A couple of days ago, Google sent me an email complaining that my blog (this one) contained hidden text advertising Viagra, and threatening to remove it from their index. To my surprise, they were right.
The HTML was coming from the WordPress code itself, somehow via the call to wp_footer() in the theme’s footer.php. My theme is a simple one based on the standard WordPress theme, so I don’t think the exploit is in the theme.
I wasn’t using the version of WordPress (2.1.1) that was known to be cracked, but I upgraded to the latest WordPress anyway (2.3.1). Two days later, it was cracked again. I noticed because the change broke the site, causing PHP errors. This time I got a diff of the change. (Ignore the missing files in plugins/. I made a mess of restoring my plugins when upgrading.)
Both times, it was trying to add HTML with a <div id="goro"> block. wordpress.net.in seems to be involved too. Googling showed me that others (1, 2) have had the same problem, though I haven’t found any real fix to stop it happening again. I feel vulnerable.
Update: Here are some lines from the access log that seem to be relevant. I don’t know whether they are the original hack.