How to Fix the WordPress Pharma Hack

Did you search for your WordPress website on Google and found a bizarre pharma title appended to it in the search results? Yes? Then your WordPress website is a victim of the WordPress Pharma Hack!

Over 40% of all sites available on the Internet run on WordPress CMS. Its popularity has attracted many hackers and SEO spammers to earn profit from genuine and well-established websites that have good traffic and search engine presence.

Hackers use different malicious approaches to attack a WP site, leading to monetary and trust issues for your business and its growth. The results of such attacks can also lead to a sudden decrease in the number of website visitors, or the search engines displaying warnings before accessing your WordPress website.

To understand what this hack is all about and how you can get rid of it, this article will help you with all your queries. So, let’s dig in!

What is the WordPress Pharma Hack?

The WordPress Pharma Hack sometimes referred to as the Google Viagra Hack, is a black hat SEO spam technique, where hackers use a genuine website to sell illegal and banned medicines or drugs to the public.

Whenever a WordPress site is infected with a pharma hack, it displays pharma ads and content for selling drugs like Viagra, Nexium, Cialis, etc. The text and images as a result of such a hacking attempt are not always easily visible to the site owner or other users. They are disguised very cleverly such that going to the website and having a quick scroll through will not show anything suspicious. However, checking your site on the Google (or other) search engines will show different (pharma) text or headings for the legit site.

How Does the Pharma Hack Work?

Pharma hacks mainly target vulnerable WordPress sites (the ones which lack recent updates, have misconfigured or neglected WordPress security, and flaws in coding, etc). Then, they use blackhat SEO techniques to advertise their content on illegal medication. As a result, they are able to use other websites’ keyword rankings to drive traffic to their own.

The code for such hacks is usually hidden within the CSS files of the site and possibly in the frontend. Such attempts ensure that you are not able to view such additions on the HTML. However, search engines use crawlers to scan for malicious code, which, if found, will lower your search engine ranking and get your site blacklisted.

The difficulties arise from finding out the malicious code that makes the pharma hack active on your WordPress site. To know you’ve been hacked, looking up your site on a search engine like Google should suffice. Finding out the problematic code is a bit more difficult, since manually going through everything may not work if you’re not a professional.

Why Do Hackers Infect WordPress Sites?

If you are wondering why do hackers target WordPress sites, there are few reasons and any of them can be a real one:

• To sell or promote drugs or illegal medications
• To redirect a legit site to malicious links
• To use your website for hosting phishing pages

Your site has a good Domain Authority (DA) and low Spam Score accordingly, the objective is to take advantage of it to trick Google’s PageRank system to promote the hacker’s malicious site that is selling illegal drugs. The better the DA is, the better the hacker’s site will have all the earmarks of being in Google’s eyes.

How Pharma Hack Affects Your WordPress Site?

The result of a hacked WordPress site with the Pharma hack can land nightmares for website owners. Here are some implications you may experience if your WordPress site is infected with this hack:

• Your website gets blacklisted by Google and displays an alert message in search results for all visitors.
• The PageRank of the site gets affected and if you don’t clean your site for a long period then the spam score for your website will be increased and the entire site will be treated as a spammy site by Google.
• In some cases, Google can also ban your website from displaying in search results – but don’t worry this happens in extreme cases.

All of these implications require double the efforts to get back to where you stood. So, here’s a couple of things you can do to resolve the pharma hack.

How to Fix the WordPress Pharma Hack?

The best part for the hackers about this hack is that it is not easily discoverable and hence can stay on your website for a long time. There could be a chance that you do not see any symptoms of the WordPress pharma hack, but your site may be under the control of hackers.

You need to scan the code, figure out the vulnerabilities present on your WordPress site, and restore your website. Follow these steps to do it yourself:

Step 1: Create a Backup for Your Website

It is always a good practice to create a complete backup of your WordPress website before fixing any bug or vulnerability in it. This makes it comfortable to undo the changes if something goes wrong while cleaning the website. This backup must have all the core files, plugin and theme files, and your website’s database.

Step 2: Scan the Website for Malware

Once you have backed up your data, the next step is to perform is to scan your WordPress website. There are a plethora of tools available for scanning your website, like VirusTotal for flagging the infection or Astra’s Malware Scanner for virus scanning, and so on.

All the tools are efficient enough to scan for vulnerabilities on your website. This process will mark all the suspicious files and codes in a short span of time and help you to remove the malware rapidly with convenience.

Step 3: Remove the Infected Files

Navigate to the /wp-contents/ directory after connecting to your host server via FTP or file manager and look for hacked files or plugins. These files have words like .class, .cache, .old that look similar to plugin files.

The presence of dot (.) in front of the file name makes them hidden and are not visible till you select the ‘show hidden files’ option. Remove all such hidden files.

Step 4: Clear the Temp Directory

Hackers use the temp files and folder to avoid corruption during the malware implantation on your WordPress website. The /wp-contents/temp/ directory can generate temporary files for the WordPress pharma hack; it is advised to clear this folder in case you see suspicious entries.

Step 5: Check the .htaccess File Content

The .htaccess file is a configuration file for the server that defines how server requests are processed. Attackers can use these files to hack into your website. Search for the code given below or regenerate a new .htaccess file from the WordPress dashboard.

Image via Astra Security

Step 6: Removal Malicious Code from Your DB

Again, every time you work with your website’s database, it is mandatory to take a backup. Working with the database is a sensitive step, and a backup would help you to roll back the changes if something goes wrong.

For cleaning the database manually, follow these steps:

1.   Go to your phpMyAdmin panel
2.   Select the database
3.   Click on the wp_options table
4. Search for the malicious entries that could be present in your database. Some of the common entries are:
   • wp_check_hash
   • Class_generic_ssupport
   • widget_generic_support
   • Ftp_credentials
   •   rss_%

Be cautious and do not delete any other important information from this table, as it could cause your site to crash.

WordPress Pharma Hack can take away the name, fame, rankings and revenue of your WordPress website. It is not easily detectable which makes the situation worse. However, if you protect and secure your website by implementing the required security measures such as protecting your site with a website firewall or regularly scanning your site with malware scanners can prevent such attacks. If your site is infected with a Pharma hack and you’re not comfortable with the technical procedures for cleaning it up, it is always a good option to seek professional help.