I checked the state of this blog on the weekend. Instead of getting the usual blog content, the Firefox browser showed a red warning screen saying that this blog could be potentially dangerous! Safe Browsing said: “Site is listed as suspicious, and visiting this web site may harm your computer. Part of this site was listed for suspicious activity” and “Has this site hosted malware? No. This site has not hosted malicious software over the past 90 days”.
What had happened? Does my site spread malware or what? And how can I fix that? Why is this? The Safe Browsing page had a clue: “In some cases, third parties can add malicious code to legitimate sites, which would show the warning message.” That’s what happened here. It’s possible for good sites to be infected with badware without the site owners’ knowledge or permission.
The situation could be compared to the one described in the WordPress support discussion “WP site just recieved malware warning”: “I logged into my google webmaster account this morning and it gave me the message, we have found malware on your site. It gives me the list of pages that they found the malware and said it was code injection.”
To look at the problem on this site I used the following online tools: Google Webmaster Tools and Sucuri SiteCheck Free Website Malware Scanner. Google Webmaster Tools gave a good idea of where in the page code the problem lies. The next task was to find what part of WordPress generates this code. For this task, logging in to the Linux command prompt and using “grep -r” helped to locate the right file in the WordPress tree. The problem was in footer.php. I removed the link that caused the problem.
Finally I checked again with Sucuri SiteCheck Free Website Malware Scanner and by checking the page source code (download with wget and search with grep). When the problem was removed I needed to do the last step: use Google Webmaster Tools to notify Google that the problems are fixed and they can start to analyze the page again. When they see that the issues are fixed they remove the warning.
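The "grep -r" file hunt and the re-check of saved page source described above can be made repeatable with a small audit script. This is an added example, not part of the original post; the directory and hostname arguments are assumptions you supply for your own install.

```shell
#!/usr/bin/env bash
# Added example: inventory third-party hosts referenced by theme files.
# Directory names and hostnames passed to it are the reader's own (assumed).

# list_external_hosts DIR OWN_HOST
# Prints "host<TAB>file" for each http(s):// or quoted protocol-relative URL
# found in *.php, *.js and *.html files under DIR, skipping OWN_HOST and its
# subdomains. A page saved with wget into DIR as *.html is scanned as well.
# Limits: IP-literal URLs are not matched; file paths must not contain ':'.
list_external_hosts() {
    local dir="$1" own="$2"
    find "$dir" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -H -o -i -E "(https?:|[\"'])//[a-z0-9.-]+\.[a-z]{2,}" {} + |
    while IFS= read -r hit; do
        file=${hit%%:*}                       # "file:" prefix added by grep -H
        host=$(printf '%s' "${hit##*//}" | tr 'A-Z' 'a-z')
        case $host in
            "$own" | *."$own") ;;             # first-party: not reported
            *) printf '%s\t%s\n' "$host" "$file" ;;
        esac
    done | sort -u
}

# files_referencing HOST DIR
# Once a scanner flags a host, list the files that mention it.
files_referencing() {
    grep -r -l -i -F -- "$1" "$2" | sort
}

# Stand-alone use: script.sh THEME_DIR OWN_HOST
if [ "$#" -ge 2 ]; then
    list_external_hosts "$1" "$2"
fi
```

Every host in the output is a third party whose reputation your pages inherit, so each one should be there on purpose.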
Things are now right and fixed. To my knowledge no sensitive information was leaked and no malware was installed on users’ computers. Everything is fixed and this site was not hacked.
The thing to learn from this incident is to be more careful about what third-party parts to include on the site. Sometimes things that were once good can turn bad without you doing anything (a site turns bad or gets hacked). An external resource that is marked bad and linked to your page can also taint your web site (meaning Google can mark it dangerous).
Some more useful resources: Harden your WP installation and What is a “security” issue? and My site has badware: How do I know if my site is infected?