The internet hosts some 1.2 billion websites. And a cyber attack takes place in every 39 seconds. Common cyber crimes include pharma hacks, SQL injection, file Inclusion, and arbitrary code execution, brute force attacks, DDoS attacks among others. Pharma hacks are notorious for crippling a website. In this post, we’ll endeavour to understand pharma hacks and how to clean them.

What is a WordPress pharma hack?

There are several drugs (like Viagra, Nexium, Cialis, etc.) that are banned from being promoted or sold on the internet. Drug controlling boards across the world argue that the side effects of the said drugs are detrimental to health. Hence they try to regulate the sales of these drugs. To overcome this hurdle, vendors resort to illegal methods to promote or sell their drugs. They hack high ranking pages of websites and insert ads and spammy links to vendor sites selling banned drugs. They exploit website search engine ranking and discreetly send your visitors to their site. Riding on the back of your reputation, they try to sell the drugs. Needless to say, pharma hack has a devastating effect on your site’s ranking as well as reputation.  

But as harmful as pharma hacks are, detecting them is really tough.

Why are pharma hacks difficult to detect?

It’s hard to spot a pharma hack because the hack is not visible on the website. In fact, even scanning the HTML source code may not reveal the hack. The Pharma hack is only visible to search engines. When someone runs a search query ‘viagra’ on Google, your website may appear on the search engine if it’s a victim of pharma hack. The title, as well as the meta description of your site, would display the names of the banned drugs.

Take a look at the image below. Against the search query “order amoxicillin online no prescription needed,” a set of websites come up (like blog.raileurope.com and creativecities.org.uk) that are not associated with the query.

Order Amoxicilin Online No Prescription Needed Google Search and Query Results

Pharma hack is hard to identify even when you go about looking for the hacked files. One seemingly easy way of identifying the hack files is to search for unknown files in the Upload, Plugins or Themes folders (a common place to hide a hack). However, it is not a fool-proof way. Hackers are smart these days. Common trick hackers often pull is changing the name of the file to make it look legitimate. For instance, suppose you are using the Akismet plugin on your site. Hackers may rename the hacked file to “akismet.gif” to make it look like it’s part of the plugin. This would cause the user to overlook it, thereby it goes undetected.

Effects of pharma hacks on the website?

Pharma hacks have several adverse effects on your WordPress website.

For one, it messes up the SEO. You start ranking for keywords you don’t want to rank for. And your ranking for the ones that matter goes down. You lose your target audience because your ranked pages are targeting a different audience! Anyone who understands  SEO knows how much time and effort it takes to rank your website on the search engines. All the effort and time invested in getting your website to rank well on search engines goes down the drain because of pharma hacks.,

Now that you understand the ramifications of a pharma hack, let’s understand how pharma hacks are executed. A Pharma hack is carried out using Black Hat SEO techniques. In this technique, the hacker exploits a vulnerability in your website to break into your website. It messes up the SEO that enables you to rank your website on search engines like Google, or Bing. Good SEO practices involve writing good content – content that is useful to the reader, one that addresses his pain points.. And bad SEO practices are like cheat sheets, used only to rank and draw traffic. And as is obvious, Pharma hacking is associated with bad SEO spam practices.

When search engines like Google find out that your website is following bad SEO practices ranking illegal drugs, they suspend your site.

Now that you know what devastating effects a pharma hack can have on your website let’s discuss how to clean them.

How to clean a WordPress pharma hack?

There are two ways of cleaning a pharma hack: manually and using automated tool/service. Let’s take a look at both the methods.

Cleaning WordPress pharma hack manually:

NOTE: For manual cleaning, you will have to access File Manager and the Database. Not just that, you would need to delete certain files as well. This is a risky business. We suggest that if you don’t have experience handling the File Manager and the Database, skip manual cleaning and go for cleaning with automated tools and services. And even if you do have experience with WordPress Database and File Manager, we’d suggest you take backups before making any modifications in them.  

Manually cleaning a pharma hack in WordPress involves two steps:

  1. Remove malicious files from the plugin directory
  2. Remove malicious entries from the database

Let’s get started:

1. Remove malicious files from the plugin directory

Here we’ll do two things. Firstly we’ll find the malicious files and then delete them.

To find the malicious files, log in to your web host and from the cPanel select File Manager.

file manager in web host

The File Manager will open, and it’ll look like this (see image below):

WordPress file manager options

On the left side of the File Manager, there’s a dropdown menu. From the menu choose the folder public_html.

As soon as you select the folder, it will expand and you’ll see three more subfolders named wp-admin, wp-content, and wp-includes.

WordPress public html

Now, select wp-content. It’ll expand, and a few more subfolders will appear. You’ll notice a subfolder called Plugin. In this folder, you’ll find all your WordPress plugins that are installed on your website.

plugin subfolder in file manager

Check each and every WordPress plugin folder for any unknown or strange folders. The reason we selected the Plugin folder is that hackers often store hacked files in this specific folder. The Plugin folder is writable which means hackers can upload files into them.

To identify the malicious files, you’ll first have to learn what files a specific plugin has. Then match those files with the one present on your plugin folder. If you find that the plugin folder has files that shouldn’t be there, then it’s likely that the file is malicious, the result of pharma hack.

NOTE: Make sure that your viewing options are set to Show Hidden Files. If not then go back to the cPanel, and click on File Manager. A popup will appear where you’ll have to select ‘Show Hidden Files.’

file manager show hidden files option

When you do find malicious files, remove them. Right-Click and then select Delete.

After deleting the malicious files, you’ll also need to delete the corresponding database entries.

2. Remove malicious entries from the database

Log in to your web host and from the cPanel select phpMyAdmin. The Database will open, and it’ll look like this (see image below):

WordPress database table preview

In the database, select the wp_options table. It will allow you to browse through the table content. In the table, you’ll need to search for the following database entries and delete them:

class_generic_support

wp_check_hash

ftp_credentials

widget_generic_support

fwp

rss_% (Delete all matches to rss_ expect, rss_excerpt_length, and rss_language)

And that’s it. And that’s it. That’s how you remove the WordPress pharma hack. Your website is now hack-free.

Cleaning WordPress pharma hack using an automated tool or service:

Manual cleaning requires you to have a basic understanding of the files and database of a WordPress site. And even then, modifying files and database is risky and we’d suggest that a well-experienced developer is involved in the process.

For someone without any technical knowledge, auto cleaning or employing a service to clean your site is a safer option. Let’s take a good look at the options. In the end, you can make up your mind on what kind of service you’ll choose to clean your site.

One-Click Automated Cleaning:

Generally, cleaning of hacked sites is handled by security personnel. You buy a plan, raise a ticket, give access to the security personnel and wait for him/her to clean the website malware. A major problem with this is that a delay, as we spoke earlier, could cause site suspension and could get you blacklisted by Google. But what if you could clean the website on your own as soon as you are informed of the hack. To fast-track the cleaning process, MalCare Security Service has come up with an automated cleaning service. All you need to do is click a button, and within a few minutes, your website is clean.

When you are using an automated tool like MalCare, there is no need to share your SFTP details with an outsider. Moreover, it’s not a one-time payment, one-time cleanup service. Hence, you can clean your site over and over again without any having to pay anything extra. 

One-Time Cleanup Service:

There are several WordPress security services (like Wordfence Security Services) that offer a one-time cleanup service. You pay a one-time fee, and their security personnel does a clean up of your hacked website.

However, there are two problems associated with one-time malware cleanups. Firstly, if your site gets infected again, you’ll end up paying again. If your site is being hacked over and over, then shelling out money for one-time clean up will become expensive. And secondly, the turnaround time for these one-time cleanups are long. Delaying the cleanup process could have disastrous impacts – search engines may blacklist your site and web hosts may suspend them!

Different Levels of Cleanups Services:

Some website security services like Sucuri offer different plans for cleaning hacked websites. And the turnaround time depends on the plan that you buy. If you want to clean your website fast, then buy the expensive emergency plan. With Sucuri, depending on the plan you choose, you can expect your website to be malware free within 30 minutes to 12 hours. A security person will need to access your website and require your SFTP details.

If your website is getting malware infected over and over again, you can opt for Sucuri’s year-long plan. Within a year, no matter how many times your website is hacked, they’ll clean it. If you are facing repeated hacks, then it’s better to opt for this plan than go for one-time cleanups.

That said if your site is being hacked over and over again, cleaning it repeatedly is not a solution. You’ll have to prevent repeated hacks.

How to prevent pharma hacks in the future?

Fix the vulnerability:

Outdated plugin and themes are a leading cause for hacked websites. Like any other software, plugins and themes develop vulnerabilities over time. When this happens, the makers of the theme/plugin quickly release an update to patch the vulnerability. In WordPress, there is no default setting to automate updates. Hence updating the plugins and themes are left to users. When users fail to update their plugins and themes, the hacker takes advantage of such carelessness and hack into the site.

Right after you clean your website, make sure you update all your WordPress themes and plugins. Learn more on why updates are important and how to automate updates.

update oudated plugins

After hacking into any website, the hacker would generally leave behind a hidden backdoor inside the website. Through this backdoor, they can access the site even when the vulnerability is taken care of. But a good cleanup service or tool would remove hidden backdoors.

Harden your website:

WordPress recommends you take steps to harden your website against future hack attempts. To harden a website you need to implement the following actions:

  • Change all passwords which include WordPress user and database passwords as well as FTP accounts.
  • Change WordPress secret key which will invalidate current sessions and force users to log in again. This way, if hackers are logged in, they’ll be instantly logged out.
  • Limit user privilege. The admin has complete control over the entire website. Don’t make everyone an admin. Assign user roles based on how much you can trust the person and what functions s/he wants to perform.
  • Change permission of files and folders. It’s a good practice to make them read-only unless you require to modify them. Making the files reads only will stop hackers from uploading files in certain folders.

For an advanced user implementing this site, hardening measures would be easy. But for beginners, it’ll be more convenient if they were using services like MalCare, that allows users to harden their site with the click of a button.

Use a security plugin:

“Some of us in security are seeing content injections like a unique pharma spam link or content injection malicious code on each post and page. I’ll encourage users to add a strong firewall with your security plugin. Most of the great ones do cost, but the investment is worth it.” – Nile Flores, WordPress Designer & Developer

The primary objective of a security plugin is to protect a website from hack attempts. These will scan your site daily, remove website infection, enable the website firewall, harden the security, and provide you support in times of crisis. There are many security plugins out there. With the overwhelming number of choices involved, it is really no wonder that people end up without any security plugins in times of crisis. To make it easy for you we’ve compared the top WordPress security plugins. You might want to take a look at it.

That brings us to the end of this pharma hack removal guide.

Conclusion

For a website owner, there can be nothing more harrowing than falling victim to a pharma hack. We hope the article helps you clean your site and enables you to protect it from future attacks.

 

No need to wait for hours & days to clean a pharma hack

Clean Site Right Away!


Tweet