Yesterday we received a site cleaning request where one of our customers was seeing spammy links, Payday Loans in this case, injected into their WordPress website page content. The links were only appearing when the site was visited by a search engine crawler. This is common when a site has been hacked.
An extract from the customer communication with personal info removed:
We look after a client's website [website removed] and believe that it has been compromised.
Specifically, the issue is that when Google or Bing's search bots crawl the site, they see some text injected into the top of the homepage. I have been using a user agent switcher to verify its presence but it was first spotted when we did a pagespeed test here: [removed] and it showed in their 'preview' screengrab on the desktop view.
This text, it seems, isn't always present and when it is there it's only on the home url (not actually the page e.g. if you visit [page removed] it doesn't appear).
For reference, the block of injected text appears under the site header (navigation etc.) and also in the body of our exit-intent popup:
Make Ends Meet With Payday Loans
It is often very easy to face any financial emergency if you have adequate money to pay for them. But, this can seem all too impossible if you often live from one paycheck to another. How will you be able to pay for your urgent financial emergencies? Most often than not, you can’t. Face the reality, when your job is unable to pay for your financial emergencies, it is best to turn to payday loan providers out there.
[rest of content removed including link to payday loans site]
It turns out that this is not a hacked site. The content is injected by a plugin called 404 to 301, which has 70,000 active installs and a 4.5-star rating from 56 reviewers. When you install the plugin, it asks you to agree to a long agreement that includes parts of the GNU General Public License. At the end, it also includes the following text (you have to scroll down to find it):
Third Party Text Links
Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.
By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.
404 to 301 – Copyright © 2016.
I’m reasonably sure that no sane webmaster would agree to:
- Cloaking, which is specifically banned by Google and will result in a search engine penalty.
- Allowing ads to be inserted into their site over which they have no editorial control, including PayDay loan ads.
We are contacting the WordPress plugin repository maintainers who will likely remove the plugin by the time you read this post. Now that you’re fully informed, we suggest you make up your own mind about whether or not you want to keep this plugin installed if you have it on your site.
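The customer confirmed the injection by switching user agents. As an added example (not code from the plugin or from the original post), the following Python automates that comparison by reporting links and visible text that appear only in the response served to a crawler User-Agent. The sample pages, the `loans.example` host, the browser User-Agent string and all function names are constructed for illustration.

```python
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # constructed browser-like UA
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class _Extract(HTMLParser):
    """Collect link targets and visible text chunks, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._skip = set(), set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        chunk = " ".join(data.split())  # normalise whitespace
        if chunk and not self._skip:
            self.text.add(chunk)

def extract(html):
    parser = _Extract()
    parser.feed(html)
    return parser.links, parser.text

def cloaking_diff(browser_html, crawler_html):
    """Return links and text that are served only to the crawler user agent."""
    b_links, b_text = extract(browser_html)
    c_links, c_text = extract(crawler_html)
    return {"links": sorted(c_links - b_links), "text": sorted(c_text - b_text)}

def fetch(url, user_agent):
    """Fetch a page from a site you administer with the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample responses standing in for the two fetches.
SAMPLE_BROWSER = "<body><nav><a href='/about'>About</a></nav><h1>Welcome</h1></body>"
SAMPLE_CRAWLER = ("<body><nav><a href='/about'>About</a></nav><div><h2>Make Ends Meet With Payday Loans"
                  "</h2><a href='https://loans.example/'>payday loans</a></div><h1>Welcome</h1></body>")

if __name__ == "__main__":
    print(cloaking_diff(SAMPLE_BROWSER, SAMPLE_CRAWLER))
```

On a live site, pass `fetch(url, BROWSER_UA)` and `fetch(url, CRAWLER_UA)` to `cloaking_diff` and repeat the check several times, since the customer reported that the injected text was not always present. Pages with dynamic content can differ between any two fetches, so review the reported items rather than treating every difference as cloaking.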
As always we welcome your comments. Please note: We have disabled comments on this post due to the inflammatory nature of some of the comments we’re receiving.