How to Detect and Fix WordPress Pharma Hack

Let’s face the truth – WordPress is the most appealing CMS for hackers. Over 810 million websites use the content management system, and sites running on it may become victims of malware attacks unless they take security measures to fight against it. A Pharma Hack (or Google Viagra Hack) is one of WordPress websites’ most common security risks. 

It’s easy to differentiate Pharma Hack from any other WordPress security breach. Did you search for your site and come across a strange pharma title showing up next to your site’s title? That is how the Pharm Hack works. Just in case it happens to you, keep calm and fix the issue with the help of the steps we describe in this article. 

There are several ways to fix the Pharma Hack and prevent it from happening. There are also methods of getting rid of the results of this security breach without tweaking the code, which will sound appealing to non-techies. Still, let’s put first things first and take a closer look at the definition of the Pharma Hack. What stands behind it?

What Is a Pharma Hack? 

Pharma hack, or Google Viagra hack, is a kind of SEO spam attack when legitimate websites are used to promote and sell illicit drugs like Viagra and Cialis. Whenever a website is infected with a malware like the favicon.ico virus, it displays pharma ads for selling banned medicines. The Pharma hack is more dangerous because you won’t notice it when you open your site’s pages and look through its content. The texts and visuals are not always visible to a user. However, when you attempt to search your site through Google, you may be surprised by pharma texts you have never dealt with before.  

How Does the Pharma Hack Work?

Who is a potential victim of a Pharma hack? We’ve often said a website should be regularly updated to prevent security breaches and hacking attacks. The risk of a pharma hack isn’t an exception. Websites that neglect WordPress security, do not install recent updates and have coding flaws are the potential target of pharma hacks. 

To advertise illegal content on your website, pharma hackers use blackhat SEO techniques, which use other websites’ keyword rankings to drive traffic to their own. They also hide the malicious code within the CSS files and in the frontend, making it impossible for you to notice such additions in the HTML files of your site. Search engines will get your website blacklisted once they find malicious code after scanning your site. 

The main reasons why hackers target WordPress websites include any or all of the following purposes:

• To sell or promote drugs or illegal medications;
• To redirect a legit site to malicious links;
• To use your website for hosting phishing pages.

WordPress websites with good Domain Authority and low Spam Scores are especially appealing to hackers. They can use your site’s reputation to bring their malicious purposes to life. 

A website that experiences this kind of hack is likely to experience such implications as: 

• Getting blacklisted by Google. The search engine will reveal an alert message in search results for all visitors; 
• Your website will be treated as spammy if you don’t clean it for long; 
• In rare cases, Google bans websites from being displayed in search results;
• You may also notice a drop in search engines for the keywords you are targeting;
• High bounce rate;
• Web host suspensions;
• Getting your website blacklisted by email providers;
• A major decline in your brand’s reputation.

All of these consequences will take some time and effort to fix. So, preventing them from happening in advance while taking several steps to detect WordPress pharma hacks is better.

Ways to Detect WordPress Pharma Hack

In most cases, you will find out that your WordPress site experiences a Pharma hack by running a simple Google search or finding out from your customers that something weird pop-ups are redirecting them to illegal drug stores. Another reason to feel worried is while noticing that your site starts ranking for keywords that have little to no relation to your industry. If you suspect something goes wrong with your WordPress site, consider taking the following steps to check if you have become a victim of a Pharma hack. 

• Search for the name of your site in Google and use the terms of banned drags next to your domain name. 
• Find your website through Google search and visit it. If you are redirected to a different web page, you have become a victim of a redirect hack, which is another form of the Pharma hack. 
• Visit your site from a phone. In many cases, hackers target mobile versions of websites.
• Check your site inside Google Search Console. 
• Use a malware scanner. 

The last point seems to be the most effective for detecting hidden malicious code on your site on the server level. 

2 Ways to Fix a Pharma Hack 

There are 2 ways to fix the WordPress Pharma hack: 

• The easiest way is while using a plugin;
• Running a manual scan is a more complicated method that requires some technical skills.

Let’s take a closer look at each of these methods and how to fix the WordPress Pharma hack step-by-step. 

Detecting and Cleaning Pharma Hack with a Plugin 

MalCare is one of the best WordPress malware scanners in the industry. With its help, you can detect the hacks and security breaches other plugins fail to discover. 

• To get started, you need to sign up and MalCare will start scanning your website for malicious code instantly. 
• In the next step, you need to clean your website. Removing malware with MalCare is easy while simply enabling the Autoclean option. 

It takes under 60 seconds to scan your website and detect and clean malware if it’s found. 

Manual Scan

This method won’t work for users without idea about WordPress, PHP, HTML, and JavaScript. It also takes more time to detect malware manually, so using a malware scanner plugin is better if you have limited time. 

Regardless of the two methods you choose and how skilled you are, backup your WordPress site before starting a malware check. A minor mistake may put your site at risk of crashing. Playing safe and having a backup with a working version of your site is always a good idea. 

Once ready, take the following steps to run a malware scan on your site manually. 

#1 Download .php files

A Pharma hack is usually found in such .php files as index.php, footer.php, and header.php. To download any of these, take the following steps: 

• In your web host account, navigate to cPanel > File Manager > public_html > index.php. Download the file with the right-click on it. 
• To download the header.php file, navigate to cPanel > File Manager > public_html > Themes. Open the theme you use on your site and download the header.php file with the right-click. The footer.php file is placed in the same location. Right-click to download. 

#2 Download the original copy of .php files

Follow this link to download the index.php file, part of the core WordPress files. Ensure that you download the same version that is used on your site.

The footer.php and header.php files are part of the WordPress theme installed on your site. If you use a premium theme, you must get a copy of your theme from the marketplace where you bought it. If you work with a free WordPress theme, you can get a copy at wordpress.org. 

#3 Run the Diff Check 

To begin with, navigate here to download Diffchecker to upload both versions of .php files and run the diff check. If you find files that were not included in the original files, they are likely part of the Pharma hack. The most common functions that you can find in malicious scripts include:

• eval
• base64_decode
• gzinflate
• preg_replace
• str_rot13
• exec 
• system 
• assert 
• stripslashes 
• Move_uploaded_file

Ensure you do not remove any code unless you are 100% confident it’s malicious. 

You should also mind that Diffchecker is not a 100% replacement for malware scanners. What it does is letting you identify malicious scripts through the elimination process. If you remove some snippets not affected by the hack, you could end up wrecking your site. That’s why saving a backup version of your site on a cloud service is always a win-win idea. 

Steps to Take After Cleaning Your Site

In many cases, WordPress Pharma hacks hit your site due to the vulnerabilities in plugins and themes that you have installed on it. If you do not care for them, you risk getting the Pharma hack back on your site. Take the following steps to avoid it from happening ever again. 

• Update your WordPress theme and plugins. 
• Get rid of inactive plugins and themes. 
• Delete all nulled plugins and themes. 

You should also detect and remove rogue admin accounts, which hackers commonly create to reach your site’s admin area after it’s been cleaned. 

Bottom Line

It’s not an easy thing to clean a hacked site. However, it’s a vital procedure that you should complete to keep it running properly, have strong positions in search engines, and provide your customers with an enjoyable and safe browsing experience.

Detecting and fixing WordPress Pharma hacks using a security plugin is one of the most effective and quickest ways of deleting malicious code from your site. Besides, you should also keep all plugins and themes installed on your site always updated. Using a strong WordPress password is the very least step that you can take to avoid security breaches in the future.