Description:
Spammy links are injected into the WordPress theme "credits" section after the words "Powered by WordPress". The links have nothing to do with the site.
The section itself is usually hidden:
<style type="text/css">
<!--
#credits{
display: none;
}
-->
</style>
A typical "credits" section with spammy links:
<div id="credits">Powered by <a href="http://wordpress.org/"><strong>WordPress</strong></a> | Designed by: <a href="http://suv.reviewitonline[.]net/">suv</a> | Thanks to <a href="http://trucks.reviewitonline[.]net/">trucks</a>, <a href="http://suv.reviewitonline[.]net/infiniti-suv/">infiniti suv</a> and <a href="http://suv.reviewitonline[.]net/toyota-suv/">toyota suv</a></div><!-- #credits -->
Affecting:
Mostly WordPress sites.
Cleanup:
To resolve this issue, remove the spam links from the theme. They are usually located in the footer.php file. However, in many cases the theme distributor added code that prevents you from removing the spammy links, so you need to find and remove that code too.
Search for the following (or similar) code in functions.php and remove the highlighted part.
function wp_initialize_the_theme_load() {
    if (!function_exists("wp_initialize_the_theme")) {
        wp_initialize_the_theme_message();
        die;
    }
}

function wp_initialize_the_theme_finish() {
    $uri = strtolower($_SERVER["REQUEST_URI"]);
    if (is_admin() || substr_count($uri, "wp-admin") > 0 || substr_count($uri, "wp-login") > 0) {
        /* */
    } else {
        // The spam link that the theme expects to find in footer.php
        $l = '<?php if(is_home() || is_front_page()) { ?> | Designed by: <a href="hxxp://spammy-site.dom">spammy text</a><?php } ?>';
        $f = dirname(__file__) . "/footer.php";
        $fd = fopen($f, "r");
        $c = fread($fd, filesize($f));
        $lp = preg_quote($l, "/");
        fclose($fd);
        // Stop the site if the link is missing, wrapped in an HTML comment, or wrapped in a PHP block
        if (
            strpos($c, $l) == 0
            || preg_match("/<\!--(.*" . $lp . ".*)-->/si", $c)
            || preg_match("/<\?php([^\?]+[^>]+" . $lp . ".*)\?>/si", $c)
        ) {
            wp_initialize_the_theme_message();
            die;
        }
    }
}

wp_initialize_the_theme_finish();
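To check a theme for the three signs described above (a hidden #credits block, off-site links inside it, and a footer.php check in functions.php), a scan like the following can be run over the theme files. This is an added example, not part of the original write-up; the allowlist, the function names and the sample file contents are assumptions constructed for illustration, and the footer-check pattern is a heuristic.

```python
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"wordpress.org"}  # assumption: add the site's own domain here

HIDDEN_CREDITS = re.compile(r"#credits\s*\{[^}]*display\s*:\s*none", re.I)
CREDITS_DIV = re.compile(r'<div\s+id="credits">(.*?)</div>', re.I | re.S)
HREF = re.compile(r'href="([^"]+)"', re.I)
# Heuristic: code that mentions footer.php, tests its contents, then calls die.
FOOTER_LOCK = re.compile(r"footer\.php.*?(strpos|preg_match)\s*\(.*?\bdie\b", re.I | re.S)

def credit_links(html, allowed=ALLOWED_HOSTS):
    """Return hosts linked from the #credits div that are not on the allowlist."""
    hosts = []
    for block in CREDITS_DIV.findall(html):
        for url in HREF.findall(block):
            # Undo "[.]" defanging so the URL parses.
            host = (urlparse(url.replace("[.]", ".")).hostname or "").lower()
            if host and not any(host == a or host.endswith("." + a) for a in allowed):
                hosts.append(host)
    return hosts

def scan_theme(files, allowed=ALLOWED_HOSTS):
    """files maps file name -> contents; returns a list of (file, finding)."""
    findings = []
    for name, text in files.items():
        if HIDDEN_CREDITS.search(text):
            findings.append((name, "credits section hidden with display:none"))
        for host in credit_links(text, allowed):
            findings.append((name, "off-site credits link: " + host))
        if name.endswith("functions.php") and FOOTER_LOCK.search(text):
            findings.append((name, "footer.php integrity check that calls die"))
    return findings

# Constructed sample theme files (not taken from a real site).
SAMPLE = {
    "footer.php": '<style>#credits{display: none;}</style><div id="credits">Powered by '
                  '<a href="http://wordpress.org/">WordPress</a> | Designed by: '
                  '<a href="http://suv.spam.example/">suv</a></div>',
    "functions.php": '$l = \'| Designed by: <a href="http://suv.spam.example/">suv</a>\';\n'
                     '$c = file_get_contents(dirname(__FILE__) . "/footer.php");\n'
                     'if (strpos($c, $l) == 0) { theme_message(); die; }',
}

if __name__ == "__main__":
    for name, finding in scan_theme(SAMPLE):
        print(name + ": " + finding)
```

A finding in functions.php means the check there has to be removed before the links in footer.php, otherwise the theme will stop loading once the links are gone.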