I help maintain a website for a church and we have just noticed that our Google results have somehow been spoofed. The result and links point to the church's website, but the text descriptions are all wrong. I have checked the actual code of the site (head is copied below) and nothing is amiss. There are no strange files on our server, nor is there anything wrong with the site itself.

My question is how is this possible and is there any way to correct it?

Google Results Screen Shot

<?php
/**
 * The Header for our theme.
 *
 * Displays all of the <head> section and everything up till <div id="main">
 *
 * @package WordPress
 * @subpackage Twenty_Ten
 * @since Twenty Ten 1.0
 */

global $fumco;
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>" />
<title><?php
    /*
     * Print the <title> tag based on what is being viewed.
     */
    global $page, $paged;

    wp_title( '|', true, 'right' );

    // Add the blog name.
    bloginfo( 'name' );

    // Add the blog description for the home/front page.
    $site_description = get_bloginfo( 'description', 'display' );
    if ( $site_description && ( is_home() || is_front_page() ) )
        echo " | $site_description";

    // Add a page number if necessary:
    if ( $paged >= 2 || $page >= 2 )
        echo ' | ' . sprintf( __( 'Page %s', 'twentyten' ), max( $paged, $page ) );

    ?></title>
<link rel="profile" href="http://gmpg.org/xfn/11" />
<link rel="stylesheet" type="text/css" media="all" href="<?php bloginfo( 'stylesheet_url' ); ?>" />
<link rel="pingback" href="<?php bloginfo( 'pingback_url' ); ?>" />
<?php
    /* We add some JavaScript to pages with the comment form
     * to support sites with threaded comments (when in use).
     */
    if ( is_singular() && get_option( 'thread_comments' ) )
        wp_enqueue_script( 'comment-reply' );

    /* Always have wp_head() just before the closing </head>
     * tag of your theme, or you will break many plugins, which
     * generally use this hook to add elements to <head> such
     * as styles, scripts, and meta tags.
     */
    wp_head();
?>

<script src="<?php bloginfo('template_directory');?>/js/jquery-1.3.2.min.js" type="text/javascript" charset="utf-8"></script>

  <!-- Slider script -->
  <script src="<?php bloginfo('template_directory');?>/js/scripts.js" type="text/javascript" charset="utf-8"></script>

  <!-- Home page tabs -->
  <script type="text/javascript" charset="utf-8">
    $(function () {
      var tabContainers = $('div.tabs > div');
      tabContainers.hide().filter(':first').show();

      $('div.tabs ul.tabNavigation a').click(function () {
        tabContainers.hide();
        tabContainers.filter(this.hash).show();
        $('div.tabs ul.tabNavigation a').removeClass('selected');
        $(this).addClass('selected');
        return false;
      }).filter(':first').click();
    });
  </script>

  <!-- Script for TypeKit font implementation -->
  <script type="text/javascript" src="http://use.typekit.com/kgp1dfc.js"></script>
  <script type="text/javascript">try{Typekit.load();}catch(e){}</script>


  <!-- Facebook Wall Feeds -->
  <script type="text/javascript" src="<?php bloginfo('template_directory');?>/js/jquery.neosmart.fb.wall.js"></script>
  <link rel="stylesheet" type="text/css" href="<?php bloginfo('template_directory');?>/js/jquery.neosmart.fb.wall.css" media="screen">



  <!-- Scripts for implementing drop down menus -->
  <link rel="stylesheet" type="text/css" href="<?php bloginfo('template_directory');?>/css/superfish.css" media="screen">
  <link rel="stylesheet" type="text/css" href="<?php bloginfo('template_directory');?>/css/superfish-navbar.css" media="screen">
  <script type="text/javascript" src="<?php bloginfo('template_directory');?>/js/hoverIntent.js"></script>
  <script type="text/javascript" src="<?php bloginfo('template_directory');?>/js/superfish.js"></script>

  <script type="text/javascript">
    $.fn.setAllToMaxHeight = function(){
      return this.height( Math.max.apply(this, $.map( this , function(e){
        return $(e).height()
      }) ));
    }

  // initialise plugins
  jQuery(function(){
    jQuery('ul.sf-menu').superfish();

    adjustNavigation();

    $('.menu-col').setAllToMaxHeight();

    if ($('.accordion').length > 0) {
      $('.accordion .ac-header').click(function() {
        var panel = $(this).parents('.ac-panel');
        $('.ac-content', panel).slideToggle();
      })
    }

    jQuery('.twitter-feeds a').attr('target', '_blank');

        $("#frmsga").submit(function() {
            var emailfilter=/^\w+[\+\.\w-]*@([\w-]+\.)*\w+[\w-]*\.([a-z]{2,4}|\d+)$/i;
            $("#txtname, #txtemail").removeClass('error-input');
            var is_valid = true;
            if ($("#txtname").val()==""){
                $("#txtname").addClass('error-input').focus();
                return false;
            }

            if (emailfilter.test($("#txtemail").val())==false) {
                $("#txtemail").addClass('error-input').focus();
                return false;
            }
            return true;
        });
  });

  $(window).resize(function() {
    adjustNavigation();
  });

  function adjustNavigation() {
    var padLeft = jQuery('#site-title').offset().left;
    jQuery('ul.sf-menu li:eq(0)').css('margin-left',padLeft+'px');

    jQuery('ul.sf-menu > li').each(function(index, value) {
      jQuery('li:eq(0)', this).css({
        'margin-left':padLeft+'px'
      });

      jQuery('li:eq(0) a', this).addClass('mnu-first');
    });
  }

  function sga_submit() {
    var emailfilter=/^\w+[\+\.\w-]*@([\w-]+\.)*\w+[\w-]*\.([a-z]{2,4}|\d+)$/i;
    $("#txtname, #txtemail").removeClass('error-input');
    var is_valid = true;
    if ($("#txtname").val()==""){
      $("#txtname").addClass('error-input').focus();
      is_valid = false;
    }

    if (emailfilter.test($("#txtemail").val())==false) {
      $("#txtemail").addClass('error-input').focus();
      is_valid = false;
    }

    return is_valid;
  }
  </script>

  <style type="text/css">
    .single .<?php echo $fumco->news_page_id;?> {background-position: 0 -30px;}
    .single .<?php echo $fumco->news_page_id;?> a {color: #b27262;}
  </style>

</head>

1 Answer

It's possible your site got hacked somehow. Look at the cached copy that Google has: http://webcache.googleusercontent.com/search?q=cache:S79-C5g4-2gJ:firstchurchorlando.org/+&cd=1&hl=en&ct=clnk&gl=us

Not only will you see tons of keywords and that your title tag has changed, but here is what's interesting and probably the source of the issue:

<!-- All in One SEO Pack 1.6.15.2 by Michael Torbert of Semper Fi Web Design[82,129] -->
<meta name="description" content="Duty Free Philippines Sale Items, Lucky Strike In Az @ Genuine Duty Free Cigarettes Online" />
<meta name="keywords" content="Duty, Free, Philippines, Sale, Items, Lucky, Strike, In, Az, " />

Investigate the all in one SEO pack plugin, change all website passwords... that should solve your issue

Jeff Wooden
  • One more thing, I would change your FTP credentials just in case... also, make sure you got your theme from a reliable vendor / download... I've seen issues with malicious code in free themes, and I'm not the only one: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/ – Jeff Wooden Oct 25 '12 at 15:03
  • Hum, ok. That looks like the issue then. Everything is correct, perhaps someone got in prior to the plugin/wordpress being updated? Since it's all correct on the site at the moment, do we just have to wait for Google to re-spider the site and update their records? And the theme was a custom one we hired out so it would be a much bigger issue if the theme had bad code in it. –  Oct 25 '12 at 15:10
  • That copy was cached from today, and the problem is definitely not fixed; whoever hacked it has it set to display that content when it detects a crawler user agent. Do this, in Chrome, open developer tools by pressing F12. There will be a gear on the bottom right, hit that, then under the User Agent drop down select Other... then put this in and you will see the content being outputted, it's still there!: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) – Jeff Wooden Oct 25 '12 at 15:20
  • Oh. Crap. Then I really don't have any idea what to do with this... Any other suggestions? –  Oct 25 '12 at 15:46
  • The content is possibly stored in your database, I would dump it and search for entries like "duty free philippines" to see if you find anything in there... you can also download all source files and run eset online scanner on the directory, it can find several http style hacks (http://www.eset.com/us/online-scanner/) also do a search of all files for PHP statements using the eval function... – Jeff Wooden Oct 25 '12 at 16:00
  • I found files in the directory that were the issue (coockies.txt and a folder with a bunch of crap in there), though I have read that there might be an .htaccess issue as well, but I can't find an .htaccess file on our server. I'll check the database. –  Oct 25 '12 at 16:02
  • Couldn't see anything in the database that matched any of the words on the messed up page. –  Oct 25 '12 at 16:09
  • It's possible that the content is base64 encoded and then decoded on the fly when it detects a search crawler... I just viewed it again and inspected network requests... there are no outside network requests so it's somewhere written directly in your theme (or a plugin) or coming from your DB – Jeff Wooden Oct 25 '12 at 16:31
  • definitely check your .htaccess file, that is where these hacks usually live. – Gary Oct 25 '12 at 17:01
  • It was the .htaccess file that was sending to a cleverly titled wp-stat.php file, the contents of which were Base-64 encoded. Once those were deleted and the .htaccess rules were cleaned up, the issues went away. The FTP credentials have all been changed and the remote write access of the .htaccess file has been removed. Hopefully the issue has been fixed. Thank you. –  Oct 25 '12 at 19:47
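
The file checks suggested in the comments above (an .htaccess rule keyed on a crawler user agent, and PHP files that use eval or Base64 decoding), as an added example that is not part of the original thread. The crawler name list, the 200-character blob threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Rewrite conditions keyed on crawler user agents (name list is an assumption).
CRAWLER_UA = re.compile(r"HTTP_USER_AGENT.*(googlebot|bingbot|slurp|crawler|spider)", re.I)
# PHP calls that decode or execute hidden payloads; hits need manual review.
PHP_EXEC = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Long unbroken base64-looking run (200-character threshold is an assumption).
B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
PHP_EXT = (".php", ".phtml", ".inc")

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                # Ignore commented-out directives; flag live crawler conditions.
                live = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
                if any(CRAWLER_UA.search(l) for l in live):
                    findings.append((rel, "htaccess-crawler-condition"))
                continue
            if PHP_EXEC.search(text):
                findings.append((rel, "php-decode-or-eval"))
            if B64_BLOB.search(text):
                findings.append((rel, "long-base64-blob"))
    return sorted(findings)

def demo():
    """Scan a constructed sample webroot; all file contents are made up."""
    blob = "QUJD" * 60  # harmless constructed base64 ("ABC" repeated)
    sample = {
        ".htaccess": "RewriteCond %{HTTP_USER_AGENT} googlebot [NC]\nRewriteRule ^$ wp-stat.php [L]\n",
        "wp-stat.php": '<?php eval(base64_decode("%s"));\n' % blob,
        "index.php": '<?php echo "hello";\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in sample.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Call `scan_webroot()` on a downloaded copy of the site directory. Hits are leads for manual review, since WordPress core and legitimate plugins also call base64_decode.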