WordPress Hacked, Used as Search Engine Landing Page

Blog moved to AWS Lite Since last week, I have been unable to access the blog. This has happened several times recently. I caught it today and searched the web server log.

Eventually, I found traces of my blog being hacked and being used as a landing page for search engines and being used for DDoS attacks using xml rpc. Looking at the file date, it was hacked last month, but now I know.

I don't know how AWS knew and blocked external access to my instance. Block xml rpc attacks, etc.  I fixed this and put it together so you can find it later.




Server connection error

When I tried to access the blog, a gateway error occurred after a while and I could not connect.

Server CPU usage is normal and console connection works well, but gateway error occurs. It seems to be blocked inside AWS.

When I tried to issue a ticket to contact Amazon, I had to pay a pretty high price. Just in case, after taking a snapshot, I created a new instance with this and it worked normally.



Request content not on my server in web access log


Looking at the web access log, there are many content requests that are not in my blog as shown below.


msnbot-40-77-167-4.search.msn.com – – [19/Jun/2021:23:46:22 +0000] “GET /womens-reusable-fashion-cute-little-critter-face-masks -sealed-5-piece-set-new-p-265142289039/ HTTP/1.1” 200 247
msnbot-207-46-13-114.search.msn.com – – [19/Jun/2021:23:46:26 +0000] “GET /nightwear-ana-p-144039310345/ HTTP/1.1” 200 247
msnbot-207-46-13-114.search.msn.com – – [19/Jun/2021:23:46:28 +0000] “GET /shikien-tongue-brush-w-1-double-one-color -random-japan-795864726042-p-144014560679/ HTTP/1.1” 200 247
msnbot-40-77-167-33.search.msn.com – – [19/Jun/2021:23:46:28 +0000] “GET /o-scale-k-line-k675-7401-tf-vat -car-toy-fair-2000-p-264257908221/ HTTP/1.1” 200 247


It's msnbot-40-77-167-4.search.msn.com, so it's requesting a url that doesn't seem like the msn search bot.


Use my blog as a landing page for search engines

When I look at the requested URL in a web browser, I get the following:

The bottom of the page is my blog, but the top is a page I don't know.


When I search msn by title, my domain comes up as shown below.




wp-news.php file is installed

There was an unfamiliar file in the wordpress directory. I haven't seen wp-news.php. When I opened it, it was not a WordPress program, but a program that was hacked and planted.

The wordpress php file name is like this: wp-config.php, but the file name is created like a wordpress file. Crackers are also clever.

I searched wp-news.php and it was not found yet.



Redirected to their sitemap instead of my sitemap and post

I added a redirect to wp-news.php in .htacces and changed the sitemap.

The following is the content added to the .htaccess file.

RewriteEngine On RewriteBase / RewriteRule ^.*-n-(\d+)/$ wp-news.php?n=$1&%{QUERY_STRING} [L] RewriteRule ^.*-p-(\d+)/$ wp-news .php?p=$1&%{QUERY_STRING} [L] RewriteRule ^.*(sitemap\.xml)$ wp-news.php?sitemap=xml [L,S=10000] ~ ~



So, their content, not my article, was exposed to the search engine, and when they landed in the search engine, they redirected and their article was exposed at the top of my article.



Hacking to expose content using my blog search ranking and my server

It's not about hacking and destroying the site or asking for money like ransomware, it's just hacking using the search rankings of my blog and using the resources of my server.

If this persists for a long time, search engines such as Google block search exposure. In the end, my blog, which is 16 years old, is not exposed in Google searches.

I've had something like this happen before. When connected from PC web, it looks normal, but when connected from mobile, abusing content such as mp3 sales was shown. Fortunately, I cleared the hacked code before Google blocked my site, and I fixed it by re-indexing in Google Search Console.



I don't know how I planted this

I usually do it through a plug-in, but I couldn't find which plug-in had the problem.

🥺 it's embarrassing




Fortunately, it didn't break my site code, so I deleted the hacking codes and restored the changes. Then, I changed the permission of the file to read-only so that it cannot be accessed by plugins or themes again.


Delete wp-news.php file

I deleted the file because it was hacked and installed. If you look at the permission, it is daemon permission.


-rw-r–r– 1 daemon daemon 6364 May 15 06:00 wp-news.php



.htaccess file

I deleted the code that redirects to wp-news.php in .htaccess. It's a pity that I couldn't put the original text in because I deleted it right away without making a backup.

Changed the .htaccess file permission to read-only to 444. This way I can't even use it in my security plugin.


I searched this file and found several places. Removed unused plugins and folders.

find . -name .htaccess ./wp/.htaccess ./wp/wp-content/uploads/wp-migrate-db/.htaccess ./wp/wp-content/uploads/.htaccess ./wp/wp-content/updraft/ .htaccess ./wp/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/.htaccess ./wp/wp-content/plugins/akismet/.htaccess ./wp/wp- content/.htaccess ./wp/wp-content/cache/.htaccess ./.htaccess


I have this file because I still have to block ip in .htacces and redirect within wordpress, but php 7 doesn't need it, so I'll see if I can catch another day and get rid of it.



Update plugins to the latest version and disable unused plugins

It is said that the hacked code is planted during the update after being hacked during the plug-in, or it is hacked through a plug-in with weak security.

I disabled plugins I don't use, but I guess I'll have to reduce them further.



upload, check if there are any strange files in the theme folder

Strange files were called in the upload folder and the theme folder before. When I looked at the access log this time, there was no such file request, but I checked visually whether there were any strange files in the folder.


IP blocking

IPs that call strange URLs or xmlrpc.php are blocked from accessing. First, I used .htaccess .

After blocking the access to the ip, the CPU usage decreased and it entered the sustainable area.





It's been about 16 years since I've been running a blog with WordPress, but I was bothered by it, so I set the permission to 755 and got it.

It would be good if the admin connection itself could not be accessed from the outside, but this problem seems to continue as long as my connection does not have a static IP.

Security is usually inconvenient, but accidents can happen if you don't prepare in advance. But it seems that only after losing the cow will the stable be repaired.


0 If you like the article, please click the heart~ It will be a strength to bloggers (SNS/login/advertising is not related)

Articles you might like

108 times Jeoldong-jeom-jeom-jeom site
108 times counter that automatically recognizes and counts by voice

Add a Comment

Email addresses are not disclosed. Required items *is indicated by

This posting is part of Coupang Partners' activities, and a certain amount of commission is provided accordingly.

If you click the Add Channel button, you can view it in the KakaoTalk view.