I’ve been called in a couple of times recently by clients to fix hacked sites. What makes it worse is that they were victims of a very pernicious attack know as the Pharma Hack.
I want to make you aware of this hack and give you tools to find if you are a victim and how to fix it.
What Is The Pharma Hack
When your site is infected with this hack, you will be inadvertently giving links to Pharma sites selling Viagra and Cialis and other disco drugs. Not the most professional thing for people to see in Google linked to your site.
The hack is a black hat SEO attack, these people are trying to increase links to their site for the keywords viagra, cialis et al.
Your post descriptions in Google will contain references to drugs rather the the real title you set for you post.
Why Is It So Tricky
It cloaks itself from the site owner very carefully, unless you regularly check your site’s index on google you will not see the effect of this hack, to the site owner it looks very much like business as usual.
It searches for your most high ranking pages and only links from them. It selectively decides which pages to infect, why bother with low ranking posts!!
It has many layers and if one is compromised, the others enable the “hack owners ” to re-actiave the scripts on your site. It infects the following layers
- WordPress core files
- Plugins
- Uplaods direcotry
- Databse wp-options table
This is cunning coding, if these people put this type of skill into useful projects they would make a million.
Identifying If You’ve Been Attacked
The quickest way is to run a check on your site to see if you have been infected, is to check on your site’s index in Google. Run the following search in Google:
site:{yourdomain.com} viagra
If you see unusual meta descriptions in Google linked to legitimate blog posts then you have probably been hacked.
What Can You Do?
There is a very detailed fix supplied by Securi.net, but in essence you need t:
- Clean up WordPress
- Clean up your plugins
- Clean up your uploads directory
- Edit your database to remove rogue entries
All of this is pretty technical stuff, you need to understand how WordPress works at a pretty low level to fix this, miss just one infected component and your site will be re-infected.
UPDATE: Dec 2011
I’ve written a follow up post on cleaning up your index in Google after the hack Refreshing The Google Index After Pharma Hack
Need More Help Fixing Your Hacked Site?
I’ve create a WordPress Hack Recovery Course