If you’re finding random links to malicious or spammy sites on your WordPress website, it can be very frustrating to find the source.
In a recent case, a WordPress website was injected with random text links to gambling and casino sites in the body of any WordPress page/post text. These linked to iframes hosted on the top-level domain; they appeared to be hosted within WordPress. To make matters worse, these links only appeared when you were not logged in. So if you are typically logged in to WordPress, you may not notice them.
This website had not had any new code, themes, or plugins added in the last few months, so it was unlikely that the issue came from a recent installation.
If you want to read the solution, skip to the end of this post.
Troubleshooting
Security Plugin Scans
I ran iThemes Security, Sucuri, Siteguarding.com, and Wordfence scans and nothing was returned. I even had some of the scans look in the database for encrypted entries.
Recently Changed Files
I checked for recently changed or created files and came up dry. What was strange is that these links were a relatively new addition to the site, but nothing had been modified in the files.
Deactivate Plugins
Normally, you deactivate your plugins one at a time to spot the culprit. However, I deactivated them all and the problem persisted.
Reinstall WordPress Core
You can reinstall the core WordPress files from the WordPress update screen. This replaces all the core files with a fresh copy from WordPress.org. This did not fix the issue.
Change to Default WordPress Theme
I activated the Twenty Fourteen default WordPress theme and the malicious links went away. So I then knew the problem was an issue in the theme.
The Fix
I finally came across the Anti-Malware and Brute-Force Security by ELI WordPress plugin that provided some direction. It found a suspicious PHP include in the functions.php:
<?php include('images/social.png'); ?>
My default image reader was unable to read this social.png file. I opened it with a text editor and it was a bunch of encoded text.
Injecting PNG files with encoded PHP that loads iframes is a newer tactic being used today. You can read more about it on threatpost.com. If you want to read more on the subject, search “iframe PNG virus” or “sneaky social.png”.
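The two signs described above (a PHP include that points at an image path, and a ".png" file that is not really a PNG) can be checked for directly. This is an added example, not code from the original post or from any of the plugins mentioned; the names scan_theme, demo and example-theme are hypothetical, and the sample theme tree, including the stand-in social.png content, is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes that genuine image files of each extension start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# include/require (optionally _once) whose string argument ends in an image extension.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif))['\"]",
    re.IGNORECASE)

def scan_theme(theme_dir):
    """Return (php_includes, fake_images) found under theme_dir."""
    root = Path(theme_dir)
    php_includes, fake_images = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        ext = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext == ".php":
            lines = path.read_text(errors="replace").splitlines()
            for lineno, line in enumerate(lines, 1):
                m = INCLUDE_RE.search(line)
                if m:  # PHP source pulling in an "image" as code
                    php_includes.append((rel, lineno, m.group(1)))
        elif ext in MAGIC:
            with path.open("rb") as fh:
                head = fh.read(8)
            if not head.startswith(MAGIC[ext]):  # extension and content disagree
                fake_images.append(rel)
    return php_includes, fake_images

def demo():
    """Build a constructed theme tree mirroring the case above and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "example-theme"  # hypothetical theme name
        (theme / "images").mkdir(parents=True)
        code = "<?php\nadd_theme_support('menus');\ninclude('images/social.png');\n"
        (theme / "functions.php").write_text(code)
        # Constructed stand-in for the encoded-text file; not a real payload.
        (theme / "images" / "social.png").write_bytes(b"PLACEHOLDER-ENCODED-TEXT")
        (theme / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        return scan_theme(theme)

if __name__ == "__main__":
    print(demo())
```

To check a real site, call scan_theme on a copy of the active theme directory under wp-content/themes; any hit in either list deserves a manual look in a text editor.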
Summary
Be careful where you download themes and plugins from. Sometimes you can download premium themes and plugins for “free” (referred to as “nulled”). This can be dangerous as they are usually spread around by an original source that has set up their own backdoor into your site. As a test, I did a random search for a free premium WooThemes theme and found the exact same problem as above with the social.png include in the child theme’s functions.php file. This seems to be a very common tactic.