Fixing the Pharma Hack – WordPress Edition

Feb 03 2015 Featured Content, Tutorials

“Cheap viagra and cialis!”

Ugh. So, you have fallen victim to a pharma hack. Relax… those “hackers” aren’t as smart as you think.

The Hack

While it comes in many flavors, the pharma hack generally shows itself as a visible link somewhere in your header, navigation, or body copy. You may have noticed the link on a page, or (yikes!) seen it appear as a sitelink or search result for your website in Google. While the “how” may not be immediately evident, the “why” is fairly universal – these trespassers want to leverage your website to gain visibility and clicks for their pharmaceutical ads.

How the $@#! did they do that?!

Well, while you remembered to lock the front door, someone left a back door wide open. So, your task is to find that back door, brick it over and seal it for all time. Then make sure the windows are locked too.

There are a few main areas to look for the culprit – your theme, your plugins, your uploads folder, and finally your database.

Pest Control – Theme

To test your theme, simply deactivate it and activate WordPress’ default theme. Then visit the page and see if the little bugger shows itself on screen or within the source code. If you can no longer find the hack when viewing your site code, you have found the problem – consider yourself lucky, since it should be an easy fix. Simply load an uncompromised backup of your theme or review your files to find the offending code – it will generally look like a large block of PHP gibberish using functions like eval() and base64_decode(), though this isn’t always the case. Check the “functions.php” file first – that is a popular place for offending code.

Pest Control – Plugins

With all of the free plugins out there, it’s no wonder that some fall prey to malicious code. Keeping your installation of WordPress, your plugins, and your themes up to date is a good way to prevent infections, but it won’t stop them all. To test your plugins, either deactivate them all through the “Plugins” administration area, or create a new folder inside the “wp-content/plugins” folder and move all of the plugins into it temporarily (this will automatically deactivate all of your plugins). If the hack disappears, go ahead and reactivate your plugins one-by-one until it shows back up, then remove or update that plugin. I have heard that the “Akismet” spam plugin is targeted regularly (the irony isn’t lost on me), so you may want to check there first if it’s installed/active.

Pest Control – Uploads Folder

Since the “uploads” folder generally has writable permissions set, it can be a popular place for hacks. Look in the root and the various upload folders for any PHP files that should not be there (usually there aren’t any PHP files at the folder root) and quarantine/review and delete those you find.
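As an added example (not part of the original article), the theme, plugin and uploads checks above can be run as one pass over wp-content with a short Python script. The function names, the list of PHP suffixes and the sample tree are assumptions made for illustration; a hit is a file to review by hand, not proof of infection.

```python
import os
import re

# Markers named in the article: eval() and base64_decode().
OBFUSCATION = re.compile(rb"\b(eval|base64_decode)\s*\(", re.IGNORECASE)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")  # assumption: suffixes your server runs as PHP


def scan_wp_content(wp_content):
    """Return a sorted list of (relative_path, reason) findings for manual review."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
            if rel.startswith("uploads/"):
                # Media uploads never need an executable PHP file.
                findings.append((rel, "php-in-uploads"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            hits = {m.group(1).lower().decode() for m in OBFUSCATION.finditer(data)}
            if {"eval", "base64_decode"} <= hits:
                findings.append((rel, "eval+base64_decode"))
            elif hits:
                findings.append((rel, "uses " + ", ".join(sorted(hits))))
    return sorted(findings)


def build_sample_tree(base):
    """Write a constructed sample tree (harmless stand-ins, not real malware)."""
    samples = {
        "themes/mytheme/functions.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "themes/mytheme/index.php": b"<?php get_header(); ?>",
        "plugins/example/example.php": b"<?php $x = base64_decode($row); ?>",
        "uploads/2015/01/photo.jpg": b"\xff\xd8\xff",
        "uploads/2015/01/cache.php": b"<?php echo 'hi'; ?>",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
```

Legitimate plugins also call base64_decode(), so the “uses …” findings are the noisiest; the combined eval+base64_decode and php-in-uploads findings deserve attention first.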

Pest Control – Database

Okay, so your database may be infected if you haven’t been able to locate the offender using the methods above. Go ahead and back up your current database if you haven’t already – you don’t want to accidentally delete something and grenade the whole website. So, with your backup in pocket, head on over to phpMyAdmin (or whatever database management software you or your host is using) and access your WordPress database. Aim your sights at the “wp_options” table – this is generally where the malicious code is stored and where the spam is most likely being loaded from. If you are familiar with the structure and content that should be present in the “wp_options” table, go ahead and review the entries manually until you find something that doesn’t belong. Otherwise, I would suggest performing a search for some of the “option_name” entries listed here.
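As an added example (not from the original article), the manual review of the options table can be narrowed by flagging values that contain PHP code or the spam terms, either in the clear or inside a base64 blob. It assumes the rows were exported as (option_name, option_value) pairs; the function names, the 40-character threshold and the sample rows are constructed for illustration.

```python
import base64
import re

PHP_MARKERS = ("<?php", "eval(", "base64_decode(")   # code has no place in option values
SPAM_WORDS = ("viagra", "cialis")                    # the terms quoted in this article
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")          # assumption: 40+ chars is worth decoding


def decoded_runs(value):
    """Decode every long base64-looking run found inside an option value."""
    texts = []
    for run in B64_RUN.findall(value):
        run = run[: len(run) - (len(run) % 4 == 1)]   # a lone trailing char cannot decode
        padded = run + "=" * (-len(run) % 4)
        try:
            texts.append(base64.b64decode(padded).decode("utf-8", "replace"))
        except ValueError:
            continue
    return texts


def review_options(rows):
    """Return [(option_name, reasons)] for rows that need a human look."""
    flagged = []
    for name, value in rows:
        layers = [("plain", value or "")]
        layers += [("base64", text) for text in decoded_runs(value or "")]
        reasons = set()
        for layer, text in layers:
            low = text.lower()
            reasons.update(f"{layer}:{m}" for m in PHP_MARKERS + SPAM_WORDS if m in low)
        if reasons:
            flagged.append((name, sorted(reasons)))
    return flagged


def sample_rows():
    """Constructed rows for an offline run; the example_* option names are made up."""
    hidden = base64.b64encode(b'<a href="http://spam.example/">cheap cialis</a>').decode()
    return [
        ("siteurl", "https://example.com"),
        ("blogdescription", "Just another WordPress site"),
        ("example_widget_cache", 'a:1:{s:4:"data";s:64:"' + hidden + '";}'),
        ("example_loader", "<?php eval(base64_decode($payload)); ?>"),
    ]
```

Some legitimate plugins store encoded data in their options, so compare each flagged row against a clean backup before deleting it.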

Security and Prevention

So, we have closed all of the back doors at this point – now we just need to slide the deadbolts. Securing your WordPress site is key to preventing these kinds of unwarranted intrusions. There are many free plugins available that can accomplish this, such as All In One WP Security & Firewall. This plugin provides many options for locking down your website’s files and database, along with protection from brute force attacks against your login form.

  • Earnest_M

    Hey, great article. I did end up finding the code inside the functions.php file. I deleted it and I haven’t been able to see it anywhere else. I’ve also gone and installed and configured All In One WP Security. Will that be enough?

    • digitaltapfl

      It will definitely make it harder for them to do it! All In One WP Security & Firewall provides enough security to dissuade the majority of “hackers”. They generally target your login form and/or vulnerabilities within plugins and themes, so I would be sure to use the “Rename Login Page Feature” and configure the “Firewall” and “Filesystem Security” settings. You would not believe how many “hackers” try to break your login page – simply activating the failed login notification feature for a few days will blow your mind. Also be sure to use very strong passwords (All In One provides a generator to help with this) and keep your plugins, themes, and version of WordPress up to date.

      Thanks for reading!

      • Earnest_M

        Thanks for the swift reply. Do you know anything about updating your website through webmaster to get the search description updated without the annoying cialis, pay day loan stuff?

        • digitaltapfl

          Check out this resource provided by Google, it may provide some answers:

          Otherwise, Google will reindex your website eventually, and the hacked text will disappear from search results. Google indexes much quicker these days, so it probably wouldn’t take too long.

          • Earnest_M

            Thanks again. Well, All In One… is working. Just had 5 site lockout notifications.

  • Shaun Butler

    So, with the hack affecting Google results, how do you know if you’ve actually fixed it? Surely only time will tell once Google crawls your site again?

    • digitaltapfl

      Exactly – you will need to wait for Google to index your website again. If you fixed the problem, the search results will reflect that.

  • Scott K

    Using your Google webmaster tool, you can initiate a Googlebot to fetch and render your site as the Googlebot sees your site, then you know you have nailed it… scott

  • Pharma hack. Wordfence free version spotted five files with bad code - and showed the code, and Sucuri noted the same files were changed.

    The files are in the wp-includes directory.

    However, nothing about the database.

    The files cannot be removed without bringing down the site.

  • Kris Johnson

    I did fetch as Google, got a list of the offending URLs and added them to the dynamic assembled robots.txt function in functions.php. Plus I added preg_match in the main index.php at the top to look at $_SERVER['REQUEST_URI'] to find viagra – cialis, etc. and replace it with the normal web URL of my home page.