I’ve been doing WP for over a decade now, and have fixed / remediated my share of hacks. However this one really has me stumped..
I have a site running on updated, patched, and pretty darn secure WordPress. For context, it used to NOT be so secure before I took over hosting it. It used an old theme, Experon Pro (this will come into play later) before I rebuilt it in 2020.
Now to the hack — The site has a BUNCH of URLs that are complete spam, mostly about CBD oil and such. They look like blog posts, sorta. Except they’re referencing the OLD template Experon Pro. They’re browseable URLs, return 200 and all that. However, these posts / spam content:
- Do not exist in the WordPress database anywhere
- Are not referenced in htaccess or similar
- Are not redirected using some altered file or hacked plugin.
The thing that’s got me wondering is that the posts are using the old template (although, to be fair, all the links to the CSS files, JS files, etc that that old template would’ve loaded 404.)
It’s almost like there’s an old cache of URLs that are being served up from the domain. There are NO cache plugins running, only PageSpeed. And I’ve cleared and disabled PageSpeed like a thousand times.
Has anyone ever seen anything like this? I’ve scanned the entire file system and database for any mention of this content, and have come up completely empty.
Is it possible that their DNS or maybe some old CloudFlare integration got hacked, and the domain is serving up spam ONLY from certain subfolders? All of the spam posts have a subfolder, and then the spam post’s name.. Such as /cbd-topicals/spammy-post-name-here
Any ideas at all? I’m desperate!