WordPress Infected with the Pharma Hack? How to Detect, Clean and Secure your site from it

What is the Pharma hack?

Years ago, a client wanted me to remove a page from their WordPress site—a page regarding pharmacy products. I searched through the posts, pages, custom post types, and anything else I could think of, and I spent days assuring the client that no such page or post existed on their WordPress site.

They were painfully insistent and said that they had found a page while checking the search results for their site on Google. I checked the results myself and, much to my surprise, found the page that they mentioned. That page was linking to another domain that was selling medication online, but the URL was from my client’s site. I thought, “Well, this is probably an error on Google’s end, right?”

Wrong! It was the Pharma Hack.

So what, exactly, is Pharma Hack? WordPress Pharma Hack is a method of spam injection. Its purpose is to redirect visitors from an otherwise legit site to pharmacy vendor sites that are selling banned drugs (like Viagra, Cialis, Nexium, etc.) or generally offering prescription drugs – without a prescription.

It is very subtle—you can think of it as a parasite feeding off of the highest-ranking pages on the site to gain valuable links. You and your visitors will not see it. It doesn’t cause any visible malfunction, and I’ve yet to hear that such a hack caused the site to crash. It almost sounds harmless.

But that’s because it is a clever parasite – it needs a living host and doesn’t want to raise any suspicion and get noticed. Because it is so low-profile, it usually works behind the curtain for months and months before the site owners notice and remove it. It is also very likely to come back if not removed properly. It will slowly degrade your SEO and reputation into nothing, get you blacklisted on Google and probably cost you some (or a lot) of money. It’s not so harmless.

How can you tell if your WordPress site is infected by the Pharma Hack?

1. Use Google’s Advanced Search Operators

Since the hack is invisible to you, you must resort to one tool that will help you unmask it- the search engine. What you should do is open up Google.com and search for your domain name (just by typing in i.e. domain.com) or by using Google Advanced search operators like ‘site:yourdomain.com’,’inurl:yourdomain.com’, etc.

If you use the ‘site:yourdomain.com’ operator, Google will list your indexed pages. Some of the results might include Pharma Hack links like this:

If you want to be more specific, you can initiate the search using ‘inurl:yourdomain.com viagra’ (you should replace ‘yourdomain.com’ with your domain name, and you can also search for a different drug name).

On this page, you can find instructions on how to use Google Advanced Search Operators.

2. Fetch the page as Googlebot

Pages are only visible on search engines because the Pharma Hack is visible only to certain user-agents, like Googlebot. This means that even if you have found a page on Google that redirects to a pharmacy vendor site, you cannot see the hack even when viewing the page source because your browser has a different User-Agent string.

To view the page as it would be viewed by the Googlebot, you will need a browser Chome User-Agent Switcher or Firefox User-Agent Switcher add-on.

After you install your favourite browser User-Agent Switcher add-on, you should navigate to the page which showed as hacked on Google Search results. Then, the User-Agent string will need to be edited as follows:

The User-Agent string will need to be changed to one of these values:

• Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
• Googlebot/2.1 (+http://www.googlebot.com/bot.html)
• Googlebot/2.1 (+http://www.google.com/bot.html)

After that has been done, view the page source, and you will be able to see the redirect to a pharmacy vendor site:

Important: Don’t leave the User-Agent Switcher Add-on active. Since you will be imitating Googlebot, sites with proper security will notice it and block you temporarily or permanently.

How does the Pharma Hack work?

As mentioned before, you and your visitors will not notice any changes on the site whatsoever. The Pharma Hack will override the title tag and insert spam links into the page content. This modified title tag and spam links are only visible to search engines and search engine crawlers (like Googlebot). This method is called cloaking.

Where does the Pharma Hack hide its code?

Like most WordPress hacks, the Pharma hack stores malware in your site’s core, plugin, and theme files. In this case, the Pharma Hack also uses the database to retain persistence.

Through Malicious files in the WordPress default directories (core, plugins, themes)

The malicious files must be placed into your WordPress directory. They usually contain functions such as base64_decode() and eval(). In that sense, the Pharma Hack is no different than any other hack.

Through encrypted code in the WordPress database

What is different is that, with Pharma Hack, these functions are stored in the database as strings and encoded backwards, thereby making them much more difficult to find and eliminate. When the hack file is run, it pulls the strings from the database, decodes them, and runs them as functions.

For example, take a look at this:

JHBoYXJtYWhhY2sgPSAnVGhpcyBpcyBwaGFybWEgaGFjay4nOwplY2hvICRwaGFybWFoYWNrOwo=

It looks like gibberish, but when decoded with the base64_decode() function, it becomes:


<?php

$pharmahack = 'This is pharma hack.';

echo $pharmahack;

?>



Of course, the code I wrote is harmless and doesn’t do anything, but any malware code might look the same, like a random string of alphanumeric characters. It might set up a redirect on your site that might take your next visitor to a page that offers non-prescription Propranolol.

How to remove the Pharma Hack

As mentioned, the Pharma Hack consists of two parts: the hack files, which provide backdoor access and the encrypted code in the database.

To properly remove the WordPress Pharma Hack, you would have to deal with both thoroughly. If any of the files remain on the server, reinfection is simply inevitable, and you’re back to square one.

Before working on your WordPress site, make sure you take a backup of both your WordPress files(core files, themes, and plugins) and Database so you can restore them in case something goes wrong.

Tip: If you are not familiar with using FTP to connect to your server (or at least a File Manager like the one on the cPanel) and, even more importantly, if you’re not familiar with phpMyAdmin, I strongly advise against following the instructions below. In that case, I would suggest submitting a Pharma Hacked Fix Request through our Malware Removal Service.

Removing WordPress-hacked files

I won’t lie—this is a boring job, but somebody’s got to do it. You need to check the plugin and theme directories for suspicious files. I hope you are not one of those site owners who have a plugin for EVERYTHING and keep 12 inactive themes, just in case. If you are that person, you’ve got yourself hours, no, days of digging through the files.

Below, we’ll show an example of inspecting and removing hacked files. You should repeat the process for all of your WordPress site core files, themes, and plugins.

Connecting to your hosting server

You must connect to your hosting server through FTP or login to cPanel and use the File Manager (which I will use in the examples below).

After you are connected, you will need to make sure that the option ‘Show hidden files’ is checked:

Let’s navigate to the Akismet plugin directory: ‘wp-content’ -> ‘plugins’ -> ‘Akismet’.

Finding the rogue hacked and malware files

The first thing you should look out for is the naming conventions. The hack files will usually have a pseudo-extension in the middle (like .class, .cache, .old) to mimic the genuine plugin files.

Also, a dot in front of the filename (like ‘.htaccess’) will hide the file unless the option ‘Show hidden files’ is enabled. This is always a cause for suspicion.

To confirm, the content of these files should look something like this:


< ? php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb
='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$j
oEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY...


If you are not sure whether the file is a genuine part of the plugin, you can download the fresh version from WordPress.org and compare the contents of the plugin directory on your server with the fresh install.

The .htaccess file

The .htaccess file would also be a good place to check. This is an example of the code that should not be there:

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR] #checks for Google, Yahoo, msn, aol and bing crawler
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ somehackfile.php?$1 [L] #redirects to a hack file


If you see code like this, it is best to remove it. Of course, you should save a backup of the .htaccess file just in case. If you need to recreate the file, go to your WordPress dashboard, then go to ‘Settings’ -> ‘Permalinks’ and click save (you don’t have to change the permalink structure). The .htaccess file will be regenerated.

Scan for file content differences.

This might be too much to do with some plugins with many files (like JetPack), so you can also use the Exploit Scanner or a similar security plugin to check for file changes. The Exploit Scanner WordPress plugin will search all WordPress core files, 3rd party themes, and plugins distributed through WordPress’s official repository, as well as your database’s posts and comments tables, for suspicious entries and unusual filenames.  The downside is that the Exploit Scanner plugin generates a lot of false positives, so you must check every single result it outputs. It won’t work with premium or custom plugins.

After figuring out which files are hacked and distribute malware, you should delete them immediately. If you have found a hacked plugin with a large number of files, it is probably more efficient to delete the whole plugin and just reinstall it from scratch. Most of the time, plugin options and settings are stored in your site database, so restoring the default plugin files won’t harm you.

Once you remove all of your hacked WordPress files, the Pharma Hack symptoms should disappear, and the search results for your site will return to normal after a few days(Google needs to re-crawl your site to verify that it’s clean). However, this does not end the clean-up process, as you will still have to deal with the leftover code in the database.

Keep in mind that if any hack files are left behind, the Pharma Hack will eventually reinfect your WordPress site. That said, let’s move on to the database cleanup.

Removing malicious code from the WordPress database

All of the instructions below involve database manipulation. Therefore, it is important to create a backup of your database (if you haven’t already done so)
and follow instructions closely, as any improvisation might lead to crashing your site.

Again, if you are uncomfortable making edits through phpMyAdmin, it is a good idea to hire a professional or try our malware removal service.

Log in to phpMyAdmin

If you are using a hosting package with cPanel, then this is an easy step. You just need to click the ‘phpMyAdmin’ icon:

Otherwise, you will need a phpMyAdmin login URL, username and password. Your hosting provider should be able to help you with this.

Selecting the correct database

Once you are logged in, you will need to select the correct database to ensure you are making changes in the right place.

You can check your wp-config.php file and search for the database name if you have multiple MySQL databases. It will be in the following line of code – define('DB_NAME', 'yourdatabasename');

Searching for malicious code

Now that you’ve selected the right database, you must navigate to the ‘wp_options’ table (the table prefix may be different depending on how it was first set once you installed your WordPress website). There should be a list of WordPress tables on the left side of the screen (you can either click that entry or on the ‘browse’ button on the list in the middle):

After you select the wp_options table, you must use the Search tab at the top of the page to search for malicious database entries.

The entries you will need to search for by entering them into the ‘option_name’ field are as follows:

• wp_check_hash
• class_generic_support
• widget_generic_support
• ftp_credentials
• fwp
• rss_%
  Attention! In this case, you should delete all matches except rss_language, rss_use_excerpt, and rss_excerpt_length (these are legit WordPress database entries).

Do not delete important information from the wp_options table, as doing so could produce errors or even crash your WordPress site.

How to verify your WP site is clean

Repeat the Google search using the same search operators

After you remove the WordPress hacked files from your site, the search results on Google should normalize. You should then repeat the Google search, using the Advanced Search operators to check if any pages still appear in the results.

Now, it wouldn’t be a surprise if some Pharma Hack results still appear. Google has been indexing your site for a while, and it might take days or weeks for the damage to be undone. This could also mean some hack files are still on the servers, so you should repeat the Pharma Hack Cleanup procedure.

Use Google Webmaster Tools

Google Webmaster Tools should be used to reindex the site after the Pharma Hack has been completely removed. The Index Status and Malware option can show you if Google is still flagging the site as infected.

How to Scan your site for Pharma Hacked entries

There are several security plugins that can determine whether or not your site has malware. As stated before, the Pharma Hack can be extremely difficult to catch, so it is completely possible that a security plugin will miss it.

There are also online services offering malware scanning for Websites.

How to force Google to re-index your Pharma Hack Free WordPress Site

Submit a new sitemap

A sitemap contains a list of all your site’s pages and posts. Submitting the sitemap might speed up the reindexing process. If you already have a sitemap, try deleting it and re-submitting it. This will also remove all pharma-related pages and URLs(if any).

Google’s Remove Outdated Content Tool

Some pages are still indexed with the Pharma Hack, so they need to be submitted for removal. Even though your WordPress site is Pharma Hack-free, some hacked pages will still appear in Google’s search results. Google now lets you ask to remove those outdated pages through the Remove Outdated Content tool. If that’s the case, copy the URL as shown in Google Search Results, paste it inside the tool, and ask for removal.

How to secure the site for any future hacking attacks

Every successful (or unsuccessful) hacking attempt starts by exploiting the site’s weaknesses. Most often, malware infection is possible because of outdated or obsolete software, like outdated WordPress core, themes and plugins. Regular updates are an important step in increasing your site security.

After removing the malware, you might want to change FTP credentials, remove unknown users and limit the user privileges. Implementing a security plugin and monitoring your site is also a good idea.

We suggest you read our detailed article on How to Protect a WordPress site from being Hacked, it’s a long one but we’re certain it will help you secure your WordPress website from hacks like Pharma and Malware Redirects.

Repeat the Pharma Cleanup for all your WordPress sites.

If you’re hosting more than one WordPress site under the same hacking account, you MUST clean all the sites, or they will be hacked repeatedly. We commonly receive Hacked Fix Requests for a WordPress site only to find there 2 or more sites under the same hosting account. In this case, we suggest that our clients let us clean them all, or else we would prefer to drop the request because we can’t guarantee that their site request will stay clean shortly.

Final Thoughts

The Pharma Hack has been around for a long time and is always evolving. Removing it is always difficult and time-consuming, especially if the reinfection occurs. The steps for diagnosing and fixing the hack provided in this article should help you efficiently battle this problem and reduce the chances of it reoccurring. However, if you are unsure that you have succeeded in removing the Pharma Hack and securing your site against future hacking attempts, you might opt for our WordPress Support and Maintenance Services. It may be an additional cost now, but it can save you money in the long run.

If your WordPress site has been infected with the Japanese Hack, we suggest looking at our How To Identify And Fix The Japanese Keyword Hack guide.

Photo by JOSHUA COLEMAN on Unsplash