How a fishing guide's WordPress site became home to half a million fraudulent pages

Ned Desmond shares the scary story of how a small site he managed that advertised fishing expeditions ended up with 565,192 scam pages. He also suggests five ways to avoid the same fate.

Cape Cod guide Eric Staplefield didn't even have e-commerce on the site. Most of it was pictures of fish that his guests had caught. Desmond brushed off the first few calls from Eric about the site. But when he took a look, Google clearly thought the site was compromised.

Next I got in touch with Jennifer Zelazny, the WordPress developer who set up the site and had worked on it from time to time. She agreed to dive in. What she found was nasty. Hackers had accessed the site either directly through WordPress or through a plug-in on the site. She found at least 20 suspicious WordPress core files. There were also non-core files on the site with file names like "list.php" and "apis.php," which to an average user might not have raised any red flags. Their names looked typical, but the time stamps were all recent — since July 2016 — and upon further inspection revealed redirects to other sites. She deleted the files, reset passwords, updated the secret keys in the wp-config, cleaned up other valid files with malicious code and then ran scans with Exploit Scanner and Sucuri SiteCheck scanner to ensure she found every bit of malware.

How hackers turned a Cape Cod fishing guide's site into a host for e-commerce fraud (Ned Desmond / TechCrunch)

Image: Moyan Brenn