Spam link injection

That depends… Are these spam links in comments? My plugin does not handle comment spam, there are lots of great plugins specifically for dealing with spam comments.

If this not a comment based issue then, yes, in general, this is one of the types of threats that my plugin was designed to find. Make sure that you have the latest definition updates and run the Complete Scan, if it doesn’t find anything then maybe this threat has found a new way to conceal itself.

If your are looking for more than just a general overview then I would need more information to go on. The example excerpt you posted could be generated anywhere on your site and from almost any file on your server, or it could even have been injected directly into your database. The source code for a hack like this can vary greatly and can even be made to look like other legitimate PHP code, and it might in no way resemble the output you have found on your pages.

If it turns out that nothing malicious is found on your site but this unwanted injection remains then would you please be willing to provide more information, to start with: Where is this output found on your site (please include a URL so that I can see this output on the page)?

You can contact me directly if you don’t want to post any links on this public forum:

eli AT gotmls DOT net

With the help of Yoast support and @scheeeli, it seems like there is no infection in our database. The complete scan could find it, because it is not there. Lucky me!

Anyone can point any hyperlink to your domain, and there is nothing you can do about that.

But if anyone is having spammy backlinks or facing simular issues. These Yoast plugin settings can help you deal with the situation.

Regarding my previous message:

The complete scan could find it

should be

The complete scan could not find it

Thanks for the followup explaining your solution. I just want to clarify that no malware scanners found anything on this site because there was not any malware on the site to be found.

Furthermore, I would like to expand on true cause of this exploit and propose an alternate solution for those who do not use Yoast on their site. First, it is important to understand that this type of exploit uses the search results page on your site to produce a page that contain whatever text is supplied as the search phrase. Therefore, this technique only works if your theme is designed to repeat back the search text on the results page (which most are). The most direct solution in all cases would be to simply remove the output of the given search phase from the search results template of your theme, or just use a theme that does not carelessly print out on the page whatever text anyone happens to search for on your site.

To see if your site’s theme is susceptible to this exploit simply type your domain into your browser followed by this:

/?s=You+have+been+hacked

Don’t worry, you haven’t really been hacked, but you can then understand that you wouldn’t want just anybody to link to a page like this on your own site that could essentially say whatever they want to the visitors that follow such a link. Obviously, further consideration should be made when evaluating the way most themes handle this input/output relationship.