Finding out you have been hacked and your WordPress website now ranks for banned pharmaceutical products can be shocking. Since these kinds of hacks are well hidden, it becomes difficult to detect and clean website infections. However, it’s not impossible – it’s actually easier than you think.
In this article, we’ll show you how these hacks happen, how to get rid of them, and how to make sure they never happen again.
What is a WordPress Pharma Hack?
Hackers use vulnerabilities present on your site to hack it. Once they have access, they can carry out all sorts of malicious activities. A pharma hack is one such activity where they take advantage of your SEO efforts to sell/promote illegal drugs. They target all your ranked pages and then implement black hat SEO techniques to get them to rank for their products. This is why pharma hacks are sometimes called SEO spam hacks. It also goes by the name Google Viagra hack, since Viagra is a wildly popular drug sold online.
How do they run a pharma hack spam? When a hacker has access to your site, they can change its contents. In a pharma hack, they embed spammy links to nefarious sites, change the title of your pages, and even add new pages. Hackers infect WordPress websites cleverly with minimal disturbance so that their dirty business goes undetected for as long as it possibly can.
Why Are Pharma Hacks Difficult to Detect?
Many a time, hackers do not modify the content immediately after a hack. They often wait for months before defacing your site. They do this by installing backdoors to the site. In fact, we often see that Pharma hacks are coupled with backdoors and other malicious activities. There are three main reasons why these hacks are not easy to discover:
- Hackers usually target only high-ranking pages, ones that receive a lot of traffic, or ones that have high earning potential. The hack won’t be present across the website.
- The hack is not visible to you, the website owner. Nor is it visible to the visitors. It’s only visible to search engines like Google or Bing. When a person searches for those drugs, your website will show up.
- Malicious code is disguised and placed in the plugin folder and WordPress database.
To illustrate what a pharma hack looks like, we typed in “buy viagra, cialis or levitra online.” The websites that show up are not online pharmacies but rather belong to an NGO, an artist, and a hotel.
If we click one of these links in the search results, it takes us to a pharma company’s home page. However, if you visit the domain address directly, it displays the original home page.
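One way to check your own site for this behaviour, as an added example that is not part of the original article: request the same page as a direct visitor, as a click from a search result, and as a crawler, then compare what comes back. The header profiles, the keyword list and the sample HTML are assumptions constructed for illustration.

```python
import re
import urllib.request

SPAM_TERMS = ("viagra", "cialis", "levitra")  # terms from the article's search
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROFILES = {  # three views of the same URL
    "direct": {"User-Agent": BROWSER_UA},
    "search_click": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                              "+http://www.google.com/bot.html)"},
}

def fetch(url, profile):
    """Fetch your own page with one profile's headers (needs network access)."""
    req = urllib.request.Request(url, headers=PROFILES[profile])
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def page_facts(html):
    """Pull out the title, linked hosts and spam terms of one response."""
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    hosts = re.findall(r"""href=["']https?://([^/"'\s>]+)""", html, re.I)
    return {"title": title.group(1).strip() if title else "",
            "hosts": {h.lower() for h in hosts},
            "terms": {t for t in SPAM_TERMS if t in html.lower()}}

def cloaking_findings(direct_html, other_html):
    """Report what shows up only in the search-engine view of the page."""
    base, other = page_facts(direct_html), page_facts(other_html)
    return {"title_changed": base["title"] != other["title"],
            "new_hosts": sorted(other["hosts"] - base["hosts"]),
            "new_terms": sorted(other["terms"] - base["terms"])}

# Constructed sample responses (not captured from a real site).
DIRECT_HTML = ('<html><head><title>Seaside Hotel</title></head><body>'
               '<a href="https://hotel.example/rooms">Rooms</a></body></html>')
CRAWLER_HTML = ('<html><head><title>Buy Viagra Online</title></head><body>'
                '<a href="https://hotel.example/rooms">Rooms</a>'
                '<a href="http://pills.example/buy">cheap cialis</a></body></html>')

if __name__ == "__main__":
    print(cloaking_findings(DIRECT_HTML, CRAWLER_HTML))
    # Live use: cloaking_findings(fetch(url, "direct"), fetch(url, "crawler"))
```

A clean result does not rule out cloaking, because some cloaking code keys on the crawler's source IP address rather than on request headers.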
How to Detect a Pharma Hack?
If you can’t see the hack on your site, how do you know you’ve been hacked? Some key indicators are a sudden dip in traffic to your site for no apparent reason, or your site being removed from Google search results altogether. If you’re lucky, a good Samaritan who notices your website is ranking for these drugs might take the time to inform you about it. The next question is: how do you find the source of the pharma hack on a WordPress site?
Once you suspect a pharma hack, you can take two routes to detecting where it is located:
- The easy way – Using a security plugin
- The hard way – Manually
We recommend you save yourself the hassle and let a website security plugin do the hard work for you. When there are plugins that will run a malware scan for you free of cost, why waste time trying to find it yourself?
NOTE: Before you proceed to scan and clean your website, we recommend taking a backup. You can check our top 5 WordPress backup plugins to save time, as there are plenty of options and selecting a good one may be difficult.
1) Scan for a Pharma Hack using a Plugin
Security plugins take on the tasks of scanning, cleaning and protecting your website. There are plenty of security plugins available, the only main task ahead is to find the best one. To do this, you need to know how they work because not all of them function the same way.
The usual scanning method used by these plugins is called pattern or signature matching. It combs through your site and detects code that is already known to be malicious. The problem is that if the hacker is using new code or has disguised the code, the signature method will fail to find it. Furthermore, some legitimate files use the same code, so signature matching produces false positives while the actual hack goes undetected.
You need a scanner that’s smart enough to analyse the behaviour of the code and check for unusual activity. It needs to be able to carry out a deep scan to check every nook and corner, including hidden malicious files.
MalCare is one such WordPress security plugin that goes beyond signature matching and checks the behaviour of the code. It can identify whether the same patterns of code are legit or malicious. It also scans every single file of your website to make sure a hack is never missed.
Using the MalCare plugin is easy. You can start scanning your site for free by creating an account and installing the plugin on your site. It will then run a full scan to find any pharma hacks. Once complete, you’ll be notified that malware has been detected and you can then remove the WordPress pharma hack from your site.
2) Manual Scan for a Pharma Hack
Now, a manual scan of your Pharma Hacked website is time-consuming and technical. We would not advise tampering with the WordPress files and database on the backend if you have no clue what you’re doing.
If you are tech-savvy, you could attempt a manual scan of your website’s files. But these hacks are a bit tricky to find because hackers infect multiple places and disguise their malicious code. A pharma hack will primarily infect your WordPress plugins folder and your database. The hacked files will contain certain known PHP functions, so you can scan for keywords such as eval() and base64_decode() to find and clean the malware.
Here’s the catch! Hackers encode these functions backwards and store them as strings in the database. Another piece of code is inserted in the plugins folder, which pulls these strings from the database, rearranges them, and then executes the PHP function.
So trying to figure out the hack yourself may turn out to be unfruitful because they’re well hidden. Identifying and cleaning the hack manually takes a long time and even then it’s next to impossible to be 100% sure you’ve detected every infected file.
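The manual keyword scan described above, extended to the reversed spellings, as an added example that is not part of the original article. It assumes you have a copy of the plugins folder and an export of (option_name, option_value) rows from the database. The `strrev` hint and all sample data are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FUNCS = ("eval", "base64_decode")  # keywords the article says to search for
FORWARD = re.compile(r"\b(%s)\s*\(" % "|".join(FUNCS), re.I)
# The same names spelled backwards, as they would sit in a database string.
REVERSED = re.compile(r"(?<![A-Za-z0-9_])(%s)(?![A-Za-z0-9_])"
                      % "|".join(f[::-1] for f in FUNCS), re.I)
# Assumption: a strrev() call in plugin code is treated as a loader hint.
LOADER = re.compile(r"\bstrrev\s*\(", re.I)

def scan_text(text):
    """Return sorted findings such as 'call:eval' or 'reversed:base64_decode'."""
    hits = {"call:" + m.group(1).lower() for m in FORWARD.finditer(text)}
    hits |= {"reversed:" + m.group(1).lower()[::-1] for m in REVERSED.finditer(text)}
    if LOADER.search(text):
        hits.add("hint:strrev")
    return sorted(hits)

def scan_plugins(plugin_dir):
    """Scan every .php file under plugin_dir; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[path.relative_to(plugin_dir).as_posix()] = found
    return report

def scan_rows(rows):
    """Scan (option_name, option_value) pairs exported from the database."""
    return {name: scan_text(value) for name, value in rows if scan_text(value)}

def demo():
    """Run both scans over constructed sample data (not from a real site)."""
    rows = [("blogname", "Seaside Hotel"),
            ("rss_cache_tag", "edoced_46esab"),   # constructed: reversed name
            ("widget_meta", "lave")]              # constructed: reversed name
    with tempfile.TemporaryDirectory() as tmp:
        plug = Path(tmp) / "plugins" / "gallery"
        plug.mkdir(parents=True)
        (plug / "gallery.php").write_text("<?php echo esc_html($title);")
        (plug / "cache.php").write_text("<?php $fn = strrev(get_option('rss_cache_tag'));")
        return scan_plugins(Path(tmp) / "plugins"), scan_rows(rows)

if __name__ == "__main__":
    print(demo())
```

Hits are leads to review by hand, not verdicts: legitimate plugins also call these functions, and a string split into fragments will not match either pattern.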
How to Clean a WordPress Pharma Hack?
Here as well, you can choose a manual cleanup or use a security plugin. However, as we just explained how difficult it is to detect a hack, opting for a manual cleanup is just not good enough to be 100% sure you’re rid of it. There are three things you need to do:
- Clean the WordPress spam hack
- Identify the backdoor they used and get rid of it
- Find what’s causing the vulnerability in your site and fix it
To do this right and be completely hack-free, it’s best to use a plugin. Most WordPress security plugins require you to contact the support team and request for a clean up. The biggest problem with this is that you have to wait till they respond and get someone working on your site. The longer you wait, the bigger your problems get. If you have malware active on your site, you risk being suspended by your web host and even blacklisted by Google.
If you want to clean your site promptly, MalCare offers an ‘Auto Clean’ option which allows you to initiate the malware removal on your own. It takes only a few minutes to remove the malicious SEO spam along with any backdoors present.
How to prevent future pharma hacks?
While cleaning up the pharma hack fixes the problem at hand, it doesn’t guarantee that you won’t be hacked again. To prevent a hack from happening again, you need to understand why it happened in the first place. In the WordPress realm, websites are dependent on multiple elements – the core, plugins and themes. Hacks can happen for a number of reasons such as running on outdated software, using weak credentials, or installing free pirated software. Here are 5 key measures you must implement to keep your WordPress site protected:
1) Never use cracked versions of themes and plugins
While they may be free, these themes/plugins usually carry pre-installed malware and backdoors. By installing them on your site, you’re opening the door and inviting hackers in.
Always use trusted themes and plugins. You can find these in the WordPress repository. Check to see if it’s being updated regularly. This will indicate if the developer is keeping the software secure and up to date.
Also, delete inactive WordPress themes and plugins. Make sure you don’t have any unnecessary elements on your site. This is good for your website performance as well as security.
2) Keep your site updated
The WordPress core, themes and plugins receive updates regularly to add new features, fix bugs and patch up security flaws. When a security patch is released, it is made known to the public, so hackers are aware of which software has a vulnerability. They target the sites that are still running that particular version and can hack them easily.
By keeping your site updated, the risk of being hacked is nullified. Now we know when you have too many themes and plugins, updates can be a lot to handle on a regular basis. Check out this guide to safely updating your WordPress site. Another viable option is to get a WordPress Management Service to handle it for you.
3) Get a reliable hosting provider
It’s not very common but there are hosting providers that may not have ample security measures in place. Even among the ones that do, there have been instances where well-known hosting providers were hacked.
Before you choose a hosting service, make sure it is one that is trusted and consistent in keeping up with industry standards of quality and service. If you are currently on a host you do not trust, it may be time to migrate your site to a more reliable host.
4) Use strong credentials
If you use usernames like ‘admin’ and common passwords like your pet’s name or date of birth, it’s easy for hackers to figure out the combination using a method called brute force attacks. The chances of this are amplified when you have multiple people working on a website.
It’s recommended to use a combination of a phrase along with numerals and symbols. You also need to limit the number of people with admin controls. Only those who absolutely require admin controls should be granted access. The rest can be given permissions to be editor, author, contributor or subscriber. This way if hackers access their profiles, they will be limited in what they can do on your site.
5) Install a security plugin
A security plugin can drastically reduce the chances of ever getting hacked. It acts like a wall of defense against any form of malware. You need a plugin that will actively scan your site and clean it up if malware is ever found.
You’ll be alerted if there are any suspicious logins, it protects you from brute force attacks, and preemptively blocks malicious IPs from accessing your site. Be free from not just pharma hacks but any form of malware.
For a website owner, there can be nothing more harrowing than falling victim to a pharma hack. We hope the article helps you clean your site and enables you to protect it from future attacks.