Fixing the Pharma Hack – WordPress Edition
“Cheap viagra and cialis!”
Ugh. So, you have fallen victim to a pharma hack. Relax… those “hackers” aren’t as smart as you think.
While it comes in many flavors, the pharma hack generally shows itself as a visible link somewhere in your header, navigation, or body copy. You may have noticed the link on a page, or (yikes!) seen it appear as a sitelink or search result for your website in Google. While the “how” may not be immediately evident, the “why” is fairly universal – these trespassers want to leverage your website to gain visibility and clicks for their pharmaceutical ads.
How the $@#! did they do that?!
Well, while you remembered to lock the front door, someone left a back door wide open. So, your task is to find that back door, brick it over and seal it for all time. Then make sure the windows are locked too.
There are a few main areas to look for the culprit – your theme, your plugins, your uploads folder, and finally your database.
Pest Control – Theme
To test your theme, simply deactivate it and activate WordPress’ default theme. Then visit the page and see if the little bugger shows itself on screen or within the source code. If you can no longer find the hack when viewing your site code, you have found the problem – consider yourself lucky, since it should be an easy fix. Simply load an uncompromised backup of your theme or review your files to find the offending code – it will generally look like a large block of PHP gibberish using functions like eval() and base64_decode(), though this isn’t always the case. Check the “functions.php” file first – that is a popular place for offending code.
Pest Control – Plugins
With all of the free plugins out there, it’s no wonder that some fall prey to malicious code. Keeping your installation of WordPress, your plugins, and your themes up to date is a good way to prevent infections, but it won’t stop them all. To test your plugins, either deactivate them all through the “Plugins” administration area, or create a folder in the “wp-content/plugins” folder and move all of the plugins there temporarily (this will automatically deactivate all of your plugins). If the hack disappears, go ahead and reactivate your plugins one-by-one until it shows back up, then remove or update that plugin. I have heard that the “Akismet” spam plugin is targeted regularly (the irony isn’t lost on me), so you may want to check there first if it’s installed/active.
Pest Control – Uploads Folder
Since the “uploads” folder generally has writable permissions set, it can be a popular place for hacks. Look in the root and the various upload folders for any PHP files that should not be there (usually there aren’t any PHP files at the folder root) and quarantine/review and delete those you find.
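The theme and uploads checks described above can be run in one pass. The script below is an added example, not part of the original post: it lists PHP files under “uploads” and flags theme, plugin, and upload files that call eval() or base64_decode(). The function names, the extension list, the two extra decoder names, and the sample tree are assumptions made for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Extensions a server may execute as PHP (assumption: adjust to your config).
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# eval/base64_decode are named in the article; the other two are added here.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_wp_content(wp_content):
    """Return sorted (relative_path, reason) findings under a wp-content folder."""
    root = Path(wp_content)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTS:
            continue
        rel = path.relative_to(root)
        if rel.parts[0] == "uploads":
            # Media folders normally hold no PHP at all, so any hit is worth a look.
            findings.append((rel.as_posix(), "PHP file in uploads"))
        if rel.parts[0] in ("themes", "plugins", "uploads"):
            calls = sorted({m.group(1).lower().decode() for m in SUSPICIOUS.finditer(path.read_bytes())})
            if calls:
                findings.append((rel.as_posix(), "calls " + ", ".join(calls)))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed tree (not real site data) for a dry run."""
    files = {
        "themes/mytheme/functions.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "themes/mytheme/index.php": b"<?php get_header(); ?>",
        "uploads/2015/03/photo.jpg": b"\xff\xd8\xff",
        "uploads/2015/03/cache.php": b"<?php echo 1; ?>",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # path to a real wp-content folder
    else:
        target = tempfile.mkdtemp()
        build_sample(target)
    for rel, reason in scan_wp_content(target):
        print(f"{rel}: {reason}")
```

Treat the output as a list of files to review rather than a verdict, since legitimate plugins also call base64_decode(), and, as noted above, injected code doesn’t always use these functions.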
Pest Control – Database
Okay, so your database may be infected if you haven’t been able to locate the offender using the methods above. Go ahead and back up your current database if you haven’t already – you don’t want to accidentally delete something and grenade the whole website. So, with your backup in pocket, head on over to phpMyAdmin (or whatever database management software you or your host is using) and access your WordPress database. Aim your sights at the “wp_options” table – this is generally where the malicious code is stored and where the spam is most likely being loaded from. If you are familiar with the structure and content that should be present in the “wp_options” table, go ahead and review the entries manually until you find something that doesn’t belong. Otherwise, I would suggest performing a search for some of the “option_name” entries listed here.
Security and Prevention
So, we have closed all of the back doors at this point – now we just need to slide the deadbolts. Securing your WordPress site is key to preventing these kinds of unwarranted intrusions. There are many free plugins available that can accomplish this, like All In One WP Security & Firewall for example. This plugin provides many options for locking down your website’s files and database, along with protection from brute force attacks against your login form.