Solution for the link injection spam from basicpills

We recently posted about a large-scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedious task to go through thousands of posts manually removing each link spam…

To help out, we posted a clean up script here for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

How to run it?

  1. Right click on this link and save as spam-postremoval.txt
  2. Rename the file to spam-postremoval.php and upload to your site via FTP (or SFTP)
  3. Open your browser and go to
  4. Let the script run and you are all set!

That should remove the malicious links from all your posts. If you need any help, contact us via email. Use the Sucuri Security Plugin to harden your WordPress web sites (just go to the 1-click hardening menu in the plugin).
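For readers who want to see what this kind of cleanup involves, here is an added example. It is not Sucuri's script, and the domain list is a constructed placeholder because the four domains are not listed on this page. The hypothetical function `strip_spam_links` removes anchors by href host and keeps non-ASCII post text intact.

```php
<?php
// Added example. The domains are constructed placeholders, not the campaign's.
const SPAM_DOMAINS = ['spam-one.example', 'spam-two.example'];

// Remove <a> elements whose href host is a listed domain or one of its
// subdomains. Returns [cleaned HTML, number of anchors removed].
function strip_spam_links(string $html, array $domains): array
{
    $removed = 0;
    // u: treat subject as UTF-8 so multibyte characters are never split;
    // s: link text may span lines; i: tags and attributes in any case.
    $pattern = '~<a\b[^>]*\bhref\s*=\s*(["\'])(.*?)\1[^>]*>.*?</a>~isu';
    $clean = preg_replace_callback($pattern,
        function (array $m) use ($domains, &$removed) {
            $host = parse_url(html_entity_decode($m[2]), PHP_URL_HOST);
            if (!is_string($host)) {
                return $m[0]; // relative or unparsable URL: leave untouched
            }
            $host = strtolower($host);
            foreach ($domains as $d) {
                $suffix = '.' . $d;
                if ($host === $d || substr($host, -strlen($suffix)) === $suffix) {
                    $removed++;
                    return ''; // drop the whole anchor, link text included
                }
            }
            return $m[0];
        }, $html);
    // null means PCRE failed (for example on invalid UTF-8 input); keep the
    // original text rather than writing back damaged content.
    return $clean === null ? [$html, 0] : [$clean, $removed];
}

// Constructed sample posts; the second has non-ASCII text that must survive.
$posts = [
    1 => 'Hello <a href="https://wordpress.org/">WordPress</a>.',
    2 => 'Preţ bun ăîş <a href="http://shop.spam-one.example/p?id=1">cheap pills</a> sfârşit.',
];
foreach ($posts as $id => $content) {
    [$clean, $n] = strip_spam_links($content, SPAM_DOMAINS);
    // In WordPress the cleaned text would be written back to
    // wp_posts.post_content over a connection that uses the table's charset.
    printf("post %d: %d removed -> %s\n", $id, $n, $clean);
}
```

Matching on the parsed host rather than on a substring of the URL avoids removing legitimate links that merely mention a listed domain in their path or query string.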

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Sven

    Thanks for the removal tool.

    I have not yet received injections of spam or new admins, but would like to be able to prevent them from entering spam directly into my database and adding a new administrator.

    How do I do that?

  • Secure site

    Thank you very much!

  • George

    The script removed all spam, but all my special characters from my posts like ăîţş were transformed into “?”

  • bcmom

    Thank you!  I’ve only recently begun using WordPress, and this has been happening repeatedly.  It has been a pain to either edit each post or delete them all and restore from a back-up.  I don’t understand how this works, but it seems to have removed the spam links.

  • sara

    Am I making a mistake? The script won’t run… it takes me to a gray screen that lists the contents of my server.

  • Asbjorn


    There is a bug in the script: the title is not ended, and the end of the script should have /pre /body /html

    There are also way more sites than in the version you can download here.

    I have sent an updated script to Sucuri support

  • Rick Greer

    Thank you very much!!! I really appreciate this! 😀

  • Tozzophoto

    Can this be updated to reflect all the URLs currently in their injection?

  • todd

    The link provided to the spam-postremoval.txt file is dead. Any possible way to get an updated working link? Would be of great help. Thanks!

  • Happy

    Is this file still valid? I’m having trouble downloading it.

  • Nick Renwick

    Hi Guys, Dead link to the spam-postremoval.txt file, any chance anyone has a copy?
