Due to the open nature of the WordPress platform, it is often a target for hackers. This article will explain a common hack (attack) on your WordPress websites and how to fix and prevent it :). I will be describing how to go about “Fixing WordPress Pharma Hack”.

I got contacted by my client, who complained that when she googles her website, advertisements for drugs with mentions of “Viagra” and “Cialis” show up. She has an e-commerce website for Modern Shoes. It does not make any sense.

I had a good idea that her site had been compromised. It is pretty challenging to figure out what happened and how. After extensive research on “Fixing WordPress Pharma Hack” I came up with a solution.

Special thanks to the post by “Sucuri”. It really explains it and how to fix it in a very professional way. I highly recommend reading the post. I will explain how I found the issue and how I fixed it in my particular scenario.

Pharma Hack

As with most other things, I will be explaining “Fixing WordPress Pharma Hack” in FAQ style. I like that 🙂

What is a WordPress Pharma Hack ?

It is a combination of two things. The malicious code usually resides in some infected files on your hosting account. The data that gets displayed on your site or is visible to Googlebot (the bad content and the links to buy drugs online) actually resides in the WordPress database.

Where do I find the malicious files ?

The usual suspect is the “plugins” directory. Hackers running this particular attack like to hide their infected scripts as PHP files inside the folder of some active plugin. Look for “odd” file names. The “uploads” directory is also a common place for these. As Sucuri points out, some examples are:

wp-content/uploads/.*php (random PHP name file)
wp-includes/images/smilies/icon_smile_old.php.xl
wp-includes/wp-db-class.php
wp-includes/images/wp-img.php

Note: You should scan all your php files and look to know actually the code is
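The locations listed above can be checked from a shell on the hosting account. The script below is an added example, not code from the original article or from Sucuri; the function name scan_wp and the rule labels are made up for illustration, and it assumes shell access and a find that supports -iname.

```shell
#!/bin/sh
# Added example: flags files matching the hiding places the article lists.
# Output is one "rule<TAB>path" line per hit; every hit needs manual review.
# Usage: sh scan_wp.sh /path/to/wordpress   (script name is hypothetical)

scan_wp() {
    root=${1:-.}

    # Rule 1: PHP under uploads. Media uploads are not normally PHP.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f -iname '*.php' \
            -exec printf 'uploads-php\t%s\n' {} \;
    fi

    # Rule 2: ".php" followed by another extension, anywhere in the tree
    # (the article's example: icon_smile_old.php.xl).
    find "$root" -type f -iname '*.php.*' \
        -exec printf 'php-double-ext\t%s\n' {} \;

    # Rule 3: PHP inside the core image directory (the article's example:
    # wp-includes/images/wp-img.php). Assumption: a clean install keeps
    # only image files there.
    if [ -d "$root/wp-includes/images" ]; then
        find "$root/wp-includes/images" -type f -iname '*.php' \
            -exec printf 'images-php\t%s\n' {} \;
    fi

    # Rule 4: exact file name taken from the article's list.
    if [ -f "$root/wp-includes/wp-db-class.php" ]; then
        printf 'listed-name\t%s\n' "$root/wp-includes/wp-db-class.php"
    fi
    return 0
}

# Run only when a WordPress root is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_wp "$1"
fi
```

A hit is a lead, not proof: open each flagged file and read the code before deleting anything.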

[ Update: I got contacted by another client with an affected website, and I found that deactivating the “Akismet” plugin resolved the issue. What this means is that the malicious code resided in some sub-directory located under the “Akismet” plugin. I recommend that you remove any plugins that you do not use and delete them from your WordPress installation. It might not resolve the WordPress pharma hack, but it can only help your website in terms of speed and efficiency. Many of these get installed by the hosting provider installers and don't buy you anything necessarily. So a quick lesson learned in Fixing WordPress Pharma Hack is to “Deactivate all plugins”, log out, reload the website and see if the problem content is there or not. ]

How to find the data in the database ?

The target is the “wp_options” table in the MySQL WordPress database. Look for “phpMyAdmin” under your hosting account applications and log in. The credentials to log in should be in the “wp-config.php” file in the root of the WordPress install. Search the “option_value” column for the spam text that shows up. Also try a word spelled backwards; this is a very common practice by hackers. For example, try “argaiv”.
Fixing WordPress Pharma Hack requires that you delete this option or any malicious option value that you find. Removing malicious data does not mean that you have removed the backdoor.

Note: Make sure your database is backed up before you tinker with it.

What do I do to prevent hacks in my WordPress Site ?

HARDEN YOUR WORDPRESS SITE !!!!
Some resources and important links on how to harden it are below:

Hardening_WordPress

If you are attacked and need professional help, contact us today and we will provide professional assistance at the most affordable rate there is. No FIX No CHARGE !!