WordPress is considered the best Content Management System (CMS). Because it is such a popular CMS platform, WordPress-powered websites are the most attractive target for hackers. In 2010, the Pharma hack was one of the serious threats to WordPress sites. Although theme developers like the Thesis Theme team and StudioPress Themes, along with the WordPress core developers, are trying to make the platform more secure, it is still best practice to keep your WordPress-powered site up to date and to use online tools like Sucuri to learn about the latest threats and malware, so that your site stays safe and secure.

What is a Pharma Hack

If your website looks like a pharmacy-related website instead of a helpful web resource, or your content does not show up when people search for your keywords on Google or other search engines, it means your site is affected by the WordPress Pharma hack. When users search for your website with a relevant keyword, the search engine will not display your site; it will display web pages related to pharmaceutical companies.

According to Pearsonified, who was affected by the WordPress pharma hack and has written a detailed article on it:

The WordPress pharma hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spammy links into the page content. Interestingly, the modified title tag and spammy links are only visible to search engines.

[Image: hacked search results]

The three red arrows highlight <title> tags that were cloaked by the WordPress pharma hack.

This is a big loss for site owners. They work hard to get good traffic, yet they may never realize that their search engine traffic is gone and that visits are going down every day, because hackers have put malicious code in their web pages that replaces their links and Google descriptions and steals their search links.

There are a lot of tutorials and articles on protecting a WordPress-powered website from hackers. Some of the best tutorials available on WPArena are:

Today, I am simply going to compile a list of useful articles and tutorials, along with tips and tricks for diagnosing, fixing, and preventing the WordPress Pharma Hack.

Understanding WordPress Pharma Hack Penetration

There are different ways attackers insert malicious code into a WordPress installation to get control over the database, the plugin files, and even WordPress core files, for example by adding code to the .htaccess file. According to Sucuri, which can provide the best protection service for your websites and web servers, the WordPress pharma hack adds its malicious code in three parts:

  •  The backdoor that allows the attackers to insert files and modify the database.
  •  Backdoor inside one (or more) plugins to insert the spam.
  •  Backdoor inside the database used by the plugins.

If you fix one of the three but forget about the rest, you’ll most likely be reinfected, and the spam will continue to be indexed.

As always, we recommend that you update your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure; it’s when you’re running old versions, and out of date plugins/themes that run into trouble. Keep your stuff up to date, and it will minimize the risk of infection significantly.

[Source: Understanding and Cleaning the Pharma hack on WordPress]

On the other hand, according to Pearsonified, this kind of attack has two parts. There are malicious files in the WordPress plugins folder that contain identifiable PHP functions like eval() and base64_decode(), and in this respect the pharma hack is no exception among hacks of this kind. The difference with the pharma hack is that these functions are stored in the WordPress database as strings, and they are encoded backward, which opens a backdoor that later runs the strings from the database. At runtime, a hack file in the plugins folder pulls these strings from the database, flips ‘em, and then runs ‘em as functions, and that’s how the deed gets done.

The hack pings Google Blog Search with queries like this one to see how many links a particular page has, and then it stores the results in the database. At runtime, the hack uses the number of links to determine which pages to target. [Source: WordPress Pharma hack ]
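The backward-encoding trick described above defeats a plain search for eval or base64_decode, so a database check has to test each stored string in both directions. The following is an added example, not code from Pearsonified or Sucuri; the option names and row values are constructed, and the function list covers only the two functions named on this page.

```python
import re

# Function names the page identifies; extend the tuple as needed.
SUSPICIOUS = ("eval", "base64_decode")
# Match a name only when it is not part of a longer identifier or word.
TOKEN = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(SUSPICIOUS) + r")(?![A-Za-z0-9_])"
)

def scan_value(value):
    """Return sorted (function, orientation) hits found in one stored string."""
    hits = set()
    for orientation, text in (("forward", value), ("reversed", value[::-1])):
        for match in TOKEN.finditer(text):
            hits.add((match.group(1), orientation))
    return sorted(hits)

def scan_rows(rows):
    """rows: iterable of (option_name, option_value); returns {name: hits}."""
    report = {}
    for name, value in rows:
        hits = scan_value(value)
        if hits:
            report[name] = hits
    return report

# Constructed sample rows (hypothetical option names, not real indicators).
SAMPLE_ROWS = [
    ("example_site_title", "My gardening blog"),
    ("example_widget_cache", "edoced_46esab"),
    ("example_hash_check", ";))'...'(edoced_46esab(lave"),
    ("example_medieval_note", "A post about medieval history"),
]

if __name__ == "__main__":
    for name, hits in scan_rows(SAMPLE_ROWS).items():
        print(name, hits)
```

Feed it the name and value columns exported from the options table of the WordPress database; every hit still needs a manual look before anything is deleted.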

WordPress Pharma Hack Effects

In most (not all) cases the spammy links and/or content are cloaked or hidden from the visitors of your site; they are only visible to search engine bots. When a search engine bot makes a request for a page on your site, in addition to the page being requested, the bot will identify itself in the user agent field. Scripting languages such as PHP and JavaScript can read this value and determine when the request is coming from a search engine bot.

The form of the pharma hack varies from site to site. It can hit a single page or 1000s of pages; on some sites the hackers add 100s of hidden links to online pharmacy sites to the legitimate pages of a site. On other sites, the hackers use a cloaked or conditional hack which returns the spammy content only to a search engine bot. Another common method is to add a PHP file to the site that returns the spammy content. The methods for accomplishing a pharma hack also vary from site to site, from some generic methods effective against all sites to more specific ways that target the sites’ CMS such as WordPress or Joomla. [Source: Spam Hacks, The Pharmacy Hack, The Porn Hack]
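Because the cloak keys on the user agent field, a site owner can compare what their own page returns to a browser with what it returns to a crawler user agent. The following is an added example, not code from any of the cited articles; the HTML samples and host names are constructed, and check_site() is a hypothetical helper meant to be pointed at your own site.

```python
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
LINK = re.compile(r"<a\s[^>]*href=[\"']?https?://([^/\"'\s>]+)", re.I)

def summarize(html):
    """Extract the title and the set of external link hosts from one response."""
    title = TITLE.search(html)
    return {"title": " ".join(title.group(1).split()) if title else "",
            "hosts": {host.lower() for host in LINK.findall(html)}}

def compare_views(browser_html, crawler_html):
    """Report what the crawler view contains that the browser view does not."""
    b, c = summarize(browser_html), summarize(crawler_html)
    return {"title_changed": b["title"] != c["title"],
            "browser_title": b["title"],
            "crawler_title": c["title"],
            "crawler_only_hosts": sorted(c["hosts"] - b["hosts"])}

def fetch(url, user_agent, timeout=10):
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8", errors="replace")

def check_site(url):
    """Fetch the same URL with both user agents and compare the two views."""
    return compare_views(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))

# Constructed responses standing in for the two fetches, so this runs offline.
BROWSER_HTML = ("<html><head><title>My Gardening Blog</title></head><body>"
                "<a href='https://example.org/about'>About</a></body></html>")
CRAWLER_HTML = ("<html><head><title>Cheap Pills Online</title></head><body>"
                "<a href='https://example.org/about'>About</a>"
                "<a href='http://pharma-spam.example/buy'>buy</a></body></html>")

if __name__ == "__main__":
    print(compare_views(BROWSER_HTML, CRAWLER_HTML))
```

An unchanged title does not clear the site: a cloak can also key on the referer or on the crawler's IP address, neither of which this comparison reproduces.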

According to research, the Pharma Hack typically affects websites in three ways:

  1. Results are visible on search engines only
  2. Tough to eliminate
  3. Highest ranked pages are targeted

Detail: Web security – SEO poisoning- pharma hack

Jaspal Sahota has detailed the WordPress pharma hack's effects on the .htaccess file, along with other vulnerabilities: If you know how to read the .htaccess file, you’ll see that the planted code only works when the visitor is coming from Google, AOL or Yahoo:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/xyz/public_html/common.php -f
RewriteRule ^.*$ /common.php [L]
</IfModule>

Again, the final file (common.php) was planted. [Source: Pharmahack]
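The planted rules above share one recognizable shape: a RewriteRule guarded by conditions that match search-engine names against the user agent or referer. The following is an added example, not code from the cited article, that flags that shape in an .htaccess file; the legitimate block in the sample is constructed and simplified, and the engine list holds only the names that appear in the planted rules.

```python
import re

# Search-engine names taken from the planted rules quoted above.
ENGINES = re.compile(r"google|yahoo|aol", re.I)
SERVER_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")

def find_cloaking_rules(htaccess_text):
    """Flag each RewriteRule guarded by a condition that matches search-engine
    names against the user agent or referer."""
    findings, conds = [], []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            keyed = [(var, pat) for var, pat in conds
                     if var.upper() in SERVER_VARS and ENGINES.search(pat)]
            if keyed:
                findings.append({"line": lineno, "target": parts[2],
                                 "conditions": keyed})
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

# Constructed sample: a simplified legitimate block, then the planted one.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/xyz/public_html/common.php -f
RewriteRule ^.*$ /common.php [L]
"""

if __name__ == "__main__":
    for finding in find_cloaking_rules(SAMPLE):
        print(finding)
```

The target of every flagged rule (here /common.php) is a file to inspect and, if it was planted, remove together with the rule.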

Protecting Your Site from WordPress Pharma Hack

There is a very useful article on WordPress hack prevention at FAQ_My_site_was_hacked. In the following list I have compiled helpful articles that provide step-by-step instructions on how to protect your site from a WordPress pharma hack attack:

How to Diagnose and Remove the WordPress Pharma Hack

You’ll have to dig through the two places where the hack is known to romp—your WordPress plugins folder and your WordPress database.

WordPress Pharma Hack

This is quite a different attack vector than say brute-forcing passwords on a WordPress site. If you know a little about what you’re doing, this is pretty straightforward. In fact, you can script these things pretty easily; this example was written by a hacker over a weekend.

Pharma Hack Fix for WordPress

It is a brilliant plan. If it weren’t so illegal – it would be perfect. As far as I can tell, they employ a 3 stage process. (Thanks for the help figuring this all out from my friend David, who is a super knowledgeable dude with this sort of stuff.)

How To Completely Clean Your Hacked WordPress Installation

Step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

How to find a backdoor in a hacked WordPress

What’s a backdoor? Well, when somebody gets into your site, the very first thing that happens is that a backdoor is uploaded and installed. These are designed to allow the hacker to regain access after you find and remove him. Done craftily, these backdoors will often survive an upgrade as well, meaning that you stay vulnerable forever until you search for and clean the site up.

WordPress Security Tips You Most Likely Don’t Follow

A list of the top 5 tips that most WordPress administrators do not do, but should:

How to increase the safety of WordPress

In this article, we will see a series of technical and not that improve the security of WordPress in a shared and dedicated, by changing some settings and adding the appropriate plugin.

Wrap up

Hopefully, you now understand what the pharma hack is and have learned how to protect your websites from these kinds of hacks. If you still have any questions, please let me know in the comments section below.

Noor Mustafa Raza


I am a WordPress Developer and Designer, author @WPArena. I provide free WordPress consultation and can help small businesses and bloggers install WordPress in a secure way.

Join the Conversation

1 Comment

  1. Indeed, getting link juice no matter what is one of the main reasons high PR websites are hacked. I just hope by now most website owners will stop thinking that just because their websites are tucked somewhere invisible to the naked eye, those websites are secure enough. As always, once you have something of great value, the bad guys are just around the corner. Security should be baked into any WordPress website setup, not an afterthought. The sooner you harden your website’s security the better, but it’s not a set-it-and-forget-it matter either.
