How to Protect Your WordPress Website from a Pharma Hack

WordPress is the best Content Management System (CMS) platform on the planet, and with it developers can build all kinds of websites for their clients. Because it is such a popular CMS platform, WordPress-powered websites are the most attractive targets for hackers. In 2010, the Pharma hack was one of the serious threats to WordPress websites. Although theme teams such as The Thesis Theme team and the WordPress core developers are trying to make it more secure, the best practice is to keep your WordPress-powered site always up to date and to use online tools like Sucuri to learn about the latest threats and malware and keep the site safe and secure.

What is Pharma hack:

If your website looks like a pharmacy-related website instead of a helpful Web resource, or does not show your own content when people search for your keywords on Google or other search engines, it means your site is affected by the WordPress Pharma hack. When users search for your site with the relevant keyword, the search engine will not display your website; it will display pharmaceutical companies' web pages instead.

According to Pearsonified, who was affected once and wrote a detailed article on the WordPress Pharma hack:

The WordPress pharma hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spammy links into the page content. Interestingly, the modified title tag and spammy links are only visible to search engines.

[Image: hacked search results]

The three red arrows highlight <title> tags that were cloaked by the WordPress pharma hack. [Source: WordPress Pharma hack]

This is a big loss for site owners: they have worked hard to get good traffic, yet they never learn that the traffic is no longer coming from search engines and is going down every day, because hackers have put malicious code in their web pages that replaces their links and Google description and steals their search links.

There are lots of tutorials and articles on protecting a WordPress-powered website (wparena’s: how to find remove and protect WordPress site from malware and Identifying removing and preventing malware on your WordPress site), but today I am simply going to compile a list of useful articles and tutorials, along with tips and tricks for diagnosing, fixing and preventing the WordPress Pharma Hack.

Understanding WordPress Pharma Hack Penetration

There are different ways attackers insert malicious code into WordPress files to gain control over the database, plugin files and even WordPress core files, such as adding code to the .htaccess file. According to Sucuri, which can provide the best protection service for your websites and web servers, the WordPress pharma hack has three parts that add malicious code:

  •  Backdoor that allows the attackers to insert files and modify the database.
  •  Backdoor inside one (or more) plugins to insert the spam.
  •  Backdoor inside the database used by the plugins.

If you fix one of the three, but forget about the rest, you’ll most likely be reinfected and the spam will continue to be indexed.

As always, we recommend that you update your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure, it’s when you’re running old versions, and/or out of date plugins/themes that you run into trouble. Keep your stuff up to date, and it will minimize the risk of infection significantly.

[Source: Understanding and Cleaning the Pharma hack on WordPress]

On the other hand, according to Pearsonified, these kinds of attacks happen in two parts. First, there are malicious files in the WordPress plugins folder which contain identifiable PHP functions like eval() and base64_decode(), which is nothing unusual for a hack of this kind. What sets the Pharma hack apart is that these functions are stored in the WordPress database as strings, and they’re encoded backwards, which opens a backdoor for running the strings from the database later. At runtime, a hack file in the plugins folder pulls these strings from the database, flips ‘em, and then runs ‘em as functions, and that’s how the deed gets done.

The hack pings Google Blog Search with queries like this one to see how many links a particular page has, and then it stores the results in the database. At runtime, the hack uses the number of links to determine which pages to target. [Source: WordPress Pharma hack ]
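A triage sketch for the two halves described above, added here as an example and not taken from Pearsonified or Sucuri: it flags eval()/base64_decode() calls in plugin source and backwards-written copies of those names in database values. The sample file, the option rows and the option names are constructed, and matching the reversed names as whole tokens is an assumption about how the strings are stored.

```python
import re

# Function names the article cites as markers of the plugin-side backdoor.
SUSPECT = ("eval", "base64_decode")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(SUSPECT), re.I)
# The same names written backwards, as the database half is said to store them.
REVERSED = {name[::-1]: name for name in SUSPECT}
REVERSED_RE = re.compile(
    r"(?<![A-Za-z0-9_])(%s)(?![A-Za-z0-9_])" % "|".join(map(re.escape, REVERSED)),
    re.I,
)


def scan_plugin_source(path, source):
    """Return (path, line_no, function) for each suspect call in a PHP file."""
    return [
        (path, line_no, m.group(1).lower())
        for line_no, line in enumerate(source.splitlines(), start=1)
        for m in CALL_RE.finditer(line)
    ]


def scan_option_rows(rows):
    """Return (option_name, function) for values holding a reversed name."""
    return [
        (name, REVERSED[m.group(1).lower()])
        for name, value in rows
        for m in REVERSED_RE.finditer(value)
    ]


# Constructed samples: one plugin file and three (option_name, option_value) rows.
SAMPLE_PLUGIN = "<?php\n// constructed sample\n$x = eval(base64_decode($blob));\n"
SAMPLE_ROWS = [
    ("blogname", "Enclave travel notes"),  # benign: "lave" inside a longer word
    ("constructed_option", '))"PLACEHOLDER"(edoced_46esab(lave'),
    ("siteurl", "https://example.test"),
]

if __name__ == "__main__":
    for hit in scan_plugin_source("plugins/sample/sample.php", SAMPLE_PLUGIN):
        print("file hit:", hit)
    for hit in scan_option_rows(SAMPLE_ROWS):
        print("db hit:", hit)
```

Legitimate plugins also call base64_decode(), so each hit is a lead to review by hand, not proof of infection.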

WordPress Pharma Hack Effects

In most (not all) cases the spammy links and/or content is cloaked or hidden from your site's visitors; it is only visible to search engine bots. When a search engine bot makes a request for a page on your site, in addition to the page being requested a search engine bot will identify itself in the user agent field. Scripting languages such as PHP and JavaScript can read this value and determine when the request is coming from a search engine bot.

The form of the pharma hack varies from site to site, it can hit a single page or 1000s of pages, on some sites the hackers add 100s of hidden links to on-line pharmacy sites to the legitimate pages of a site.  On other sites the hackers use a cloaked or conditional hack which returns the spammy content only to a search engine bot.  Another common method is to add a php file to the site that returns the spammy content. The methods for accomplishing a pharma hack also vary from site to site, from some generic methods effective against all sites, to more specific methods that target the sites’ CMS such as WordPress or Joomla. [Source: Spam Hacks, The Pharmacy Hack, The Porn Hack]
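Because the cloaked content is keyed on how the requester identifies itself, a site owner can compare two copies of the same page: one saved as a normal visitor and one saved as a search engine crawler. The sketch below is an added example, not code from any of the quoted sources; the class and function names are hypothetical and both HTML samples are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageFacts(HTMLParser):
    """Collect the <title> text and the hosts of every <a href> link."""

    def __init__(self):
        super().__init__()
        self.title, self.hosts, self._in_title = "", set(), False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            host = urlparse(dict(attrs).get("href") or "").netloc.lower()
            if host:
                self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def cloaking_report(visitor_html, crawler_html):
    """Diff the copy a normal visitor gets against the copy a crawler gets."""
    visitor, crawler = PageFacts(), PageFacts()
    visitor.feed(visitor_html)
    crawler.feed(crawler_html)
    return {
        "title_differs": visitor.title.strip() != crawler.title.strip(),
        "crawler_title": crawler.title.strip(),
        "crawler_only_hosts": sorted(crawler.hosts - visitor.hosts),
    }


# Constructed responses for one URL: as a browser sees it and as a crawler sees it.
VISITOR_HTML = ('<html><head><title>Garden Tips</title></head><body>'
                '<a href="https://example.test/about">About</a></body></html>')
CRAWLER_HTML = ('<html><head><title>Cheap Pills Online</title></head><body>'
                '<a href="https://example.test/about">About</a>'
                '<a href="http://pharma-spam.invalid/buy">pills</a></body></html>')

if __name__ == "__main__":
    print(cloaking_report(VISITOR_HTML, CRAWLER_HTML))
```

A changed title or a host that appears only in the crawler copy matches the symptoms described above and is the cue to start the file and database clean-up.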

According to websitedefender a Pharma Hack typically affects websites in three ways:
1. Results are visible on search engines only
2. Very difficult to eliminate
3. Highest ranked pages are targeted
Detail: Web security – SEO poisoning- pharma hack

Jaspal Sahota has detailed how the WordPress Pharma hack affects the .htaccess file, along with other vulnerabilities (if you know how to read an .htaccess file, you’ll see that the planted code only works when the visitor is coming from Google, AOL or Yahoo):

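<IfModule mod_rewrite.c>
RewriteEngine On
# Match requests whose User-Agent or Referer names a search engine
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
# ...for a directory URL or an html/htm/php file
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
# ...other than common.php itself, and only if the planted file exists
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/xyz/public_html/common.php -f
# Serve the planted common.php in place of the requested page
RewriteRule ^.*$ /common.php [L]
</IfModule>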

Again, the final file (common.php) was planted. [Source: Pharmahack]
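One way to spot this kind of planted rule during clean-up, as an added example that is not part of the quoted article: the function below reports every RewriteRule whose preceding RewriteCond lines test the User-Agent or Referer against a search engine name. The function name is hypothetical, the engine list is taken from the rule above, and the sample combines that rule with the usual WordPress front-controller rule as a benign control.

```python
import re

ENGINES = ("google", "yahoo", "aol")  # names that appear in the planted rule
GATE_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def find_conditional_redirects(htaccess_text):
    """Return findings for rules gated on a search engine User-Agent/Referer."""
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2).lower()))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        gates = sorted({
            var.strip("%{}")
            for var, pattern in pending
            if var in GATE_VARS and any(e in pattern for e in ENGINES)
        })
        if gates:
            findings.append(
                {"line": line_no, "gated_on": gates, "target": rule.group(2)}
            )
        pending = []  # conditions apply only to the next RewriteRule
    return findings


# Constructed .htaccess: benign WordPress rule first, then the rule quoted above.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/xyz/public_html/common.php -f
RewriteRule ^.*$ /common.php [L]
"""

if __name__ == "__main__":
    for finding in find_conditional_redirects(SAMPLE_HTACCESS):
        print(finding)
```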

Protecting from WordPress Pharma Hack

There is a very useful article on WordPress hack prevention at FAQ_My_site_was_hacked. In the following list I have compiled helpful articles that provide step-by-step instructions on how to protect against the WordPress pharma hack:

How to Diagnose and Remove the WordPress Pharma Hack

You’ll have to dig through the two places where the hack is known to romp—your WordPress plugins folder and your WordPress database.

WordPress Pharma Hack

This is quite a different attack vector than say brute-forcing passwords on a WordPress site. If you know a little about what you’re doing, this is actually pretty straight forward. In fact, you can script these things pretty easily; this example was written by a hacker over a weekend.

Pharma Hack Fix for WordPress

It is really a brilliant plan. If it weren’t so illegal – it would be perfect. As far as I can tell, they employ a 3 stage process. (Thanks for the help figuring this all out from my friend David, who is a super knowledgeable dude with this sort of stuff.)

How To Completely Clean Your Hacked WordPress Installation

Step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

How to find a backdoor in a hacked WordPress

What’s a backdoor? Well, when somebody gets into your site, the very first thing that happens is that a backdoor is uploaded and installed. These are designed to allow the hacker to regain access after you find and remove him. Done craftily, these backdoors will often survive an upgrade as well, meaning that you stay vulnerable forever, until you find and clean the site up.

Top 5 WordPress Security Tips You Most Likely Don’t Follow

A list of the top 5 tips that most WordPress administrators do not do, but should:

How to increase the safety of WordPress

In this article we will see a series of technical and not that improve the safety of WordPress in a shared and dedicated, by changing some settings and adding the appropriate plugin.

Secure WordPress Themes providers:

StudioPress Premium WordPress Themes, PageLines CMS WordPress Themes, elegant themes, MOJO Themes, themeforest


  • Nur

    I am a WordPress, Website Developer and Designer, creator @ WP Arena, Provide Free WordPress consultation and can help to install WordPress in a secure way to small businesses and bloggers.