We were doing routine maintenance on a client's WordPress website when we noticed that they had installed a plugin. Installing plugins is something we don't normally encourage (or even allow) our clients to do, but there are of course exceptions to the rule. We wanted to learn more about the plugin so we could determine whether it could safely be removed, and to cut a long story short we ended up reading the code itself, only to find that the plugin displays, without permission, a hyperlink to an external website. This was ad injection.

(Note that for the remainder of this article I will not hyperlink to websites affiliated with the plugin, because I don't want to give them any more Google juice. I will include the full URLs in plain text for those who want to see for themselves.)

The plugin in question is "Advanced Facebook Likebox Shortcode" by one Alan Ferdinand of sparxseo.com. The plugin was once listed on WordPress.org but has since been removed (https://wordpress.org/plugins/advanced-facebook-likebox-shortcode/). The code is still there, so anyone with the know-how can download it and re-create the plugin. If you browse the code you'll find the culprit on line 64:

```php
if ($author != "true") {
    // Appended to the shortcode's output: a grey, 9px link to an unrelated
    // third-party site that the site owner never asked for.
    $data .= "
<div style=\"font-size: 9px; color: #808080; font-weight: normal; font-family: tahoma,verdana,arial,sans-serif; line-height: 1.28; text-align: right; direction: ltr;\"><a style=\"color: #808080;\" title=\"click here\" href=\"http://www.advantagebusinessvaluations.com/\" target=\"_blank\" rel=\"noopener\">how much is my business worth</a></div>";
}
return $data;
```

The code is wrapped in an if-statement, but if you scroll a little higher you'll see that the conditions are set up so that the if-statement is entered by default: $author only equals "true" if the site owner explicitly sets it that way, so using the shortcode as documented, with no extra attributes, always gets the link appended (see line 28).

A site-restricted Google search turns up three other plugins by the same author, and all of them inject a hyperlink to an external website, each to a different one. Between the four plugins we saw links to corporatecostcontrol.com, advantagebusinessvaluations.com, pacrimauto.com and backpainfreeme.com. One of them, Advanced Twitter Followers Shortcode, still had a live page on WordPress.org until we reported it.

How could ad injection affect my website?

It could hurt your brand. Imagine those hyperlinks pointing to adult websites. What would your customers think?

It could hurt your search engine rank. By linking to a website you are telling Google and other search engines that you vouch for that website and its content. If the search engines deem that website bad, your website could be guilty by association. Note that the injected link is styled to be easy for a human to miss (9px grey text, right-aligned), but search engine crawlers read it all the same, which is exactly the point: the plugin author is buying backlinks with your domain's reputation.

It could infect your visitors' computers with malware. The ad injection we found was relatively mild, but there are more serious forms that try to load malware and other dangerous software onto your visitors' computers.

How can I protect my website against ad injection and other security threats?

It doesn't matter whether your website uses WordPress, Joomla, Drupal or another Content Management System (CMS): plugins are designed to be easy to install so that anyone can add functionality to their website. And even though each CMS has its own process for vetting plugins, every so often one slips through the cracks. Reading a plugin's source before it goes in, and again after each update, is the surest way to know what it actually does. You need experienced eyes on your website to keep it safe from the dangers lurking out there on the Internet.
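As an added example (not code from the original post, and not the plugin author's code), here is a small Python scanner that does mechanically what we did by hand: it walks a plugin directory, finds anchor tags pointing at domains outside an allowlist, and flags the tell-tale signs of a link meant for crawlers rather than humans (opens in a new window, tiny font, CSS-hidden). The allowlist, the function names, the script name and the SAMPLE_PLUGIN_PHP string (a constructed imitation of the offending shortcode handler, not the plugin's real code) are all assumptions made for the example.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Assumed allowlist: your own domain plus services a plugin may legitimately
# link to. Anything else found in plugin source deserves a second look.
ALLOWED_DOMAINS = {"example.com", "wordpress.org", "facebook.com", "twitter.com"}

# Matches an <a ...> tag and captures its absolute http(s) href. The optional
# backslash before the quote handles hrefs inside double-quoted PHP strings
# (href=\"http://...\"), which is how the offending plugin writes its HTML.
ANCHOR_RE = re.compile(
    r'<a\b[^>]*\bhref\s*=\s*\\?["\']?(https?://[^"\'\s\\>]+)[^>]*>', re.IGNORECASE)
TARGET_BLANK_RE = re.compile(r'target\s*=\s*\\?["\']?_blank', re.IGNORECASE)
FONT_SIZE_RE = re.compile(r'font-size\s*:\s*(\d+(?:\.\d+)?)\s*px', re.IGNORECASE)
HIDDEN_RE = re.compile(
    r'display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])', re.IGNORECASE)

SOURCE_EXTENSIONS = (".php", ".js", ".html", ".htm")


def registrable_domain(url):
    """Return the host of url, lower-cased, without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def scan_source(path, text, allowed=ALLOWED_DOMAINS):
    """Return a list of findings for every external anchor in one source file.

    Styling hints are checked against the whole source line, because the
    concealment (tiny grey text) is often on a wrapping element rather than
    on the <a> tag itself, as in the plugin discussed above.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ANCHOR_RE.finditer(line):
            url = match.group(1)
            domain = registrable_domain(url)
            if domain in allowed:
                continue
            reasons = ["external link to " + domain]
            if TARGET_BLANK_RE.search(match.group(0)):
                reasons.append("opens in new window")
            size = FONT_SIZE_RE.search(line)
            if size and float(size.group(1)) < 10:
                reasons.append("tiny font (" + size.group(1) + "px)")
            if HIDDEN_RE.search(line):
                reasons.append("hidden via CSS")
            findings.append({"file": path, "line": lineno, "url": url, "reasons": reasons})
    return findings


def scan_plugin_dir(root, allowed=ALLOWED_DOMAINS):
    """Walk a plugin (or the whole wp-content/plugins) tree and scan each source file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.endswith(SOURCE_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    findings.extend(scan_source(path, handle.read(), allowed))
    return findings


# Constructed imitation of the offending shortcode handler (not the plugin's
# real code): a legitimate Facebook link, then a grey 9px link appended unless
# the site owner passes author="true".
SAMPLE_PLUGIN_PHP = r'''<?php
function likebox_shortcode($atts) {
    $a = shortcode_atts(array('author' => 'false'), $atts);
    $data = '<a href="https://www.facebook.com/plugins/likebox.php">Like us</a>';
    if ($a['author'] != "true") {
        $data .= "<div style=\"font-size: 9px; color: #808080;\"><a style=\"color: #808080;\" href=\"http://www.advantagebusinessvaluations.com/\" target=\"_blank\">how much is my business worth</a></div>";
    }
    return $data;
}
'''


if __name__ == "__main__":
    # Scan a real directory if one is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        results = scan_plugin_dir(sys.argv[1])
    else:
        results = scan_source("sample-plugin.php", SAMPLE_PLUGIN_PHP)
    for f in results:
        print("%s:%d %s (%s)" % (f["file"], f["line"], f["url"], ", ".join(f["reasons"])))
```

Run it with no arguments to see the constructed sample flagged, or point it at a plugin tree (for example, assuming the script is saved as scan_plugins.py: python scan_plugins.py /path/to/wp-content/plugins). Every external link it reports is not automatically malicious; links to a plugin's own documentation are normal. What you are looking for is a link to a domain with no relation to the plugin's purpose, especially one styled so that only a crawler would notice it.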

Caveena Solutions has nearly two decades of experience working with websites, Internet technologies and programming. All websites we manage receive our constantly evolving set of security rules protecting them from online threats. We provide technical maintenance for these websites to ensure they continue to run smoothly, for your peace of mind. And as an added measure, we have automated backup procedures which store backups off-site.


Contact Caveena Solutions and protect your website today!