My initial (useless) response to this knowledge was indignation. “How could my site be infected? It’s well groomed, fed, and practices safe sex!” Still, I searched the site’s code, did a few updates, changed some passwords, and assured myself the site was clean. I informed Google as such – but my pleas were ignored. Feh.
Next I requested “review” from StopBadWare – and received a note informing me of certain evil residing on “/page/2” of my blog. Sigh. But this bit of information was helpful – more precise than the generic “your site = bad” delivered by Google. With that knowledge in hand, I searched again – this time focusing on the posts and comments contained on that page – not the WordPress code itself.
And voila! I found the evil, and it looks something like this:
That image still contains the actual IP address and web address from the original code. I’d NOT suggest punching those into your browser.
If you too have been hit by the “This site may harm…” message – then here’s how I solved my problem:
1. Send a request for review to stopbadware.org – they should reply with details on where and what to look for.
If you suspect you’ve been hit with the same code I was then:
2. Use the search function of WordPress to look for “wp-stats” or “Traffic Statistics”.
3. Edit the offending post’s code, and remove the chunk related to “Traffic Statistics”.
I hope that while my site was infected it didn’t pass anything along to my readers. I’ll do my best to keep an eye on this stuff from now on.