Fun with a baffling WP security issue

7853146846_7b45520dbd_m[1]One of the secret joys of being a techie is when you have a problem that baffles the experts in a field. It doesn't happen often, and it's frequently an aggravating experience, but in retrospect it can be shared as a war story and as a way of boosting your geek cred.

Earlier today I got an email from the web security experts at Sucuri, and it reminded me about a baffling security issue which I had never shared publicly. Since the problem has long since gone away (or at least I think it has) I thought it would be interesting to share a problem which I was unable to resolve even after I hired security experts.

In February of this year I discovered, quite by accident, that my blog had picked up a new ad. Anyone visiting my blog from an Android device got to see an ad for White Castles overlayed across the bottom of the screen. It looked like this:

click to embiggen

click to embiggen

I first saw that advert while I was on a trip while using the Wifi network at a conference center, so I initially thought that the center had injected the advert. But then I saw the ad in my hotel room, and after I got confirmation on twitter that others could see it I realized that I had a more serious problem.

That is not my advert, which very likely means that someone hacked my website somehow. (If you run a website you can probably understand the overwhelming sense of panic which accompanied that conclusion.)

I immediately set out to solve the problem. Here's what didn't help:

  • To start, I checked Google Webmaster Tools. This isn't strictly a security tool but it does keep an eye out for malware and sometimes it will flag an issue. No such luck.
  • Next, I went through my blog's theme and looked for any code which didn't belong. Nada.
  • Then, I double-checked that none of my plugins were misbehaving or tied to reports of malware. Zip.
  • Also, I checked to see if I could find a suspicious file uploaded to my site without my knowledge. Bupkus.
  • Finally, I installed a couple different security scanning plugins (one at a time) and had them look for issues. Zilch.

That is all the security troubleshooting I could think of, so I decided to hire an expert and tell them to fix it.


On the advice of a friend, I signed up for a year's service with Sucuri. This company provides website monitoring and malware cleanup. They cost $100 a year (for a single site), a price I was willing to pay to get this fixed.

After Sucuri's regularly scheduled scans failed to find anything wrong, I filed a support ticket and pointed them at the problem. I gave them the screenshot, explained how to recreate the issue, and gave Sucuri FTP access to my blog.

They couldn't find it.

Oh, Sucuri found all sorts of non-issues, including code for inactive websites which I had never bothered to delete, but they couldn't find what was injecting the advert into my blog. On the plus side they also didn't find any evidence of malware which could threaten my visitors, but that is a small consolation.

I was never able to solve this problem, so what I should have done next was to publicly ask for help (or, if i wanted to throw money at the issue, perhaps hire a second expert). I honestly can't tell you why I didn't, but that's neither here nor there.

The problem has since gone away. I can't tell you how, but somewhere in the process of switching webhosts, changing my blog theme, and the general cleanup maintenance I performed in July, that advert went away.

Or at least I think it has.

If you see that advert, let me know so I can try to fix the issue - again. You might also forward it to any web security experts you know; I bet they would be interested.

And if you know what was causing the problem, please leave a comment. Even at this late of a date, I would love to know how this happened.

images by IntelFreePressAZRainman

About Nate Hoffelder (10603 Articles)
Nate Hoffelder is the founder and editor of The Digital Reader:"I've been into reading ebooks since forever, but I only got my first ereader in July 2007. Everything quickly spiraled out of control from there. Before I started this blog in January 2010 I covered ebooks, ebook readers, and digital publishing for about 2 years as a part of MobileRead Forums. It's a great community, and being a member is a joy. But I thought I could make something out of how I covered the news for MobileRead, so I started this blog."

8 Comments on Fun with a baffling WP security issue

  1. John Christian Hager // 7 December, 2014 at 7:27 am // Reply

    Did you contact White Castle? Maybe it’s a known issue for them. Good luck and thanks for all the hard work you do on this blog.

  2. I’d bet the “switching webhosts” is the key event. Did you contact your webhost at the time to ask about this? Remember that your landlord has a key to your apartment, and all kinds of shenanigans can ensue if they’re trying to make some bucks on the side.

  3. Hypothesis/conjecture: A SQL injection attack may have allowed a hostile party to embed offsite ad server URLs. When you preformed WP maintenance, those associated (tables? fields?, etc.) {sh/w}ould have been automatically culled by the WP update script (eg: deleted the invalid records).

    An interesting case. I would have enjoyed running some regex against a DB dump. Ah well.

    Unsolicited advice: I assume your host uses some version of GNU/Linux. If so, setup(/ask them to provide) automatic daily backups of: your database, WP system files & uploaded content (eg: images) as three individual “tarballs” scheduled thru cron. Apologies I have nothing more specific ATM; I’m a Drupal man, myself.

    • An SQL injection attack is a possibility. I have the remnants of several “posts” sitting in my DB that I didn’t create and can’t delete. I only found them in the past month or so. Do you think they could be related?

      And I have cleaned up the database a couple times since I found that advert.

  4. Did you even bother to perform a wget to download a copy of the web-code that was being served to you, so you could analyze every URL and see which one was the source of the rogue advertizement?

    When I browse the web, I can look at the outgoing traffic log my router keeps – this tells me the various hosts that my machine is looking up during the course of browsing. From this, I add TONS of entries to my HOSTS file – so my computer becomes incapable of contacting these garbage servers (serving ads, tracking me in various ways, etc). If you had done this, you would have been able to at least identify the host machine or domain that was serving your rogue white castle ad.

1 Trackbacks & Pingbacks

  1. Lenovo Installed Malicious Adware on Customers' Computers - Here's How to Remove it ⋆ Ink, Bits, & Pixels

Leave a comment

Your email address will not be published.


%d bloggers like this: