WordPress Infected with the Pharma Hack? How to Detect, Clean and Secure your site from it

What is the Pharma hack

Years ago, I had a client who wanted me to remove a page from their WordPress site: a page about pharmacy products. I searched through the posts, pages, custom post types and anything else I could think of, and spent days assuring the client that no such page or post existed on their WordPress site.

They were painfully insistent and said that they had found the page while checking the search results for their site on Google. I checked the results myself and, much to my surprise, found the page they mentioned. That page was linking to another domain that sold medication online, but the URL was from my client’s site. I thought: “Well, this is probably an error on Google’s end, right?”.

Wrong! It was the Pharma Hack.


So what, exactly, is the Pharma Hack? The WordPress Pharma Hack is a form of spam injection. Its purpose is to redirect visitors from an otherwise legitimate site to pharmacy vendor sites that sell banned drugs (Viagra, Cialis, Nexium, etc.) or generally offer prescription drugs – without a prescription.

It is very subtle – think of it as a parasite feeding off the highest-ranking pages on the site in order to gain valuable links. Neither you nor your visitors will see it, it causes no visible malfunction, and I have yet to hear of this hack crashing a site. It almost sounds harmless.

But that’s because it is a clever parasite – it needs a living host and doesn’t want to raise suspicion and get noticed. Because it is so low-profile, it usually works behind the curtain for months and months before the site owners notice it and remove it. It is also very likely to come back if not removed properly. It will slowly degrade your SEO and reputation into nothing, get you blacklisted on Google and probably cost you some (or a lot of) money. Not so harmless, is it?

How can you tell if your WordPress site is infected by the Pharma Hack?

1. Use Google’s Advanced Search Operators

Since the hack is invisible to you, you must resort to the one tool that will help you unmask it: the search engine. Open Google.com and search for your domain name (just type in, e.g., domain.com) or use Google’s advanced search operators such as ‘site:yourdomain.com’, ‘inurl:yourdomain.com’, etc.

If you use the ‘site:yourdomain.com’ operator, Google will list all of your indexed pages. Some of the results might include Pharma Hack links like this:

If you want to be more specific, you can initiate the search using ‘inurl:yourdomain.com viagra’ (you should, of course, replace ‘yourdomain.com’ with your own domain name and you can also search for a different drug name).

On this page you can find instructions on how to use Google Advanced Search Operators.

2. Fetch the page as Googlebot

The reason these pages are only visible in search engines is that the Pharma Hack is shown only to certain user agents, such as Googlebot. This means that even if you have found a page on Google that redirects to a pharmacy vendor site, you will not be able to see the hack even when viewing the page source, because your browser sends a different User-Agent string.

In order to view the page as Googlebot would see it, you will need a User-Agent Switcher add-on for Chrome or Firefox.

After you install your preferred User-Agent Switcher add-on, navigate to the page that showed up as hacked in the Google search results. Then change the User-Agent string to one of these values:

  • Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
  • Googlebot/2.1 (+http://www.googlebot.com/bot.html)
  • Googlebot/2.1 (+http://www.google.com/bot.html)

After that has been done, just view the page source and you will be able to see the redirect to a pharmacy vendor site:


Important: Don’t leave the User-Agent Switcher Add-on active. Since you will be imitating Googlebot, sites with proper security will notice it and block you temporarily or permanently.

How does the Pharma Hack work?

As mentioned before, you and your visitors will not notice any changes on the site whatsoever. The Pharma Hack overrides the title tag and inserts spam links into the page content. The modified title tag and spam links are only visible to search engines and search engine crawlers (like Googlebot). This technique is called cloaking.
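The User-Agent check from step 2 and the cloaking behaviour described here can be checked mechanically. The script below is an added example, not code from the original article: it takes two copies of the same page, one as a browser receives it and one as Googlebot receives it, and reports the differences cloaking introduces (a swapped title tag, links that only the crawler sees, and external hosts that appear only in the crawler version). The sample HTML, the browser User-Agent string and the hostnames (example.com, pharmacy-vendor.invalid) are constructed; the Googlebot string is the first one listed above. The fetch_both() helper applies the same comparison to a live URL on your own site and is not used by the offline demo.

```python
import re
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List, Set

# Googlebot string from the article; the browser string is a constructed placeholder.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"


class _PageExtractor(HTMLParser):
    """Collects the <title> text and every <a href> target from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.links: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract(html: str) -> Dict:
    parser = _PageExtractor()
    parser.feed(html)
    return {"title": parser.title.strip(), "links": parser.links}


def external_hosts(links: List[str], own_host: str) -> Set[str]:
    """Hosts linked to that are not the site itself (cloaked spam links point off-site)."""
    hosts = set()
    for href in links:
        m = re.match(r"https?://([^/]+)", href)
        if m and m.group(1).lower() != own_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


def cloaking_diff(html_browser: str, html_bot: str, own_host: str) -> Dict:
    """Compare the browser and Googlebot versions of one page and report cloaking signs."""
    a, b = extract(html_browser), extract(html_bot)
    report = {
        "title_changed": a["title"] != b["title"],
        "browser_title": a["title"],
        "bot_title": b["title"],
        "links_only_for_bot": sorted(set(b["links"]) - set(a["links"])),
        "new_external_hosts": sorted(external_hosts(b["links"], own_host)
                                     - external_hosts(a["links"], own_host)),
    }
    report["cloaked"] = report["title_changed"] or bool(report["links_only_for_bot"])
    return report


def fetch_both(url: str, own_host: str, timeout: int = 15) -> Dict:
    """Live variant for your own site: fetch the URL with both User-Agents and diff them."""
    def get(user_agent: str) -> str:
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return cloaking_diff(get(BROWSER_UA), get(GOOGLEBOT_UA), own_host)


# Constructed sample responses for the same URL: what a browser sees and what Googlebot sees.
SAMPLE_BROWSER = """<html><head><title>Example Bakery - Fresh Bread Daily</title></head>
<body><a href="https://example.com/about">About</a><a href="https://example.com/menu">Menu</a></body></html>"""

SAMPLE_BOT = """<html><head><title>Buy Cheap Viagra Online - Example Bakery</title></head>
<body><a href="https://example.com/about">About</a><a href="https://example.com/menu">Menu</a>
<a href="http://pharmacy-vendor.invalid/viagra">viagra</a></body></html>"""

if __name__ == "__main__":
    print(cloaking_diff(SAMPLE_BROWSER, SAMPLE_BOT, "example.com"))
```

Run it against a handful of your highest-ranking URLs, because those are the pages the hack prefers. A non-empty new_external_hosts list is the strongest signal; a changed title alone can also come from legitimate bot-specific rendering, so confirm it by viewing the source with the User-Agent Switcher as described above.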

Where does the Pharma Hack hide its code?

Like most WordPress hacks, the Pharma Hack uses your site’s core, plugin and theme files to store its malware. In this case, the Pharma Hack also uses the database to maintain persistence.

Through Malicious files in the WordPress default directories (core, plugins, themes)

The malicious files must be placed somewhere in your WordPress directory. They usually contain functions such as base64_decode() and eval(). In that respect, the Pharma Hack is no different from any other hack.

Through encrypted code in the WordPress database

What is different is that, with the Pharma Hack, these functions are stored in the database as strings, encoded and written backwards, which makes them a LOT more difficult to find and eliminate. When the hack file runs, it pulls the strings from the database, decodes them and executes them as functions.

For example, take a look at this:

JHBoYXJtYWhhY2sgPSAnVGhpcyBpcyBwaGFybWEgaGFjay4nOwplY2hvICRwaGFybWFoYWNrOwo=

Looks like gibberish, but when decoded with the base64_decode() function it becomes:

<?php
$pharmahack = 'This is pharma hack.';
echo $pharmahack;
?>

Of course, the code I wrote is harmless and does nothing, but malware looks exactly the same: a random-looking string of alphanumeric characters that actually sets up a redirect on your site, one that might take your next visitor to a page offering non-prescription Propranolol.

How to remove the Pharma Hack

As mentioned before, the Pharma Hack consists of two parts: the hack files, which provide backdoor access, and the encrypted code in the database.

In order to properly remove the WordPress Pharma Hack, you will have to deal with both, thoroughly. If any of the files remain on the server, reinfection is simply inevitable and you are back to square one.

Before working on your WordPress site, make sure you take a backup of both your WordPress files (core files, themes and plugins) and your database, so you can restore them in case something goes south.

Tip: If you are not familiar with using FTP to connect to your server (or at least a File Manager like the one in cPanel) and, even more importantly, if you’re not familiar with phpMyAdmin, I strongly advise against following the instructions below. In that case, I would suggest submitting a Pharma Hacked Fix Request through our Malware Removal Service.

Removing WordPress hacked files

I won’t lie – this is a boring job, but somebody’s gotta do it. What you need to do is to check the plugin and theme directories for suspicious files. I hope you are not one of those site owners that has a plugin for EVERYTHING and keeps 12 inactive themes just in case. If you are that person, you’ve got yourself hours, no, days of digging through the files.

Below is an example of inspecting and removing hacked files; you should repeat the process for all of your WordPress core files, themes and plugins.

Connecting to your hosting server

You will need to connect to your hosting server through FTP or login to cPanel and use the File Manager (which I will be using in the examples below).

After you are connected, you will need to make sure that the option ‘Show hidden files’ is checked:

Let’s navigate to the Akismet plugin directory – go to ‘wp-content’ -> ‘plugins’ -> ‘Akismet’.


Finding the rogue hacked and malware files

The first thing to look out for is naming conventions. The hack files will usually have a pseudo-extension in the middle of the name (like .class, .cache, .old) in an attempt to mimic the genuine plugin files.


Also, a dot in front of the filename (as in ‘.htaccess’) hides the file unless the ‘Show hidden files’ option is enabled. This is always a cause for suspicion.

To confirm, the content of these files will look something like this:

< ? php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb
='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$j
oEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY...

If you are not sure whether a file is a genuine part of the plugin, download a fresh copy of the plugin from WordPress.org and compare the contents of the plugin directory on your server with the fresh copy.

The .htaccess file

The .htaccess file would also be a good place to check. This is an example of the code that should not be there:

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
# checks for the Google, Yahoo, msn, aol and bing crawlers
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
# redirects to a hack file
RewriteRule ^(.*)$ somehackfile.php?$1 [L]

If you see code like this, it is best to just remove it. Of course, save a backup of the .htaccess file just in case. If you need to recreate the file, go to your WordPress dashboard, then ‘Settings’ -> ‘Permalinks’ and click Save (you don’t have to change the permalink structure); the .htaccess file will be regenerated.
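The file-level indicators from the last three sections (pseudo-extensions and hidden files, assembled function names and base64 literals like the sample above, and a crawler User-Agent rewrite in .htaccess) can be turned into a small scanner. The script below is an added example, not code from the original article or from any security plugin: it walks a WordPress tree and scores each PHP file and .htaccess against those indicators. The sample install it builds in a temporary directory is constructed; its obfuscated file mirrors the article’s sample but carries a harmless, constructed base64 payload, and the .htaccess rules are the ones shown above.

```python
import base64
import os
import re
import tempfile
from typing import Dict, List

# Naming tricks from the article. Legitimate plugins also use names like foo.class.php,
# so a name hit alone is a reason to look closer, not a verdict.
PSEUDO_EXT = re.compile(r"\.(class|cache|old|bak|tmp)\.php$", re.I)
HIDDEN_PHP = re.compile(r"^\.[^/]*\.php$", re.I)

# Content indicators: the functions the article names, plus the string-assembly and
# variable-function-call tricks visible in its sample file.
CONTENT_RULES = [
    ("eval()", re.compile(r"\beval\s*\(")),
    ("base64_decode()", re.compile(r"\bbase64_decode\s*\(")),
    ("decoder chain (gzinflate/str_rot13/strrev)",
     re.compile(r"\b(gzinflate|gzuncompress|str_rot13|strrev)\s*\(")),
    ("assembled function name called through a variable",
     re.compile(r"@?\$[A-Za-z_]\w*\s*\(\s*@?\$[A-Za-z_]\w*\s*\(")),
    ("character-by-character string assembly",
     re.compile(r"(\$[A-Za-z_]\w*\s*=\s*'[^']{1,3}'\s*;\s*){2,}")),
    ("long base64-looking literal", re.compile(r"'[A-Za-z0-9+/]{60,}={0,2}'")),
]

# .htaccess: a RewriteCond on the crawler User-Agent combined with a RewriteRule into a PHP file.
UA_COND = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+.*\b(google|yahoo|msn|aol|bing)\b", re.I)
PHP_RULE = re.compile(r"RewriteRule\s+\S+\s+\S+\.php", re.I)


def scan_file(path: str) -> Dict:
    """Return {'path', 'reasons', 'score'}; a score of 0 means nothing noteworthy."""
    name = os.path.basename(path)
    reasons, score = [], 0
    if PSEUDO_EXT.search(name):
        reasons.append("pseudo-extension in file name"); score += 1
    if HIDDEN_PHP.match(name):
        reasons.append("hidden PHP file (dot-prefixed)"); score += 2
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return {"path": path, "reasons": ["unreadable"], "score": 0}
    if name == ".htaccess":
        if UA_COND.search(text) and PHP_RULE.search(text):
            reasons.append("crawler User-Agent rewrite into a PHP file"); score += 5
    else:
        for label, rx in CONTENT_RULES:
            if rx.search(text):
                reasons.append(label); score += 2
    return {"path": path, "reasons": reasons, "score": score}


def scan_tree(root: str) -> List[Dict]:
    """Walk a WordPress install and return the suspicious files, highest score first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == ".htaccess" or f.lower().endswith(".php"):
                hit = scan_file(os.path.join(dirpath, f))
                if hit["score"] > 0:
                    hit["path"] = os.path.relpath(hit["path"], root).replace(os.sep, "/")
                    findings.append(hit)
    return sorted(findings, key=lambda h: -h["score"])


# --- constructed sample install (not a real site) ---------------------------------
CLEAN_PLUGIN = "<?php\n/* Plugin Name: Example */\nadd_action('init', function () { return true; });\n"
_B64 = base64.b64encode(b"echo 'constructed sample payload, not malware';" * 2).decode()
OBFUSCATED = ("<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';"
              "$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;"
              "@$ygDOEJ(@$joEDdb('" + _B64 + "'));")
BAD_HTACCESS = ("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\n"
                "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\n"
                "RewriteRule ^(.*)$ somehackfile.php?$1 [L]\n")
GOOD_HTACCESS = "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n"


def build_sample_site() -> str:
    root = tempfile.mkdtemp(prefix="wp_sample_")
    plugin = os.path.join(root, "wp-content", "plugins", "akismet")
    os.makedirs(plugin)
    files = {
        os.path.join(plugin, "akismet.php"): CLEAN_PLUGIN,
        os.path.join(plugin, "akismet.cache.php"): OBFUSCATED,   # pseudo-extension + obfuscation
        os.path.join(plugin, ".akismet.php"): OBFUSCATED,        # hidden + obfuscation
        os.path.join(root, ".htaccess"): BAD_HTACCESS,            # crawler rewrite
        os.path.join(root, "wp-content", ".htaccess"): GOOD_HTACCESS,
    }
    for path, content in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_site()):
        print(hit["score"], hit["path"], "; ".join(hit["reasons"]))
```

Point scan_tree() at a local copy of your site (downloaded over FTP) rather than running it on the live server. Treat the output as a worklist: files with only a name hit need the comparison against a fresh plugin copy described above, while a file that trips several content rules is worth deleting outright.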

Scan for file content differences

This might be too much work for plugins with a large number of files (like Jetpack), so you can also use the Exploit Scanner or a similar security plugin to check for file changes. The Exploit Scanner plugin searches all WordPress core files, third-party themes and plugins distributed through WordPress’s official repository, and the posts and comments tables of your database, for suspicious entries and unusual filenames. The downside is that Exploit Scanner generates a lot of false positives, so you must check every single result it outputs, and it won’t work with premium or custom plugins.
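For premium or custom plugins, where Exploit Scanner does not help, the comparison against a fresh copy that the earlier section recommends can be done with file hashes instead of by eye. The script below is an added example, not code from the original article or from the Exploit Scanner plugin: it hashes every file under the installed plugin directory and under a fresh copy, then reports files that exist only on the server, files that are missing, and files whose content differs. The two sample directories it builds are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple


def tree_hashes(root: str) -> Dict[str, str]:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return out


def compare_plugin(installed: str, fresh: str) -> Dict[str, Set[str]]:
    """Diff the server copy of a plugin against a fresh download of the same version."""
    a, b = tree_hashes(installed), tree_hashes(fresh)
    return {
        "added": set(a) - set(b),       # on the server only: the prime suspects
        "missing": set(b) - set(a),     # shipped with the plugin but gone on the server
        "modified": {p for p in set(a) & set(b) if a[p] != b[p]},  # same name, different bytes
    }


def _write_tree(root: str, files: Dict[str, str]) -> None:
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


# Constructed sample: a fresh plugin download and the (tampered) copy found on the server.
PLUGIN_MAIN = "<?php\n/* Plugin Name: Example */\nrequire_once __DIR__ . '/class.example.php';\n"
PLUGIN_CLASS = "<?php\nclass Example { public static function init() { return true; } }\n"
INJECTED = "<?php @eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgbWFsd2FyZQ=='));\n"


def build_sample_dirs() -> Tuple[str, str]:
    fresh = tempfile.mkdtemp(prefix="plugin_fresh_")
    installed = tempfile.mkdtemp(prefix="plugin_installed_")
    _write_tree(fresh, {"example.php": PLUGIN_MAIN, "class.example.php": PLUGIN_CLASS,
                        "readme.txt": "=== Example ===\n"})
    _write_tree(installed, {"example.php": PLUGIN_MAIN,
                            "class.example.php": PLUGIN_CLASS + INJECTED,  # appended payload
                            "example.cache.php": INJECTED})                # dropped file
    return installed, fresh


if __name__ == "__main__":
    installed_dir, fresh_dir = build_sample_dirs()
    for kind, paths in compare_plugin(installed_dir, fresh_dir).items():
        print(kind, sorted(paths))
```

Make sure the fresh copy is the same version as the one installed; otherwise every file touched in the newer release shows up as modified and the real changes are buried in noise. Files reported as added are the ones to open first.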

After you have figured out which files are hacked and distributing malware, delete them right away. If you have found a hacked plugin with a large number of files, it is probably more efficient to delete the whole plugin and reinstall it from scratch. Most of the time, plugin options and settings are stored in your site’s database, so restoring the default plugin files won’t harm you.

Once you remove all of your hacked WordPress files, the Pharma Hack symptoms should disappear and the search results for your site will return to normal after a few days (Google needs to re-crawl your site in order to verify that it’s clean). However, this does not end the clean-up process, as you will still have to deal with the leftover code in the database.

Keep in mind that if any hack files are left behind, your WordPress site will get reinfected by the Pharma Hack sooner or later. That said, let’s move on to the database cleanup.

Removing malicious code from the WordPress database

All of the instructions below involve database manipulation; therefore, it is important to create a backup of your database (if you haven’t already done so) and follow the instructions closely, as any improvisation might lead to crashing your site.

Again, if you are not comfortable with making edits through phpMyAdmin, it is a good idea to hire a professional or try our Malware Removal Service.

Log in to phpMyAdmin

If you are using a hosting package with cPanel, then this is an easy step. You just need to click the ‘phpMyAdmin’ icon:


Otherwise, you will need a phpMyAdmin login URL, username and password. Your hosting provider should be able to help you with this.

Selecting the correct database

Once you are logged in, select the correct database to make sure you are making changes in the right place.

If you have more than one database, check your wp-config.php file for the database name. It is in the following line of code: define('DB_NAME', 'yourdatabasename');

Searching for malicious code

Now that you’ve selected the right database, navigate to the ‘wp_options’ table (the table prefix may differ, depending on what was set when your WordPress site was installed). There should be a list of WordPress tables on the left side of the screen (you can either click that entry or the ‘Browse’ button in the list in the middle):


After you select the wp_options table, search for the malicious database entries using the Search tab at the top of the page.


The entries you will need to search for by entering them into the ‘option_name’ field are as follows:

  • wp_check_hash
  • class_generic_support
  • widget_generic_support
  • ftp_credentials
  • fwp
  • rss_%
    Attention! In this case, delete all matches except rss_language, rss_use_excerpt and rss_excerpt_length (these are legitimate WordPress database entries).

Pay close attention not to delete important information from the wp_options table, as that could produce errors or even crash your WordPress site.
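The option_name search above, including the rss_% exceptions, and the decoding of the backwards-stored strings from the earlier section can be scripted so that nothing is deleted by hand. The script below is an added example, not code from the original article: it applies the article’s list to a wp_options table, tries to decode each matching value (as stored and reversed, since the article describes the strings as stored backwards; treating that as reversed base64 is an assumption about the exact encoding) so you can see what the entry would run, and only then deletes the matches. It uses an in-memory SQLite table as a stand-in for the MySQL table you would see in phpMyAdmin; the rows, the rss_7f3a1c name and the payload are constructed.

```python
import base64
import binascii
import re
import sqlite3
from typing import Dict, List, Optional

# option_name entries from the article; rss_* has three legitimate WordPress exceptions.
SUSPECT_EXACT = {"wp_check_hash", "class_generic_support", "widget_generic_support",
                 "ftp_credentials", "fwp"}
RSS_LEGIT = {"rss_language", "rss_use_excerpt", "rss_excerpt_length"}


def is_suspect_option(name: str) -> bool:
    """Apply the article's list: exact names, plus any rss_* name except the legit three."""
    return name in SUSPECT_EXACT or (name.startswith("rss_") and name not in RSS_LEGIT)


def try_decode(value: str) -> Optional[str]:
    """Decode a base64 value as stored or reversed; None if it is not base64 text at all."""
    for candidate in (value, value[::-1]):
        if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", candidate):
            continue
        try:
            text = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def _check_prefix(prefix: str) -> None:
    # The prefix comes from wp-config.php, not from users, but it is still interpolated into SQL.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("invalid table prefix: %r" % prefix)


def find_suspect_options(conn: sqlite3.Connection, prefix: str = "wp_") -> List[Dict]:
    """List wp_options rows whose option_name matches the article's indicators."""
    _check_prefix(prefix)
    rows = conn.execute("SELECT option_id, option_name, option_value FROM %soptions" % prefix)
    hits = []
    for option_id, name, value in rows:
        if is_suspect_option(name):
            hits.append({"option_id": option_id, "option_name": name,
                         "option_value": value, "decoded": try_decode(value)})
    return hits


def purge_suspect_options(conn: sqlite3.Connection, prefix: str = "wp_") -> List[str]:
    """Delete the matching rows (after backing up the database) and return their names."""
    _check_prefix(prefix)
    names = [h["option_name"] for h in find_suspect_options(conn, prefix)]
    conn.executemany("DELETE FROM %soptions WHERE option_name = ?" % prefix,
                     [(n,) for n in names])
    conn.commit()
    return names


# Constructed stand-in for a WordPress wp_options table.
SAMPLE_PAYLOAD = "echo 'constructed sample, not malware';"   # what a real entry would hide


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT, option_value TEXT)")
    b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    conn.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", [
        ("siteurl", "https://example.com"),
        ("rss_language", "en"),                       # legit rss_ entry, must survive
        ("rss_use_excerpt", "0"),
        ("rss_excerpt_length", "55"),
        ("rss_7f3a1c", b64[::-1]),                    # hack entry: base64 stored backwards
        ("class_generic_support", b64),               # hack entry: plain base64
        ("wp_check_hash", 'a:1:{i:0;s:4:"test";}'),   # hack entry: not base64 at all
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_suspect_options(db):
        print(hit["option_name"], "->", hit["decoded"] or "(not base64)")
    print("deleted:", purge_suspect_options(db))
```

Review the decoded column before purging: a value that decodes to readable PHP confirms the entry is part of the hack. Note that ftp_credentials is also written by WordPress itself when it performs updates over FTP, so if your site uses that update method, inspect that row rather than deleting it on the strength of its name alone.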

How to verify your WP site is clean

Repeat the Google search using the same search operators

After you remove the hacked files from your site, the search results on Google should normalize. Repeat the Google search using the advanced search operators to check whether any of the pages still show up in the results.

It wouldn’t be a surprise if some Pharma Hack results still show up: Google has been indexing your site for a while and it might take days or weeks for the damage to be undone. It could also mean that some hack files are still present on the server, so you should repeat the Pharma Hack cleanup procedure.

Use Google Webmaster Tools


Google Webmaster Tools should be used to reindex the site after the Pharma Hack has been completely removed. The Index Status and Malware options can show you whether the site is still flagged as infected by Google.

How to Scan your site for Pharma Hacked entries

There are a number of security plugins that can determine whether or not there is a malware infection on your site. As stated before, the Pharma Hack can be extremely difficult to catch, so it is completely possible that it will be missed by a security plugin.

There are also site scanners that various companies provide for free.

How to force Google re-index your Pharma Hack Free WordPress Site

Submit a new sitemap

A sitemap contains a list of all of the pages and posts of your site. Submitting the sitemap might speed up the reindexing process. If you already have a sitemap, try deleting it and re-submitting it. This will also remove all pharma-related pages and URLs (if any).

Google’s Remove Outdated Content Tool

Some pages may still be indexed with the Pharma Hack content, so they need to be submitted for removal. Even though your WordPress site is now Pharma Hack free, some of the hacked pages will still show in Google’s search results. Google lets you ask for those outdated pages to be removed through the Remove Outdated Content tool. If that’s the case, copy the URL as shown in the Google search results, paste it into the tool and ask for removal.

How to secure the site for any future hacking attacks

Every successful (or unsuccessful) hacking attempt starts by trying to exploit weaknesses on the site. Most often, a malware infection is possible because of outdated or obsolete software, such as an outdated WordPress core, themes and plugins. Regular updates are an important step in increasing your site’s security.

After removing the malware, you might want to change your FTP credentials, remove unknown users and limit user privileges. It is also a good idea to install a security plugin and to monitor your site.

We suggest you read our detailed article on How to Protect a WordPress site from being Hacked, it’s a long one but we’re certain it will help you secure your WordPress website from hacks like Pharma and Malware Redirects.

Repeat the Pharma Cleanup for all your WordPress sites

If you’re hosting more than one WordPress site under the same hosting account, then you MUST clean all of the sites or else they will be hacked again and again. It’s very common for us to receive Hacked Fix Requests for a WordPress site only to find two or more sites under the same hosting account. In this case, we suggest our clients let us clean them all; otherwise we prefer to drop the request, because we can’t guarantee that the site they asked us to clean will stay clean in the near future.

Final Thoughts

The Pharma Hack has been around for a long time and it is always evolving. Removing it is always difficult and time-consuming, especially if reinfection occurs. The steps for diagnosing and fixing the hack provided in this article should help you efficiently battle this problem and reduce the chances of it recurring in the future. However, if you are not sure that you have succeeded in removing the Pharma Hack and securing your site against future hacking attempts, you might want to opt for our WordPress Support and Maintenance Services. It may be an additional cost now, but it can save you money in the long run.

If your WordPress site has been infected with the Japanese Hack then we suggest taking a look at our How To Identify And Fix The Japanese Keyword Hack guide.

Photo by JOSHUA COLEMAN on Unsplash
