline for several days once when she was, as she said, “drowning in a pink gelid ocean of fine Hormel canned food product.” But since she was forced to get the upgraded software she coveted, she ended up happy ;-)
I’m looking forward most eagerly to your Rings, and to the young Wesley. And Sergei (and his cat) — pretty please? (my cousin asked, “Is the cat a vampire too?” I had to tell her that I’ve no clue, but look forward to finding out!
Definitely, Cat is a vampire. For all I’ve been able to figure, Cat might have helped create Sergei!
Certainly Cat has been around as long as Sergei has. I’ve managed to come up with what I think is a pretty cool, non-standard Vampire mythos, which will, of course, make me totally non-commercial. 
But I think Cat is going to be on the cover…along with the owl. And the moon. That should get all the necessary tropes…oh, except a wolf. No wolves in mine, at least not yet. Probably not ever. But there is a horse named Bucephalus. 
Oh…your Japanese spam sounds kinda funny, as long as there’s no more than what you describe!
There are things that can be done at the WP installation level to protect you from incursions. This problem is definitely related to the theme I chose, which I believe gave a foothold for the bots to insert their links. I’ll probably eventually go over to something based on the constructor theme like I used on CC, which allows for lots of variety, but I need time to make all the visuals for it, and that’s not happening any time soon. So as long as there are no more manifestations, I’ll stick with this theme. If the problem recurs, I’ll have to put the change up to the top of the priority list.