What is the WordPress Pharma Hack & How to fix it

How to Find & Fix a WordPress Pharma Hack

What is the WordPress Pharma Hack

The infamous, notorious WordPress Pharma Hack is known for killing your website’s traffic and SEO for the longer term. The reason the bad-guys resort to this style of hijacking traffic is because mostly these medicines are not suitable for general audience, are illegal or banned and there’s no legitimate way to advertise or promote their own website.

Table of Contents

  1. What is the WordPress Pharma Hack
  2. What are the signs of WordPress Pharma Hack
  3. Diagnosing the WordPress Pharma Hack
  4. Cleaning up the WordPress Pharma Hack
  5. Gotchas and Final Thoughts
    1. See Also:

What is the WordPress Pharma Hack

The term gets it’s name from pharmaceuticals / pharmacy. Most of these mails which have any mention of these meds land up in spam. However in case of a WordPress website, the malicious code actually injects the names and URLs of these meds into the WordPress content. As a result the search engines start ranking your website for these drugs. Your visitors may or may not see the injected content, so it can be a while till you notice the loss. The website also ends up into multiple blacklists which causes long-term issues with SEO, email delivery etc.

In the Pharma Hack the infected site would tend to feature pharma ads and content.

What are the signs of WordPress Pharma Hack

  • You search for your site in Google or other search engines and the results show content / headings containing pharmaceutical.
  • You see strange pages with such content on your website (these pages previous being non-existent).
  • You notice malware warnings in Google Search Console / Bing Webmaster Tools.

Diagnosing the WordPress Pharma Hack

diagnosing WordPress pharma hack

The WordPress Pharma Hack comes in several variants. Some show the malicious content, others redirect and yet others only hijack the mobile traffic. Some variants hijack via .htaccess, others via .php files and yet others via injecting the malicious payload directly into the WordPress database.

One thing that needs special mention is that we have seen WordPress Pharma Hacks that have thousands of injections. for example, injecting rogue URLs into every post_meta or post_content.

Such a huge number of infections will be a pain to clean unless you do some level of automation / scripting. Please see Removing Malware from Large Database Dumps.

In order to definitively and conclusively diagnose the WordPress Pharma Hack, it will be slow and tedious to go hunting after a large number of files or digging through the database. The smart thing to do is use any plugin (preferably use our free plugin) which will comprehensively scan the WordPress database as well as the files and list out specifically the malicious code it found and the associated database entries and / or the infected files.

scan WordPress site for pharma hack

Run complete website scan to find vulnerabilities on your website

Cleaning up the WordPress Pharma Hack

There are a few things to do during the pharma hack cleanup:

  1. Create a backup.
  2. Download the backup to your desktop (you never know what your are going to delete and the backup is the last thing you want to delete).
  3. Run the scan and cleanup, the plugin will list out the specific database entries and the files requiring action.
  4. Once the cleanup is done, you want to clear the website cache. This is too easy to miss and can continue to dodge fresh reindexing from search engines.
  5. Submit your site for reindexing.

Gotchas and Final Thoughts

So you’ve cleaned up your website, asked the search engines for reindexing but what now?

  1. It’s critical to monitor the site for any occurances of reinfection. If your site is reinfected frequently, subsequent reindexing will be slow (search engines are smart to notice frequent reindexing requests).
  2. Do a root-cause analysis so that this doesn’t happen again. Else you’ll just end up performing a lot of rework needlessly and endlessly.
  3. Update WordPress, plugins and themes.
  4. Look at cron jobs. Cron jobs are (mostly) recurring, scheduled tasks set to run periodically. A malicious cron task will continue to reinject the malware despite all cleanups. If you have access to WP CLI, you can run wp cron event list or use a plugin like WP Crontrol or Advanced Cron Manager – debug & control

Pharma Hack can be tricky to clean. It can be a challenge with a high learning-curve to implement such a clean-up especially if the number of infections is high. But do not hesitate to contact us in case you need a hand before you throw in the towel and trash the site. It’s totally possible to recover from the WordPress Pharma Hack as we’ve done for a lot of our clients in the past.

See Also:

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, he transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.

Need help with restoring your hacked site?

Our dedicated incident response team, state-of-the-art technology, and excellent customer service makes sure that your website is 100% clean and secure.

Request Malware Cleanup →