There is nothing more frustrating than finding out that your website is hacked. The important thing is to stay calm. We know how to resolve a pharma hack attack and we can show you how to do it for your WordPress website.

That said, manually removing the WordPress Pharma hack is a complicated and time-consuming process. We recommend using a malware removal plugin that’ll clean your website in a jiffy. 

In this article, you’ll learn not just how to fix the WordPress Viagra hack on your website but also how exactly was your site hacked and what do the hackers want from you. 

TL;DR: To quickly remove the pharma hack in WordPress, you need to install a security plugin like MalCare. It’s the only security plugin that cleans websites within minutes. All you need to do is click a button.

What is a pharma hack?

Pharma hack, also known as Google Viagra hack, is a type of SEO spam attack, where a legitimate website is used to sell illicit drugs. In this type of attack, hackers hijack websites, injects site with malware like favicon.ico virus etc; and uses site to sell illicit drugs like Viagra, Cialis, and Levitra.

Selling these drugs (especially without a prescription) is illegal. That’s why hackers use your websites like parasites, to feed off your resources to sell illegal drugs.

No, selling illegal drugs is a highly profitable and competitive business. Sellers are always looking to boost their website ranking via SEO tactics like building links from good websites. Your website happens to be one good website.

Unfortunately, Google will blacklist your website if they find spam links where you are linking to malicious sites selling illegal pharmaceutical drugs. And that’s just one of the many terrible consequences of the conditional pharma hack. 

Learn more about the impact of pharma hack.

How to detect WordPress Pharma Hack? 

Chances are, you found an issue with your website, and a little bit of Googling got you looking for pharma hacks. 

Often with such hacks, when you visit the website directly, everything will be normal. It’s highly likely that one of your customers pointed out that your site has some weird pop-ups that redirect to illegal drugs for no reason at all.

Another reason to be suspicious is if you see your site ranking for very weird keywords that have absolutely nothing to do with your industry. If that

Here are some good ways to check if you are indeed a victim of a pharma hack: 

• Google for your website + terms of banned drugs such as viagra or cialis
• Google for your website and visit your own site. If you get redirected to another site, you are infected by redirect hack, a form of WordPress pharma hack
• Sometimes these will only show up when you visit from a phone
• Inside Google Search Console
• Use fetch as Google
• Use a malware scanner

Of all these methods, using a malware scanner is by far the most practical and effective. We highly recommend that you do a server-level scan of your website for hidden malware.

But not all malware scanners are built equal. It’s quite likely that you already have a malware scanner installed on your website and the pharma hack still went undetected.

The reason behind this is quite simple – most malware scanners aren’t equipped to find malicious code. Instead, they look up signatures of popular malware on their database. A slight change in the malicious code can cause the malware to go completely undetected.

So, what can you do? 

Sign up for MalCare. MalCare operates on an AI that grows smarter from each hack it encounters. This means that MalCare sniffs out malicious code even if it’s completely unknown and then it prevents that hack across 250,000+ websites that it protects.

How to fix a pharma hack? 

There are 2 ways to fix WordPress Viagra hack:

1. Using a plugin (the easy way)
2. Scanning manually (the hard way)

Plugins are designed to make your life easier. But you’re welcome to try the hard way, if you like.  

1) Scan and clean conditional pharma hack using a plugin 

We recommend using MalCare to remove malware from your website.

MalCare scanner is designed to root out the most elusive hacks, and will succeed in discovering a hack where other security plugins will most likely fail.

The first scan takes a few minutes. The plugin is equipped with deep scanning technology which looks into every nook and corner of your website to find hidden and complex malware. 

Just sign up and MalCare will start scanning your website for malicious files instantly.

Next, you will need to clean your website. 

Removing malware with MalCare is the easiest way of cleaning a website. All you need to do is click a button – Autoclean.  

And that’s it. Your site will be malware-free in under 60 seconds.

Go on, try Autoclean. You can do so much more with the time and energy you save.

2) Scan and clean Google Viagra hack manually

Unlike a plugin, manual scanning is neither straightforward nor quick. 

We highly recommend that you avoid scanning manually, especially if you have no idea about WordPress, PHP, HTML, and Javascript. Just remember, this hack is hard for professionals to find. 

Even if you are a skilled developer, comfortable with the idea of rummaging around WordPress files and folders, it takes a long time to find pharma hacks. Unless you are willing to spend days, if not weeks, minutely examining each line of code on your website, avoid scanning manually. 

Whichever route you choose, remember to backup your website. Do not skip this step. No matter how skilled you are, WordPress websites are prone to crashing if you make a single mistake. For instance, installing an incorrect plugin version can cause your website to go into cardiac arrest. And it is just as much fun to experience. 

To find WordPress pharma hack, follow the steps below: 

Step 1: Download .php files

Pharma hacks are commonly found in .php files like: 

• index.php 
• footer.php 
• header.php

Here’s how to download them:

• Open your web host account and go to cPanel > File Manager > public_html > index.php. Right-click on the file and select Download.

• Go to cPanel > File Manager > public_html > Themes. Open the theme which is active on your site. Right-click on header.php and select the Download option. 

• Find the footer.php file in the same folder. Right-click and Download.

Step 2: Download the original copy of the .php files

The index.php file is part of the WordPress core files. You can get a copy from here. Just ensure that it’s the same version that is installed on your website. 

The footer.php and header.php files are part of your WordPress theme. 

If you have a free WordPress theme installed. You can download a copy from wordpress.org.

Paid theme users need to get a copy of their theme from the same marketplace where they purchased the theme.  

Step 3: Run a Diffchecker 

Next, open this URL, then upload both versions of each file manually to and run the diff check. 

If you find scripts that are not part of the original files, they are probably part of the hack. But we don’t recommend removing any code unless you’re absolutely sure that it’s malicious. 

In many cases, there are different versions of the WordPress core files for different languages. In other instances, free and pro versions of a plugin or a theme can have the same folder structure, but with vastly different code.

Some common functions found in malicious scripts are: 

• eval
• base64_decode
• gzinflate
• preg_replace
• str_rot13
• exec 
• system 
• assert 
• stripslashes 
• move_uploaded_file

The functions are not malicious by default. Many plugins use them for legitimate reasons. Moreover, the checker will take a while to produce the differences and the results are not always 100% correct.

Please be aware that diff checker is not a replacement for a malware scanner. What you are looking to do is identify hack scripts, through the process of elimination. It is certainly not the most efficient nor accurate means to do so, and comes with its share of associated risks.

So, if you remove snippets of codes based on the results of the diff checker, you could end up wrecking your website.

That said, if you’re extremely confident about the code being malicious, removing these snippets should remove the malware from your site.

A manual scan is not a reliable way of cleaning a hacked website. We recommend installing MalCare which will get the job done within minutes.

With that we have come to the end of WordPress pharma hack fix. But before you move on, we highly recommend that you look at the next section. 

Post-fixing measures

WordPress pharma hacks are often caused due to vulnerabilities in plugins and themes. If you don’t remove them, the hack will return for sure. Here’s what you need to do:

• Update your plugins and themes immediately
• Remove all nulled plugins and themes installed, even inactive ones
• Delete inactive plugins and themes even if they are not nulled 

Hackers tend to create rogue admins accounts to access your website after you have cleaned it. Find rogue admin accounts on your website and delete them.

These are only a few small security measures. For more comprehensive and enduring measures, we recommend reading our article on WordPress hardening. 

How to prevent the WordPress Pharma Hack in the future? 

Cleaning a hacked website once is hard enough. You need to be absolutely sure that you aren’t hacked again. 

The first step is to install a security plugin. Scanning is just the diagnostic phase, removal and prevention forms the crux of WordPress security. 

MalCare comes equipped with a firewall. No one can access your website without encountering the firewall. It can prevent a whole host of attacks such as:

• Brute force attacks.
• XML-RPC attacks.
• DDoS attacks.

Of course, a firewall won’t protect your site against every threat under the sun.

You should most definitely have a strong password at the very least.

MalCare will scan your website regularly. It’ll even check your plugins and themes for vulnerabilities. 

Learn more about MalCare’s best-in-class security features, and rest assured your website is in great hands. 

Impact of WordPress Viagra hack on your website

The consequences of a hack are ugly. You will experience some major backlash on your WordPress website such as: 

• A marked drop in search engine rankings for the keywords you’re targeting; 
• High bounce rates as visitors are redirected to different websites;
• Wasted SEO efforts in the future;
• Google blacklist warnings on your website like, this site may be hacked, deceptive site ahead etc;
• Web host suspensions;
• Email providers blacklisting your website;
• High cleanup, recovery, and damage control costs;
• A major decline in your brand’s image and reputation.

This is depressing.

Honestly, this can cripple your business in the long run and can cause significant short-term financial losses. The only way to get out from under this mess is to take security seriously.

If you’re sure that your website has been hacked, stop wasting time, and take action right now.

Final thoughts 

Now that you have cleaned your website, take some time to set up your security measures to prevent future hack attacks. 

After that, you can go back to growing your business. 

If you have any questions, shoot us an email. Our support team will get back to you in no time. 

FAQ