The WordPress Pharma Hack

I’ve been called in a couple of times recently by clients to fix hacked sites. What makes it worse is that they were victims of a very pernicious attack known as the Pharma Hack.

I want to make you aware of this hack and give you the tools to find out whether you are a victim and how to fix it.

What Is The Pharma Hack

When your site is infected with this hack, you will inadvertently be giving links to Pharma sites selling Viagra and Cialis and other disco drugs. Not the most professional thing for people to see in Google linked to your site.

The hack is a black hat SEO attack: these people are trying to increase links to their sites for the keywords viagra, cialis et al.

Your post descriptions in Google will contain references to drugs rather than the real title you set for your post.

Why Is It So Tricky

It cloaks itself from the site owner very carefully. Unless you regularly check your site’s index on Google you will not see the effect of this hack; to the site owner it looks very much like business as usual.

It searches for your most high ranking pages and only links from them. It selectively decides which pages to infect, why bother with low ranking posts!!

It has many layers, and if one is cleaned up, the others enable the “hack owners” to re-activate the scripts on your site. It infects the following layers:

  • WordPress core files
  • Plugins
  • Uploads directory
  • Database wp_options table

This is cunning coding; if these people put this type of skill into useful projects they would make a million.

Identifying If You’ve Been Attacked

The quickest way to see if you have been infected is to check your site’s index in Google. Run the following search in Google:

site:{yourdomain.com} viagra

If you see unusual meta descriptions in Google linked to legitimate blog posts then you have probably been hacked.
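A check for the cloaking described above, as an added example that is not from the original post: it compares the title, meta description and links of one page as the owner's browser receives it and as a search crawler is served it, and reports what only the crawler copy contains. It assumes the injected content is present in the HTML served to the crawler; the two HTML samples and the `.example` domain are constructed.

```python
from html.parser import HTMLParser

PHARMA_TERMS = ("viagra", "cialis")  # the keywords named in the post


class SeoFields(HTMLParser):
    """Collect what a search engine indexes: title, meta description, link targets."""

    def __init__(self):
        super().__init__()
        self.title, self.description, self.links = "", "", set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attr.get("name") or "").lower() == "description":
            self.description = attr.get("content") or ""
        elif tag == "a" and attr.get("href"):
            self.links.add(attr["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def cloaking_report(owner_html, crawler_html, terms=PHARMA_TERMS):
    """Spam terms and links that appear only in the copy served to the crawler."""
    views = []
    for html in (owner_html, crawler_html):
        parser = SeoFields()
        parser.feed(html)
        views.append((f"{parser.title} {parser.description}".lower(), parser.links))
    (owner_text, owner_links), (crawler_text, crawler_links) = views
    return {
        "terms": sorted(t for t in terms if t in crawler_text and t not in owner_text),
        "links": sorted(crawler_links - owner_links),
    }


# Constructed sample: the same post as the owner sees it and as a crawler is served it.
OWNER_VIEW = ('<title>My Post</title><meta name="description" content="WordPress tips">'
              '<a href="/about">About</a>')
CRAWLER_VIEW = ('<title>My Post</title><meta name="description" content="Buy Viagra and '
                'Cialis online"><a href="/about">About</a>'
                '<a href="http://pharma-shop.example/">cheap pills</a>')
```

An empty report for a page does not clear the site, since the post notes that only selected high ranking pages are infected.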

What Can You Do?

There is a very detailed fix supplied by Sucuri.net, but in essence you need to:

  • Clean up WordPress
  • Clean up your plugins
  • Clean up your uploads directory
  • Edit your database to remove rogue entries

All of this is pretty technical stuff. You need to understand how WordPress works at a pretty low level to fix this; miss just one infected component and your site will be re-infected.
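A first-pass triage across the layers listed above, as an added example that is not from the original post or from the Sucuri write-up: it flags PHP files under the uploads directory, PHP files elsewhere that match obfuscation or spam-keyword patterns, and exported `wp_options` rows that match the same patterns. The pattern list, the assumption that uploads should contain no PHP, and the default `wp-content/uploads` path are choices made for this example; hits are leads to compare against a clean copy, not verdicts.

```python
import os
import re
import sys

# Triage heuristic chosen for this example (not a signature set): PHP obfuscation
# primitives plus the spam keywords named in the post.
SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|viagra|cialis", re.I)
PHP_EXT = (".php", ".phtml", ".php5")
UPLOADS = os.path.join("wp-content", "uploads") + os.sep


def triage(wp_root):
    """Return (php_in_uploads, suspicious_code) as sorted paths relative to wp_root."""
    php_in_uploads, suspicious_code = [], []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root)
            if rel.startswith(UPLOADS):
                php_in_uploads.append(rel)  # assumption: uploads holds media, not code
                continue
            try:
                with open(full, "rb") as fh:
                    if SUSPICIOUS.search(fh.read()):
                        suspicious_code.append(rel)  # core, theme or plugin file
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(php_in_uploads), sorted(suspicious_code)


def suspicious_options(rows):
    """rows: (option_name, option_value) pairs exported from the wp_options table."""
    return sorted(name for name, value in rows if SUSPICIOUS.search(value.encode()))


if __name__ == "__main__":
    uploads_hits, code_hits = triage(sys.argv[1])
    for path in uploads_hits:
        print("PHP in uploads:", path)
    for path in code_hits:
        print("review:", path)
```

Legitimate WordPress and plugin code also calls `eval` and `base64_decode` in places, so expect some matches on a clean install and diff each flagged file against a fresh download of the same version.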

UPDATE: Dec 2011

I’ve written a follow-up post on cleaning up your index in Google after the hack: Refreshing The Google Index After Pharma Hack

Need More Help Fixing Your Hacked Site?

I’ve created a WordPress Hack Recovery Course

Image by mightyohm

9 Responses to “The WordPress Pharma Hack”

  1. Teri Ryan January 27, 2011 at 3:48 pm #

    Thanks for the heads-up Neil. As always, so appreciate your timely info and updates. If we’re hacked, we’ll contact you!

  2. Denise January 27, 2011 at 4:25 pm #

    Hi Neil,

    Thank you so much for the info about the Pharma Hackers. I believe you nailed it regarding my site. I would like to know more about how you might help me. Trying to fix this myself is most likely beyond my abilities.

    P.S.: I tried to go in and change my password so you could work on my site and I kept getting the fatal error message.

    I am very frustrated & slighted by these hackers. My site is so small why would they bother?
    I look forward to hearing from you.

    Best regards,
    denise Hoopes

  3. Scott January 27, 2011 at 5:35 pm #

    Great advice Neil. Thanks!

    It’s important to remove the brackets from your domain name when doing the search. Otherwise it comes up “nothing found” and you might think your site is ok when it’s not.

    • Neil Matthews January 27, 2011 at 5:37 pm #

      Good point Scott, for example the search for wpdude.com would be:

      site:wpdude.com viagra

  4. Michael Max January 29, 2011 at 5:40 pm #

    Neil
    As ever you are the WP Master.
    thanks for the heads up on this issue. You are right, if those guys would spend half as much doing something creative and worthwhile, they would make a ton of money AND not have to burn a few lifetimes of karma away in SPAMMER HELL!

  5. Denise January 31, 2011 at 9:15 pm #

    Michael,

    I second & third your comment. I have heard that SPAMMER HELL is constantly expanding to make more room these days, as the no vacancy sign keeps getting in the way of “their” business. Ahh destiny, I’m glad I’m in control of mine. Good Point & Reminder.

  6. Rogelio Sorola February 2, 2011 at 5:40 pm #

    Hello there, I discovered your blog through Google although looking for initial help for a coronary heart attack as well as your post looks very interesting for me.

  7. Cesar January 23, 2012 at 10:01 pm #

    Good afternoon.

    I have my site affected me know if you can help me, until I could not fix the problem.

    Please inform me via e-mail instructions and the cost of their service.

    Thank you.
