How to Find & Fix the WordPress Pharma Hack (Guide)

WordPress Pharma Hack - How to Fix & Cleanup

WordPress Pharma Hack



Is your wordpress site littered with casino pharma links?

Is your index.php files infected with malicious spam pharma hack?


Key Takeaways

  •  The WordPress Pharma Hack is a deceptive infiltration that displays spam content to search engines, affecting your site’s SEO.
  • Common Symptoms: Unexpected advertisements for pharmaceutical products, especially when viewed via search engine results.
  • Detection: Regularly monitor your website for unexpected changes, especially in content and SEO rankings.
  • Prevention: Always keep your WordPress core, themes, and plugins updated. Use reliable security plugins and regularly scan for vulnerabilities.
  • Removal:
    • Database Cleanup: Search for suspicious content in the WordPress database, especially in posts and comments.
    • Files Inspection: Check the core files, themes, and plugins for any malicious injections or unfamiliar code.
    • User Roles: Ensure no unauthorized WordPress users or suspicious admin roles.
  • Post-Hack Actions: Change all passwords, ensure proper file permissions, and consider using a website firewall.
  • While exact numbers vary, many WordPress sites are vulnerable to such hacks due to outdated plugins or themes. Regular maintenance and monitoring can prevent a majority of these infiltrations.

Pharma hack has evolved a lot in 2024 and so the steps to fix it.

Recently, a variant known as the “casino pharma hack” has emerged, combining elements of both casino and pharmaceutical spam, further complicating the threat landscape. Understanding these evolving threats is crucial for implementing effective security measures to protect your website’s integrity and maintain its search engine visibility. This black hat seo exploit was destroying their SEO rankings by targeting the Google SERPs, due to which their website was blacklisted by Google and started showing  ““This Site May Be Hacked” message in Google.

In this article you will learn more about What is WordPress pharma hack? & how to find and remove Pharma Hack from wordpress site by cleaning up the database and infected files. 

What is A Pharma Hack?

The WordPress Pharma Hack, also known as the “Google Viagra Hack,” is a malicious attack targeting WordPress websites. Attackers exploit vulnerabilities to inject spammy content or links promoting pharmaceutical products like Viagra or Cialis into your site’s pages and search engine results. This not only damages your website’s reputation but also adversely affects its search engine rankings. Recently, a variant known as the “casino pharma hack” has emerged, combining elements of both casino and pharmaceutical spam, further complicating the threat landscape. Understanding these evolving threats is crucial for implementing effective security measures to protect your website’s integrity and maintain its search engine visibility. In 2024, we have seen increased instances of this kind of hack on WordPress sites as compared to 2023.

This web exploit is categorised under blackhat SEO spam and is mostly targeted towards small business websites. Other hacks which come under same category includes: Gibberish Keywords HackJapanese Keywords Spam & WordPress malware redirect.

The below is a cached version of an infected page.

Pharma Hack spam on wordpress website

Google SERP results produced by a pharma hack example:

spam-serps-pharma-wordpress

scan wordpress to find pharma hack

In a recent incident, a WordPress site was compromised by a self-replicating malware that generated spam doorway pages. The malicious file, wp-page.php, was identified and deleted. However, upon reloading the site, the spam content persisted, indicating the file had regenerated. This behavior is characteristic of malware employing cron jobs to reinfect sites. Interestingly, no suspicious cron jobs were found in the user’s crontab.

Further investigation uncovered a malicious nav.php file within the active theme directory. This file was responsible for recreating wp-page.php and injecting its links into legitimate site pages when accessed by search engine crawlers like Googlebot or Bingbot. The nav.php file was included in the theme’s header.php, ensuring its execution with every page load. Removing both nav.php and its reference in header.php effectively eliminated the spam content from the site.

...$movedb = user_min_browser($_SERVER['HTTP_USER_AGENT']);$movedb2 = 'moved';if ($movedb == $movedb2){ echo '<ul>';echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'</a></li>';echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'</a></li>';...echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'</a></li>';echo '</ul>';}

Upon discovering the persistent regeneration of the malicious wp-page.php file, a deeper investigation was initiated to identify the underlying cause. It was found that the nav.php file, not originally part of the theme, was being executed through a deliberate inclusion in the header.php file. The following line of code was inserted into header.php:

This inclusion ensured that nav.php was executed each time a public page was loaded, facilitating the reinjection of spam content and the recreation of wp-page.php. This method acted as a “delete protection” mechanism, allowing the malware to persist despite removal attempts.

This incident underscores the necessity for comprehensive security measures beyond superficial scans. Website owners must conduct thorough inspections to detect and eliminate hidden threats such as unauthorized file inclusions, backdoors, and other vulnerabilities.

⭐ Diagnosing SEO Pharma Hack

How to Diagnose wordpress pharma hack

Purpose Of Google Pharma Hack

Due to strict regulations, many pharmaceutical products like Viagra, Nexium, and Cialis cannot be promoted through conventional online advertising channels. To circumvent these restrictions, malicious actors exploit high-ranking websites by injecting spammy links and content related to these products. Their goal is to leverage the authority and visibility of compromised sites to promote their offerings illicitly.

Detection Challenges

Detecting the Pharma Hack can be challenging because:

  • Invisible to Users: The injected spam content is not visible on the website itself; it appears only in search engine results.
  • Cloaking Techniques: Hackers use cloaking methods to show different content to search engines than to regular visitors, making manual detection difficult.
  • Targeted High-Ranking Pages: The hack often focuses on the site’s most authoritative pages, which may not be regularly monitored.

How To Check If Your Site Is Hacked?

Wondering about How To Tell If Your Site is Hacked with The Pharma Hack, Well, this is one of the most important step of removing pharma hack spam from your WordPress website. Go through the below mentioned ways in order to identify the infection.

1. Use a scanner

  • Utilize security plugins or online tools designed to detect malware and unauthorized code injections.
  • Regular scans can help identify and alert you to potential compromises.

You can use free malware scanners for scanning your website. We have also developed our own tool specifically for this purpose.

wordpress scanner

User-Agent Emulation:

  • Install a browser extension that allows you to change your User-Agent to mimic search engine crawlers like Googlebot.
  • Visit your site’s pages with this User-Agent to see if spam content appears.
  • This method helps reveal cloaked content that is hidden from regular users.

We recommend the User-Agent Switcher tool .

For Chrome: https://chrome.google.com/webstore/detail/user-agent-switcher/dbclpoekepcmadpkeaelmhiheolhjflj?hl=en

For Firefox :https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Now retrieve one or more of the pages of your site and look for anything ‘different’ or out of place.If nothing is immediately apparent – view the source of your pages.

screenshot-pharma-hack-source-code

Usually this option is available by right clicking in the page and selecting ‘View source’ from the context sensitive popup menu. If the option isn’t there – try right clicking on a different (empty) part of the page.

In particular check the following areas of the page’s
– check the text between the two tags – look for any words that don’t belong
– look at the text between the quotes following the content= part of the meta description text
By now you have either found something or you haven’t.

One final check is to search this html source code for a select few words that should not ordinarily be found within the page.

  • For pharma hack, search for words such as: Viagra, Cialis or Regalis

Use Webmaster Tools

You can use the ‘Fetch as Googlebot’ option within Google Webmaster Tools. Check the output code after the page is fetched and rendered.

Search Console - Fetch as Google

Google Search Test:

  • Use Google’s advanced search operators to check for spammy content associated with your site.
  • Search for terms like site:yourdomain.com viagra or inurl:yourdomain.com cialis.
  • If you find unexpected pharmaceutical-related results, your site may be compromised.
site:yourdomain.com (viagra|cialis|regalis|payday|blackjack|holdem|porn)

find-pharma-spam-using-google-search-operators

Why Is It Hard To Remove Pharma Hack?

In a pharma hack, the backdoors keep regenerating every time we remove them. Therefore, If the backdoors are regenerating, this might be due to malware that uses cron jobs to reinfect sites, so check the user’s crontab.

If you don’t find any cron job there,the hacker must have injected a backdoor which is leading to the recreation of infection on the website. To Identify the Regenerating Script check out if the file content was adding wp-page.php to legitimate site pages whenever a request was made by Googlebot or Bingbot.

Adding wp-page.php based on Googlebot and Bingbot user-agents

Appending wp-page.php to legitimate requests isn’t the real problem;  the actual problem is the regeneration of the file. For those unfamiliar with how themes work, if any include is added in the header file, it keeps loading the wp-page.php file every time the theme will be loaded by the visitors.

The hacker injected this line into header.php to make the malicious code execute every time a public website page was requested. This is mainly done to send the spam to search engine crawlers, but it also recreates the wp-page.php as a “delete protection” feature.

⭐ How does Pharma hack works?

Basically, the hack consists of two parts—malicious files in the WordPress plugins folder coupled with encrypted code in the WordPress database. The files in the plugins folder contain code that runs the encrypted code stored in the database. Because of this, the pharma hack is dependent upon these rogue files in the plugins folder.

Typically, hack files contain easily-identifiable PHP functions like eval() and base64_decode(), and although the pharma hack is no exception, there’s one major difference. With the pharma hack, these functions are stored in the WordPress database as strings, and they’re encoded backwards! At runtime, a hack file in the plugins folder pulls these strings from the database, flips ’em, and then runs ’em as functions, and that’s how the deed gets done.

  Also ReadHow To Fix eval(base64_decode()) Php Hack in WordPress [Guide]

Most of the time, malicious content ( in the form of code) is encoded to look like legitimate WordPress files and are injected to the plugin folder.If there are any files other than the default files available with your original WordPress plugin install should be looked at closely, since they could be hack files.

The malicious code sends Google with requests for the list of highest ranking pages on your website. It then stores this information in its database, and targets them when it runs.

The pharma hack has various undetectable WordPress backdoors that let the hacker regain the access to your website:

  • Backdoor that allows the attackers to insert files.
  • Backdoor inside one (or more) plugins to insert the spam.
  • Backdoor inside the database used by the plugins.

If you fix one of the three, but forget about the rest, you’ll most likely be reinfected and the spam will continue to be indexed.

 Also ReadWordPress Brute Force Attack Prevention

  • Backdoor Inserted into Files

Generally, attackers hunt for vulnerable WordPress installations i.e sites using an old version of WordPress, vulnerable plugins, and themes, security loopholes or hosting multiple websites on the same account using free wordpress scanners. This leads to the very first step to inject the backdoors into a compromised site.

When the backdoor is added, it is not immediately executed. Sometimes it stays for months without even getting called. The common places for these backdoors are:

wp-content/uploads/.*php (random PHP name file)
 wp-includes/images/smilies/icon_smile_old.php.xl
 wp-includes/wp-db-class.php
 wp-includes/images/wp-img.php

???? Also ReadHow to Scan Malware in WordPress Themes

In the pharma attack, these files have backdoor in the form of following piece of code:

< ? php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb
 ='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$j
 oEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY... (long long string)..

However,  it is still calling eval(base64_decode but it is using variables that makes it hard to detect. In fact, none of the WordPress security plugins are able to find it. Therefore, look for such a string in your WordPress folders:

php $[a-zA-Z]*=’as’; 

If you do an inspection of the code, you will see that it scans for the wp-config.php file and gets the database information. Hence, it will act as a remote shell and retrieves a lot of information about the system. That’s the first thing you have to remove before you do anything else.

If you don’t, you may allow hackers to reinfect your site via a backdoor or unpatched security hole. Reinfection may happen within seconds or it may take days before the malware returns, causing another stressful situation.

As always, we recommend you to update your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure, it’s when you’re running old versions and out of date plugins/themes that run into trouble.

???? Also ReadHow to Backup WordPress Database Manually?

For WordPress site owners, there are several reliable free WordPress security plugins that monitor the integrity of core files and theme files. But if you find yourself in a position where you feel attackers are injecting spam in your web pages or SERPs, know that we’re here to help.☎️

  • Backdoor Inside Plugins or themes

Now the next step of the attack is targeting compromised plugins and themes, that’s why WordPress Theme Security is very much important.. After successfully creating a backdoor into the system, a file will be created inside one of the existing plugins. Example:

akismet/wp-akismet.php
 akismet/db-akismet.php
 wp-pagenavi/db-pagenavi.php
 wp-pagenavi/class-pagenavi.php
 podpress/ext-podpess.php
 tweetmeme/ext-tweetmeme.php
 excerpt-editor/db-editor.php
 akismet/.akismet.cache.php
 akismet/.akismet.bak.php
 tweetmeme/.tweetmem.old.php

They will target one or more old plugins using names like

wp-[plugin].php, 
db-[plugin].php, 
ext-[plugin].php, etc. 

Look for for any plugin file with the wp_class_support string on it.

$ grep -r "wp_class_support" ./wp-content/plugins

Make sure you remove all those files and if required, remove all such plugins. To be 100% sure your plugins are clean, I would recommend removing all of them and reinstall again. (not possible for all sites, but this is probably the most secure way of doing it). Always keep them updated. ???? Also Read – WordPress .htaccess hacked – Cleanup & Prevention

  • Backdoor Inside the Database

This is the last step, and equally important. This is where the spam itself is hidden. They have been using the wp_options table with these names in the option_name:

 wp-options -> class_generic_support
 wp-options -> widget_generic_support
 wp-options -> wp_check_hash
 wp-options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
 wp-options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
 wp-options -> rss_552afe0001e673901a9f2caebdd3141d

So, you need to clean these SQL queries from your database:

delete from wp_options where option_name = 'class_generic_support';
 delete from wp_options where option_name = 'widget_generic_support';
 delete from wp_options where option_name = 'fwp';
 delete from wp_options where option_name = 'wp_check_hash';
 delete from wp_options where option_name = 'ftp_credentials';
 delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf';
 delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea';
 delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';

⭐ How To Remove Pharma Hack From WordPress site?

Fix WordPress Pharma Hack

Go through the steps given below in order to cleanse your site and ‘Remove pharma hack spam from wordpress website’.

There are two ways to clean pharma hack files from your WordPress website:

  1. Manual Clean Up
    • Removing File from the Plugin Directory
    • Removing Database Entries.
  2. Security Service

Manual Cleanup:

While manually cleaning files, you are making changes to your WordPress files. Unless you are a skilled developer, we’d  urge you don’t choose manual removal of this hack. But if you have an experience with handling WordPress files and database, follow this procedure:

The manual WordPress pharma hack cleanup include two basic steps:

  1. Removing File from the Plugin Directory
  2. Removing Database Entries.

Removing File from the Plugin Directory:

Firstly login to your web host and go to a page called cPanel. There you should find an option for File Manager. Select the File Manager.

 wordpress-pharma-hack-fix

  1. You should find a folder called public_html on the left side of the File Manager. When you select this folder, a dropdown will open with three main files of your WordPress:
  • Wp-admin
  • Wp-content
  • Wp-includes

pharma-hack-public_html

  1. Among these three files, choose wp-content. On selecting iw will display a dropdown list of internal files. Here you will find the plugins folder.,

wordpress-pharma-hack-plugin

This folder includes files of all the plugins installed in your WordPress site. The reason we recommend this particular folder to start with is because the plugins are the outdated plugins are the easiest targets to inject compromised files and thus hack a website.

  1. To identify malicious files, check out the default files present in each plugin so that you can easily identify the suspicious files. To know the default files, go to the cPanel. Click on File Manager. A popup will appear where you’ll have to select ‘Show Hidden Files.’
  1. If you find any file that is not a default file, delete those malicious files. With this we complete the first step. Now, let’s move to the second step.

Removing The Entries From Database:

Now, again go back to the cPanel. There you should find an option for phpMyAdmin. Open that folder.

 fixing-wordpress-pharma-hack-remove-database-entries

In the database, select the wp_options table. It will allow you to browse through the table content. In the wp_options table, you’ll need to search for the following database entries:

class_generic_support 
 wp_check_hash 
 ftp_credentials 
 widget_generic_support 
 fwp 
 rss_% (Delete all matches to rss_ expect, rss_excerpt_length, and rss_language) 

Delete all those entries using this piece of code. And that’s it. Your site is now hack free. Before this, make sure you have taken full WordPress database backup and must know how to export WordPress database.

Take Expert Help

If you are unaware of how to handles wordpress files, using a security service is ideal. At Wp Hacked help you’d have to raise a ticket to clean your hacker site. Wp Hacked help is one of the best WordPress security services in the market that allows you to clean your site at the click of a button. Therefore, if you find yourself in a position where you feel attackers are injecting spam in your web pages or SERPs, just write to us.

⭐Post Clean Up Steps:

Never skip these post pharma hack cleanup steps in order to  reduce the risk of a reinfection and ensure that your website remains clean:

  • Enable the website Firewall – WAF:

Enabling a valuable network security measure places a set of rules on incoming and outgoing traffic in order to protect networks, servers, websites, and individual computers. This website firewall acts as a wall between a trusted source (say, the server your WordPress website is hosted on) and an untrusted source (the internet) in which only trusted data is allowed entry.

Virtual Hardening & WAF ????️ How Does It Hardens WordPress?

  • Keep Updating Your Website:

If you are using WordPress, keep updating it to the latest version. Why? Because out-of-date software is the leading cause of infections. This also includes your plugins, themes, and any other extension type.

  • Change your passwords:

It is prudent to change the passwords related to your website: FTP, SFTP, cPanel, Plesk, WP-admin, etc. They could have been compromised and we do not want you to be reinfected because the attackers can still come back in through them.  We recommend that you use a Password Manager, so you do not have to remember them all in your head.

How To Change Your Default WordPress Username password?

  • Update your database password:

Also, update the password of your database. Keep a strong, unique and hard-to-guess password. Make sure you don’t use your name, spouse name or date of birth as the password for an integral part of your website. If you’re not familiar with handling changes in your database and configuration files, read our article.

  • Run an antivirus on your system:

In a lot of cases, we see that websites are compromised due to desktop malware that steals credentials. It’s why we always ask you take a minute to run an antivirus product.

How To Remove Malware From WordPress Site

  • Backup Your Visit:

After the site is clean and secure, a very good practice is to do regular backups. It reduces the chances of damage or risk of data loss to your website. Make sure to go through this WordPress site maintenance checklist to ensure smooth sailing.

For the most part, WordPress has been pretty solid in the security department. Security flaws are almost inevitable, but they’re usually caught early in the development stage. The fact is that when a malicious actor wants to infiltrate your website and he’s good enough at his craft, he’s probably going to succeed.

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)