The WordPress Pharma Hack

The WordPress Pharma Hack

I’ve been called in a couple of times recently by clients to fix hacked sites.  What makes it worse is that they were victims of a very pernicious attack know as the Pharma Hack.

I want to make you aware of this hack and give you tools to find if you are a victim and how to fix it.

What Is The Pharma Hack

When your site is infected with this hack, you will be inadvertently giving links to Pharma sites selling Viagra and Cialis and other disco drugs.  Not the most professional thing for people to see in Google linked to your site.

The hack is a black hat SEO attack, these people are trying to increase links to their site for the keywords viagra, cialis et al.

Your post descriptions in Google will contain references to drugs rather the the real title you set for you post.

Why Is It So Tricky

It cloaks itself from the site owner very carefully, unless you regularly check your site’s index on google you will not see the  effect of this hack, to the site owner it looks very much like business as usual.

It searches for your most high ranking pages and only links from them.  It selectively decides which pages to infect, why bother with low ranking posts!!

It has many layers and if one is compromised, the others enable the “hack owners ” to re-actiave the scripts on your site.   It infects the following layers

  • WordPress core files
  • Plugins
  • Uplaods direcotry
  • Databse wp-options table

This is cunning coding, if these people put this type of skill into useful projects they would make a million.

Identifying If You’ve Been Attacked

The quickest way is to run a check on your site to see if you have been infected,  is to check on your site’s index in Google.  Run the following search in Google:

site:{yourdomain.com} viagra

If you see unusual meta descriptions in Google linked to legitimate blog posts then you have probably been hacked.

What Can You Do?

There is a very detailed fix supplied by Securi.net, but in essence you need t:

  • Clean up WordPress
  • Clean up your plugins
  • Clean up your uploads directory
  • Edit your database to remove rogue entries

All of this is pretty technical stuff, you need to understand how WordPress works at a pretty low level to fix this, miss just one infected component and your site will be re-infected.

UPDATE: Dec 2011

I’ve written a follow up post on cleaning up your index in Google after the hack Refreshing The Google Index After Pharma Hack

Need More Help Fixing Your Hacked Site?

I’ve create a WordPress Hack Recovery Course

Image by mightyohm

Need Help With Your WordPress Site?

Get a no obligation quote for technical support for your WordPress site. Click Here And Get A Quote
  1. Teri Ryan
    January 27, 2011

    Thanks for the head’s up Neil. As always, so appreciate your timely info and updates. If we’re hacked, we’ll contact you!

  2. Denise
    January 27, 2011

    Hi Neil,

    Thank you so much for the info about the Pharma Hackers. I believe you nailed it regarding my site. I would like to know more about how you might help me. Trying to fix this myself is most likely beyond my abilities.

    P.S.: I tried to go in and change my password so you could work on my site and I kept getting the fatal error message.

    I am very frustrated & slighted by these hackers. My site is so small why would they bother?
    I look forward to hearing from you.

    Best regards,
    denise Hoopes

  3. Scott
    January 27, 2011

    Great advice Neil. Thanks!

    It’s important to remove the brackets from your domain name when doing the search. Otherwise it comes up “nothing found” and you might think your site is ok when it’s not.

    • Neil Matthews
      January 27, 2011

      Good point scott, for example the search for wpdude.com would be

      site:wpdude.com viagra

  4. Pingback: Tweets that mention The WordPress Pharma Hack | WP Dude -- Topsy.com

  5. Michael Max
    January 29, 2011

    Neil
    As ever you are the WP Master.
    thanks for the heads up on this issue. You are right, if those guys would spend half as much doing something creative and worthwhile, they would make a ton of money AND not have to burn a few lifetimes of karma away in SPAMMER HELL!

  6. Denise
    January 31, 2011

    Michael,

    I second & third your comment. I have heard that SPAMMER HELL is constantly expanding to make more room these days, as the no vacancy sign keeps getting in the way of “their” business. Ahh destiny, I’m glad I’m in control of mine. Good Point & Reminder.

  7. Rogelio Sorola
    February 2, 2011

    Hello there, I discovered your blog through Google although looking for initial help for a coronary heart attack as well as your post
    looks very interesting for me.

  8. Cesar
    January 23, 2012

    Good afternoon.

    I have my site affected me know if you can help me, until I could not fix the problem.

    Please inform me via e-mail instructions and the cost of their service.

    Thank you.

Copyright 2017 WPDude.com