I’ve been called in a couple of times recently by clients to fix hacked sites. What makes it worse is that they were victims of a very pernicious attack know as the Pharma Hack.
I want to make you aware of this hack and give you tools to find if you are a victim and how to fix it.
What Is The Pharma Hack
When your site is infected with this hack, you will be inadvertently giving links to Pharma sites selling Viagra and Cialis and other disco drugs. Not the most professional thing for people to see in Google linked to your site.
The hack is a black hat SEO attack, these people are trying to increase links to their site for the keywords viagra, cialis et al.
Your post descriptions in Google will contain references to drugs rather the the real title you set for you post.
Why Is It So Tricky
It cloaks itself from the site owner very carefully, unless you regularly check your site’s index on google you will not see the effect of this hack, to the site owner it looks very much like business as usual.
It searches for your most high ranking pages and only links from them. It selectively decides which pages to infect, why bother with low ranking posts!!
It has many layers and if one is compromised, the others enable the “hack owners ” to re-actiave the scripts on your site. It infects the following layers
- WordPress core files
- Plugins
- Uplaods direcotry
- Databse wp-options table
This is cunning coding, if these people put this type of skill into useful projects they would make a million.
Identifying If You’ve Been Attacked
The quickest way is to run a check on your site to see if you have been infected, is to check on your site’s index in Google. Run the following search in Google:
site:{yourdomain.com} viagra
If you see unusual meta descriptions in Google linked to legitimate blog posts then you have probably been hacked.
What Can You Do?
There is a very detailed fix supplied by Securi.net, but in essence you need t:
- Clean up WordPress
- Clean up your plugins
- Clean up your uploads directory
- Edit your database to remove rogue entries
All of this is pretty technical stuff, you need to understand how WordPress works at a pretty low level to fix this, miss just one infected component and your site will be re-infected.
UPDATE: Dec 2011
I’ve written a follow up post on cleaning up your index in Google after the hack Refreshing The Google Index After Pharma Hack
Need More Help Fixing Your Hacked Site?
I’ve create a WordPress Hack Recovery Course
8 thoughts on “The WordPress Pharma Hack”
Thanks for the head’s up Neil. As always, so appreciate your timely info and updates. If we’re hacked, we’ll contact you!
Hi Neil,
Thank you so much for the info about the Pharma Hackers. I believe you nailed it regarding my site. I would like to know more about how you might help me. Trying to fix this myself is most likely beyond my abilities.
P.S.: I tried to go in and change my password so you could work on my site and I kept getting the fatal error message.
I am very frustrated & slighted by these hackers. My site is so small why would they bother?
I look forward to hearing from you.
Best regards,
denise Hoopes
Great advice Neil. Thanks!
It’s important to remove the brackets from your domain name when doing the search. Otherwise it comes up “nothing found” and you might think your site is ok when it’s not.
Good point scott, for example the search for wpdude.com would be
site:wpdude.com viagra
Neil
As ever you are the WP Master.
thanks for the heads up on this issue. You are right, if those guys would spend half as much doing something creative and worthwhile, they would make a ton of money AND not have to burn a few lifetimes of karma away in SPAMMER HELL!
Michael,
I second & third your comment. I have heard that SPAMMER HELL is constantly expanding to make more room these days, as the no vacancy sign keeps getting in the way of “their” business. Ahh destiny, I’m glad I’m in control of mine. Good Point & Reminder.
Hello there, I discovered your blog through Google although looking for initial help for a coronary heart attack as well as your post
looks very interesting for me.
Good afternoon.
I have my site affected me know if you can help me, until I could not fix the problem.
Please inform me via e-mail instructions and the cost of their service.
Thank you.
Comments are closed.