How to Detect and Fix WordPress Pharma Hack

Let’s face the truth – WordPress is the most appealing CMS for hackers. More than 65% of websites available on the present-day web use, the content management system and sites running on it may become victims of malware attacks unless they take the needed security measures to fight against malware attacks. A Pharma Hack (also known as Google Viagra Hack) is one of the most common security risks for WordPress websites. 

It’s easy to differentiate Pharma Hack from any other WordPress security breach. Did you search for your site and came across a strange pharma title showing up next to your site’s title? That is how the Pharm Hack works. Just in case it happens to you, keep calm and fix the issue with the help of the steps we describe in this article. There are several ways to fix the Pharma Hack and prevent it from happening in the future. There are also methods of getting rid of the results of this security breach without tweaking the code, which will sound appealing to non-techies. Still, let’s put first things first and take a closer look at the definition of the Pharma Hack. What stands behind it? 

What Is a Pharma Hack? 

Pharma hack, or Google Viagra hack, is a kind of SEO spam attack when legitimate websites are used to promote and sell illicit drugs like Viagra and Cialis. Whenever a website is infected with a malware like the favicon.ico virus, it starts displaying pharma ads for selling banned medicines. The thing that makes the Pharma hack more dangerous is that you won’t notice it when you open any of your site’s pages and look through its content. The texts and visuals are not always visible to a user. However, when you attempt to find your site through Google search, you may be surprised by seeing pharma texts that you have never dealt with before. 

How Does the Pharma Hack Work?

Who is a potential victim of a Pharma hack? Many times, we’ve already said that a website should be regularly updated to prevent security breaches and hacking attacks. The risk of a pharma hack isn’t an exception. Websites that neglect WordPress security, do not install the recent updates, and have coding flaws are the potential target of pharma hacks. 

To advertise illegal content on your website, pharma hackers use blackhat SEO techniques, which use other websites’ keyword ranking to drive traffic to their own. They also hide the malicious code within the CSS files and in the frontend, making it impossible for you to notice such additions in the HTML files of your site. Even though you won’s such additions to your website’s code, search engines will get your website blacklisted once they find malicious code after scanning your site. 

The main reasons why hackers target WordPress websites include any or all of the following purposes:

• To sell or promote drugs or illegal medications;
• To redirect a legit site to malicious links;
• To use your website for hosting phishing pages.

WordPress websites with a good Domain Authority and low Spam Score are especially appealing to hackers. They can take advantage of your site’s reputation for bringing their malicious purposes to life. 

A website that experiences this kind of hack is likely to experience such implications as: 

• Getting blacklisted by Google. The search engine will reveal an alert message in search results for all visitors; 
• Your website will be treated as spammy if you don’t clean it for long; 
• In rare cases, Google bans websites from being displayed in search results;
• You may also notice a drop in search engines for the keywords you are targeting;
• High bounce rate;
• Web host suspensions;
• Getting your website blacklisted by email providers;
• A major decline in your brand’s image and reputation.

All of these consequences will take you some time and effort to be fixed. So, it’s better to prevent them from happening in advance while taking several basic steps to detect WordPress pharma hacks. 

Ways to Detect WordPress Pharma Hack

In most cases, you will find out that your WordPress site experiences a Pharma hack by running a simple Google search or finding out from your customers that something weird pop-ups are redirecting them to illegal drug stores. Another reason to feel worried about is while noticing that your site starts ranking for keywords that have little to no relation to your industry. If you suspect that something goes wrong with your WordPress site, consider taking the following steps to check if you have become a victim of a Pharma hack. 

• Search for the name of your site in Google and use the terms of banned drags next to your domain name. 
• Find your website through Google search and visit it. If you are redirected to a different web page, you have become a victim of a redirect hack, which is another form of the Pharma hack. 
• Visit your site from a phone. In many cases, hackers target the mobile versions of websites.
• Check your site inside Google Search Console. 
• Use a malware scanner. 

The last point seems to be the most effective for detecting hidden malicious code on your site on the server level. 

2 Ways to Fix a Pharma Hack 

There are 2 ways to fix the WordPress Pharma hack: 

• The easiest way is while using a plugin;
• Running a manual scan is a more complicated method that requires some technical skills.

Let’s take a closer look at each of these methods and how to fix the WordPress Pharma hack step-by-step. 

Detecting and Cleaning Pharma Hack with a Plugin 

MalCare is one of the best WordPress malware scanners in the industry. With its help, you can detect the hacks and security breaches that other plugins fail to discover. 

• To get started, you need to sign up and MalCare will start scanning your website for malicious code instantly. 
• In the next step, you need to clean your website. Removing malware with MalCare is easy while simply enabling the Autoclean option. 

It takes under 60 seconds to scan your website and detect and clean malware if it’s found. 

Manual Scan

This method won’t work for users who have no idea about WordPress, PHP, HTML, and JavaScript. It also takes more time to detect malware manually, so it’s better to use a malware scanner plugin if you have limited time. 

No matter which of these two methods you choose and how skilled you are, backup your WordPress site before starting a malware check. A minor mistake may put your site at the risk of crashing. It’s always a good idea to play safe and have a backup with a working version of your site. 

Once ready, take the following steps to run a malware scan on your site manually. 

#1 Download .php files

In most cases, a Pharma hack is found in such .php files as index.php, footer.php, and header.php. To download any of these, take the following steps: 

• In your web host account, navigate to cPanel > File Manager > public_html > index.php. Download the file with the right-click on it. 
• To download the header.php file, navigate to cPanel > File Manager > public_html > Themes. Open the theme you use on your site and download the header.php file with the right-click. The footer.php file is placed in the same location. Right-click to download. 

#2 Download the original copy of .php files

Follow this link to download the index.php file, which is part of the core WordPress files. Ensure that you download the same version that is used on your site.

The footer.php and header.php files are part of the WordPress theme installed on your site. If you use a premium theme, you will need to get a copy of your theme from the marketplace where you bought it. If you work with a free WordPress theme, you can get a copy at wordpress.org. 

#3 Run the Diff Check 

To begin with, navigate here to download Diffchecker to upload both versions of .php files and run the diff check. If you find files that were not included in the original files, it’s likely that they are part of the Pharma hack. The most common functions that you can find in malicious scripts include:

• eval
• base64_decode
• gzinflate
• preg_replace
• str_rot13
• exec 
• system 
• assert 
• stripslashes 
• Move_uploaded_file

Ensure that you do not remove any code unless you are 100% confident that it’s malicious. 

You should also mind that Diffchecker is not a 100% replacement for malware scanners. What it does is letting you identify malicious scripts through the elimination process. If you remove some snippets that were not affected by the hack, you could end up wrecking your site. That’s why getting a backup version of your site saved on a cloud service is always a win-win idea. 

Steps to Take After Cleaning Your Site

In many cases, WordPress Pharma hacks hit your site due to the vulnerabilities in plugins and themes that you have installed on it. If you do not take care of them, you risk getting the Pharma hack back on your site. Take the following steps to avoid it from happening ever again. 

• Update your WordPress theme and plugins. 
• Get rid of inactive plugins and themes. 
• Delete all nulled plugins and themes. 

You should also take care of detecting and removing rogue admin accounts, which hackers commonly create to reach your site’s admin area after it’s been cleaned. 

Bottom Line

It’s not an easy thing to clean a hacked site. However, it’s a vital procedure that you should complete to keep it running properly, have strong positions in search engines, and provide your customers with an enjoyable and safe browsing experience.

Detecting and fixing WordPress Pharma hacks using a security plugin is one of the most effective and quickest ways of deleting malicious code from your site. Besides, you should also keep all plugins and themes installed on your site always updated. Using a strong WordPress password is the very least step that you can take to avoid security breaches in the future. 

FAQ