Skip to main content

Fun with a baffling WP security issue

One of the secret joys of being a techie is when you have a problem that baffles the experts in a field. It doesn’t happen often, and it’s frequently an aggravating experience, but in retrospect it can be shared as a war story and as a way of boosting your geek cred.

Earlier today I got an email from the web security experts at Sucuri, and it reminded me about a baffling security issue which I had never shared publicly. Since the problem has long since gone away (or at least I think it has) I thought it would be interesting to share a problem which I was unable to resolve even after I hired security experts.

In February of this year I discovered, quite by accident, that my blog had picked up a new ad. Anyone visiting my blog from an Android device got to see an ad for White Castles overlayed across the bottom of the screen. It looked like this:

click to embiggen

click to embiggen

I first saw that advert while I was on a trip while using the Wifi network at a conference center, so I initially thought that the center had injected the advert. But then I saw the ad in my hotel room, and after I got confirmation on twitter that others could see it I realized that I had a more serious problem.

That is not my advert, which very likely means that someone hacked my website somehow. (If you run a website you can probably understand the overwhelming sense of panic which accompanied that conclusion.)

I immediately set out to solve the problem. Here’s what didn’t help:

  • To start, I checked Google Webmaster Tools. This isn’t strictly a security tool but it does keep an eye out for malware and sometimes it will flag an issue. No such luck.
  • Next, I went through my blog’s theme and looked for any code which didn’t belong. Nada.
  • Then, I double-checked that none of my plugins were misbehaving or tied to reports of malware. Zip.
  • Also, I checked to see if I could find a suspicious file uploaded to my site without my knowledge. Bupkus.
  • Finally, I installed a couple different security scanning plugins (one at a time) and had them look for issues. Zilch.

That is all the security troubleshooting I could think of, so I decided to hire an expert and tell them to fix it.


On the advice of a friend, I signed up for a year’s service with Sucuri. This company provides website monitoring and malware cleanup. They cost $100 a year (for a single site), a price I was willing to pay to get this fixed.

After Sucuri’s regularly scheduled scans failed to find anything wrong, I filed a support ticket and pointed them at the problem. I gave them the screenshot, explained how to recreate the issue, and gave Sucuri FTP access to my blog.

They couldn’t find it.

Oh, Sucuri found all sorts of non-issues, including code for inactive websites which I had never bothered to delete, but they couldn’t find what was injecting the advert into my blog. On the plus side they also didn’t find any evidence of malware which could threaten my visitors, but that is a small consolation.

I was never able to solve this problem, so what I should have done next was to publicly ask for help (or, if i wanted to throw money at the issue, perhaps hire a second expert). I honestly can’t tell you why I didn’t, but that’s neither here nor there.

The problem has since gone away. I can’t tell you how, but somewhere in the process of switching webhosts, changing my blog theme, and the general cleanup maintenance I performed in July, that advert went away.

Or at least I think it has.

If you see that advert, let me know so I can try to fix the issue – again. You might also forward it to any web security experts you know; I bet they would be interested.

And if you know what was causing the problem, please leave a comment. Even at this late of a date, I would love to know how this happened.

images by IntelFreePressAZRainman

Similar Articles


John Christian Hager December 7, 2014 um 7:27 am

Did you contact White Castle? Maybe it’s a known issue for them. Good luck and thanks for all the hard work you do on this blog.

Nate Hoffelder December 7, 2014 um 12:42 pm

Yes. I didn’t get a response.

John Heckendorn December 7, 2014 um 8:15 am

I’d bet the "switching webhosts" is the key event. Did you contact your webhost at the time to ask about this? Remember that your landlord has a key to your apartment, and all kinds of shenanigans can ensue if they’re trying to make some bucks on the side.

Nate Hoffelder December 7, 2014 um 8:22 am

I honestly didn’t try; I would have been given the run around by tech support, which wasn’t very competent in the first place. It wasn’t worth the frustration.

NoNeedForAName December 7, 2014 um 6:39 pm

Hypothesis/conjecture: A SQL injection attack may have allowed a hostile party to embed offsite ad server URLs. When you preformed WP maintenance, those associated (tables? fields?, etc.) {sh/w}ould have been automatically culled by the WP update script (eg: deleted the invalid records).

An interesting case. I would have enjoyed running some regex against a DB dump. Ah well.

Unsolicited advice: I assume your host uses some version of GNU/Linux. If so, setup(/ask them to provide) automatic daily backups of: your database, WP system files & uploaded content (eg: images) as three individual "tarballs" scheduled thru cron. Apologies I have nothing more specific ATM; I’m a Drupal man, myself.

Nate Hoffelder December 7, 2014 um 6:47 pm

An SQL injection attack is a possibility. I have the remnants of several "posts" sitting in my DB that I didn’t create and can’t delete. I only found them in the past month or so. Do you think they could be related?

And I have cleaned up the database a couple times since I found that advert.

sum guy December 8, 2014 um 10:01 am

Did you even bother to perform a wget to download a copy of the web-code that was being served to you, so you could analyze every URL and see which one was the source of the rogue advertizement?

When I browse the web, I can look at the outgoing traffic log my router keeps – this tells me the various hosts that my machine is looking up during the course of browsing. From this, I add TONS of entries to my HOSTS file – so my computer becomes incapable of contacting these garbage servers (serving ads, tracking me in various ways, etc). If you had done this, you would have been able to at least identify the host machine or domain that was serving your rogue white castle ad.

Nate Hoffelder December 8, 2014 um 10:11 am

The ad only showed up on Android, which made debugging difficult.

I have the URL which the advert sent me to, but I wasn’t able to identify the owner or ad network.

Lenovo Installed Malicious Adware on Customers' Computers – Here's How to Remove it ⋆ Ink, Bits, & Pixels February 19, 2015 um 9:29 pm

[…] put it simply, Lenovo was doing to their customers what someone (my previous webhost, I think) did to my blog. In this case the adverts were being injected by a piece of adware called Superfish, which […]

Write a Comment