How to Detect and Fix WordPress Pharma Hack

Let’s face the truth – WordPress is the most appealing CMS for hackers. Over 810 million websites use the content management system, and sites running on it may become victims of malware attacks unless they take security measures to fight against it. A Pharma Hack (or Google Viagra Hack) is one of WordPress websites’ most common security risks. 

It’s easy to differentiate Pharma Hack from any other WordPress security breach. Did you search for your site and come across a strange pharma title showing up next to your site’s title? That is how the Pharm Hack works. Just in case it happens to you, keep calm and fix the issue using the steps we describe in this article. 

There are several ways to fix the Pharma Hack and prevent it from happening. There are also methods of getting rid of the results of this security breach without tweaking the code, which will sound appealing to non-techies. Still, let’s put things first and take a closer look at the definition of a Pharma Hack. What stands behind it?

What Is a Pharma Hack? 

Pharma hack, or Google Viagra hack, is a kind of SEO spam attack when legitimate websites are used to promote and sell illicit drugs like Viagra and Cialis. Whenever a website is infected with malware like the favicon.ico virus, it displays pharma ads for selling banned medicines. The Pharma hack is more dangerous because you won’t notice it when you open your site’s pages and look through its content. The texts and visuals are not always visible to a user. However, when you attempt to search your site through Google, you may be surprised by pharma texts you have never dealt with before.  

How Does the Pharma Hack Work?

Who is a potential victim of a Pharmaceutical hack? We’ve often said a website should be regularly updated to prevent security breaches and hacking attacks. The risk of a pharmaceutical hack isn’t an exception. Websites that neglect WordPress security, do not install recent updates, and have coding flaws are potential targets of pharmaceutical hacks. 

To advertise illegal content on your website, pharma hackers employ blackhat SEO techniques, leveraging other websites’ keyword rankings to drive traffic to their own. They integrate pharma keywords into the content and add redirects directly to pharma websites from your site’s pages. Additionally, they manipulate page titles to make your website appear as a pharmaceutical site in search results, as shown in the example below:

yourdomain.com > Buy Viagra Online
yourdomain.com > Cheap Cialis Pills

Furthermore, malicious code isn’t confined to CSS files and the frontend; it can also be hidden in root files such as index.php, config.php, .htaccess, wp-config.php, and others. This makes detecting such additions in your site’s HTML files extremely challenging. Consequently, search engines may blacklist your website once they discover this malicious code during their scanning process.

The main reasons why hackers target WordPress websites encompass a variety of nefarious purposes, including but not limited to:

• Selling or promoting drugs or illegal medications at lower prices, mainly targeting users in regions like the USA, where pharmaceuticals are significantly more expensive. This allows them to exploit price differentials and cater to users seeking affordable alternatives.
• Redirecting legitimate sites to malicious links compromises the affected websites’ security and trustworthiness. This tactic enables hackers to drive traffic to their malicious destinations, such as phishing pages or scam websites.
• Utilizing your website for hosting phishing pages is designed to trick unsuspecting visitors into divulging sensitive information such as login credentials, financial details, or personal data.

WordPress websites with high Domain Authority and low Spam Scores are particularly attractive to hackers because they can leverage the site’s established reputation to advance their malicious objectives. By infiltrating such reputable platforms, hackers can effectively amplify the reach and impact of their illicit activities.

Moreover, in the pharmaceutical industry, the allure of targeting WordPress sites lies in the potential to exploit the price differentials between countries, particularly targeting users in regions where medications are prohibitively expensive. This allows hackers to profit from selling drugs at more affordable prices, thus attracting a larger pool of customers.

Additionally, hacking WordPress sites may also serve as a tactic for undermining competitors by tarnishing their reputation or sabotaging their online presence. By compromising the security and integrity of rival websites, hackers can gain a competitive advantage or exact revenge in the fiercely competitive online landscape.

Ways to Detect WordPress Pharma Hack

In most cases, identifying a Pharma hack on your WordPress site can be initiated by various signs, such as running a simple Google search or receiving reports from your customers about encountering unexpected pop-ups redirecting them to illegal drug stores. Another red flag is noticing your site ranking for keywords unrelated to your industry. If you suspect foul play, follow these steps to determine if your site has fallen victim to a Pharma hack:

Google search with site: operator

To begin, conduct a Google search using the site: operator followed by your website’s domain. This search helps uncover any pharma-related words or pages indexed on your site.

Security Alerts at Google Search Console

Check for security alerts within Google Search Console. This tool provides insights into any security issues detected on your site, including indications of a Pharma hack.

Users Added at Google Search Console or WordPress

Keep an eye out for any unauthorized users added to your Google Search Console or WordPress account. Hackers may add themselves to gain control over your site’s settings and facilitate malicious activities.

Sitemap changed

Monitor changes to your website’s sitemap. If altered unexpectedly, it could indicate unauthorized modifications, potentially related to a Pharma hack. Verify the sitemap’s content to accurately reflect your site’s structure and content.

WordPress Files changed

Regularly inspect your WordPress files for any unauthorized modifications. Attention critical files like index.php, .htaccess, wp-config.php, and others. Any unauthorized changes could signify a Pharma hack.

Redirects to the pharma websites

Check for any redirects from your site to pharma websites. If any of your site’s pages redirect users to unauthorized pharmaceutical sites, it clearly indicates a Pharma hack.

More than one .htaccess file

Inspect your website’s directory for multiple .htaccess files. Having more than one could indicate a Pharma hack, particularly if one of the files contains directives for unauthorized redirects or other malicious activities.

Changing in traffic

Be vigilant for fluctuations in your site’s traffic, particularly sudden decreases. Redirects to pharma websites can divert traffic away from your site, resulting in noticeable decreases in analytics data.

By proactively monitoring these indicators and promptly addressing any suspicious activity, you can mitigate the impact of a Pharma hack and safeguard your WordPress site’s integrity and reputation.

How to Fix Pharma Hack

To fix the “Pharma Hack,” there are three primary approaches: hiring web developers, using plugins, and manual cleanup. However, it’s crucial to note that only one method can provide a 100% guarantee of a clean website: hiring web developers for website maintenance.

Hire Web Developers

Hiring web developers is often the most effective way to ensure a thorough and lasting solution to the Pharma Hack issue. Web developers possess the expertise to analyze the code, identify vulnerabilities, and implement robust security measures. Businesses can ensure continuous monitoring and prompt response to security threats by entrusting website maintenance to professionals. This approach offers a comprehensive solution tailored to the website’s specific needs, reducing the risk of future attacks.

The process typically involves:

• Initial assessment. Web developers assess the website’s current state, identify vulnerabilities, and determine the extent of the Pharma Hack.
• Remediation plan. A detailed plan is devised to address the identified vulnerabilities and implement necessary security measures.
• Implementation. Web developers execute the remediation plan, which may involve updating software, patching vulnerabilities, and enhancing security protocols.
• Ongoing maintenance. Regular website maintenance and monitoring are crucial to maintaining the website’s security posture. Web developers provide continuous support to address emerging threats and ensure optimal performance.

To ensure comprehensive website maintenance and protection against hacks, hire a web developer for website maintenance at IT Monks.

Detecting and Cleaning Pharma Hack with a Plugin 

MalCare is one of the best WordPress malware scanners in the industry. With its help, you can detect the hacks and security breaches other plugins fail to discover. 

• To get started, you need to sign up and MalCare will start scanning your website for malicious code instantly. 
• In the next step, you need to clean your website. Removing malware with MalCare is easy while simply enabling the Autoclean option. 

It takes under 60 seconds to scan your website and detect and clean malware if it’s found. 

Manual Pharma Fix Step-by-Step

This method won’t work for users without idea about WordPress, PHP, HTML, and JavaScript. It also takes more time to detect malware manually, so using a malware scanner plugin is better if you have limited time. 

Regardless of the two methods you choose and how skilled you are, backup your WordPress site before starting a malware check. A minor mistake may put your site at risk of crashing. Playing safe and having a backup with a working version of your site is always a good idea. 

Once ready, take the following steps to manually run a malware scan on your site. 

1. WebSite Backup

Creating a website backup is crucial before making any changes to ensure you can revert to a previous version if anything goes wrong during the cleanup process. Backups capture the entire state of your website, including files, databases, and configurations. This step provides a safety net and peace of mind throughout the cleanup process.

2. Review the Core Files

Inspecting core files involves examining essential files in your WordPress installation for any signs of malicious code or unauthorized changes. This includes files like index.php, wp-config.php, and .htaccess, which hackers often target to inject malicious scripts or redirect traffic to spammy sites. By carefully reviewing these files, you can identify and remove any suspicious code inserted by the Pharma Hack.

• index.php: This file is the main entry point for your WordPress site. Look for any unfamiliar code at the beginning or end of the file and any base64-encoded or obfuscated code that may indicate malicious activity.
• wp-config.php: This file contains sensitive information about your WordPress installation, such as database credentials. Check for any unauthorized changes, such as additional database connections or users, which could indicate a security breach.
• .htaccess: The .htaccess file controls server configurations and can be used to redirect traffic or manipulate URLs. Look for any unexpected redirects or rewrite rules, especially those related to pharmaceutical products, as these could be signs of the Pharma Hack.

3. Check Theme and Plugin Directories

Themes and plugins are common targets for hackers due to their widespread use and potential vulnerabilities. Inspecting these directories helps identify any malicious code injected into theme or plugin files.

• Themes: Navigate to the wp-content/themes directory and inspect each theme folder. Look for added code in files like functions.php, especially at the beginning or end of files, as well as any additional files that don’t belong to the theme.
• Plugins: Similarly, go to wp-content/plugins and review each plugin folder. Check the main plugin file for unfamiliar code and look for any extra files that hackers may have added.

4. Database Check

Accessing your WordPress database allows you to inspect user accounts and other data for any unauthorized changes made by hackers.

• wp_users table: Check for any unauthorized user accounts that hackers may have created. Look for unfamiliar usernames or suspicious activity.
• Other tables: Review other tables in the database for any malicious entries or changes made by hackers. Pay attention to areas like post content, comments, and settings that may have been altered.

5. Search for Malicious Files

Using FTP or a file manager, search through your website’s files to identify any suspicious files or directories that may have been added by hackers.

• Suspicious file names: Look for files like shell.php or backdoor.php, which hackers commonly use to gain unauthorized access to websites.
• Uploads directory: Check the uploads directory for any unexpected files that don’t belong to your WordPress installation, as hackers may use this directory to store malicious files.

6. Sitemap Spam Pages Remove

If the Pharma Hack has created spammy URLs in your website’s sitemap, remove them to prevent search engines from indexing them. Spammy URLs can harm your site’s SEO and reputation, so cleaning them up is essential.

7. Remove Unfamiliar Users

Identify and remove any unfamiliar user accounts from both your WordPress dashboard and Google Search Console. Hackers may create new user accounts with similar email addresses to blend in with legitimate users, so reviewing user lists and removing suspicious accounts is crucial.

8. Password Reset

Changing passwords for all user accounts, as well as for your hosting account, FTP, and database, helps prevent unauthorized access to your website. Strong, unique passwords are essential for maintaining security, so make sure to choose complex passwords and update them regularly to mitigate the risk of future attacks.

Steps to Take After Cleaning Your Site

After cleaning your website from any hacks or security vulnerabilities, it’s essential to take certain steps to ensure that search engines recognize your site as clean and safe for visitors. Here are the steps to follow:

1. Clean Cache

Clearing your website’s cache is important to ensure visitors see your site’s updated, clean version. Even if you’ve cleaned all the hacked pages, cached versions may still display the hacked content. Remember that it may take some time for search engines to update their caches, so be patient and monitor the situation regularly.

2. Index Pages

After cleaning your website, it’s essential to reindex the pages to notify search engines, particularly Google, about the changes. You can do this using Google Search Console (GSC) or the Indexing API. By reindexing your pages, you ensure that search engines crawl and index the clean versions of your website, which can help improve your site’s visibility in search results.

3. Ping Google about Clean up

In addition to reindexing your pages, it’s a good practice to inform Google directly about the cleanup process. This can be done by submitting a validation request through Google Search Console. If Google has flagged any pages with security alerts, addressing them and requesting a reevaluation once the cleanup is complete is important. Validating the fix in Google Search Console helps ensure that search engines and visitors perceive your website as secure and trustworthy.

How Websites Become Affected by Pharma Hack

Pharma Hacks typically occur due to website security vulnerabilities, often exploiting weaknesses in popular platforms like WordPress. Here’s how it might happen:

• Outdated Software. Failure to update WordPress core, themes, and plugins regularly leaves websites vulnerable to exploits. Hackers often target outdated software to gain unauthorized access to websites.
• Weak Passwords. Using weak or easily guessable passwords for WordPress admin accounts and hosting accounts increases the risk of brute-force attacks. Hackers can exploit weak passwords to gain control of websites and inject malicious code.
• Insecure Plugins and Themes. Installing plugins and themes from unreliable sources or using poorly coded extensions can introduce website security vulnerabilities. Hackers exploit these vulnerabilities to insert Pharma Hack scripts into websites.
• Lack of Security Measures. Websites lacking essential security measures such as firewalls, malware scanners, and intrusion detection systems are more susceptible to Pharma Hacks. Hackers can infiltrate websites undetected without proper protection and carry out malicious activities.
• Unsecured File Uploads. Allowing users to upload files to your website without proper validation and security checks can lead to the upload of malicious files. Hackers may exploit this vulnerability to upload Pharma Hack scripts disguised as legitimate files.
• SQL Injection and Cross-Site Scripting (XSS). Failure to sanitize user inputs and validate data can expose websites to SQL injection and XSS attacks. Hackers use these techniques to inject malicious code into websites and execute unauthorized actions.

To prevent Pharma Hacks and other security breaches, it’s crucial to implement robust security measures and follow best practices for WordPress security. Regularly updating software, using strong passwords, vetting plugins and themes, and employing security plugins are essential steps to protect websites from cyber threats.For more information on WordPress security and how to safeguard your website against Pharma Hacks, check out our comprehensive guide on WordPress security.

Bottom Line

It’s not an easy thing to clean a hacked site. However, it’s a vital procedure that you should complete to keep it running properly, have strong positions in search engines, and provide your customers with an enjoyable and safe browsing experience.

Detecting and fixing WordPress Pharma hacks using a security plugin is one of the most effective and quickest ways of deleting malicious code from your site. Besides, you should also keep all plugins and themes installed on your site always updated. Using a strong WordPress password is the very least step that you can take to avoid security breaches in the future.