Regex To Remove Spam Links from WordPress Website

February 18, 2014
Code, Wordpress
0 Comments
paris

paydayloanscam Recently a wordpress site had multiple SQL injections into the content randomly throughout the 100 or so blog posts as per right. These included generic keywords such as :

levitra
cialis
payday
viagra
pharmacy
pfizer

The sites it linked to where :

Source code

http://masagro.mx/index.php/en/payday-loans-in-goldsboro-nc
http://simlesa.cimmyt.org/index.php/payday-loans-indiana
http://www.redclara.net/generic-viagra-us/
http://greatvines.com/cialis-online-fda
http://www.crackunit2.com/purchase-cheap-levitra/

Going through these with Search and Replace plugin was going to take ages , so I tried to look for a regex script. I can across the following , curtious of https://managewp.com/clean-link-injections-hacked-websites however this only looked for cetrain Div Tags. I needed something to remove Hyperlinks containing the above keywords. I modified the code to the below and placed into the functions.php file and ran with preview on then off and went through the keyword list. Cleared about 1000 links!!

Source code

//Enter keyword below to check for in hyperlinks ( the whole link )
    $spamkeyword = "spamkeyword";
 
    // By default only preview infected posts. Change to 0 to clean posts
    $preview_only = 1;
 
    // This is the pattern to search and replace with blank
    $pattern = '%<a href=[\"\'][^"]*?'.$spamkeyword.'.*?[\"\']>.*?</a>%';
 
    // This is the query to find suspicious posts using fast SQL query
    $query="SELECT ID, post_content from $wpdb->posts where post_content LIKE '%$spamkeyword%'";
 
    global $wpdb;
    $num_cleaned = 0;
 
    $posts = $wpdb->get_results($query);
 
    echo "Suspicious: ".count($posts)." ";
 
    if ($preview_only)
      echo "Post IDs: ";
 
    // go through all suspicious posts
    foreach ($posts as $post)
//echo   $post->post_content;
    {
        if (!$preview_only)
        {
            // try the pattern
            $new_content=preg_replace($pattern, '',  $post->post_content);
 
            // update the cleaned content
            if ($new_content!=$post->post_content) {
              $wpdb->update(
                $wpdb->posts,
                array(
                    'post_content' => $new_content
                ),
                array( 'ID' => $post->ID ));
 
                $num_cleaned++;
            }      
        }
        else echo $post->ID." ";
 
    //UnComment Below to See Results of Preview before comitting
    //echo preg_replace($pattern, '',  $post->post_content);
    }
 
    if (!$preview_only)
      echo "Cleaned: $num_cleaned";

Upon searching for help with this , I did have to smile at the irony of the Regex Help Website being hacked in the same fashion , although obviously all clear now!

(No Ratings Yet)