Themergency fooplugins.com

Diagnose, Fix and Prevent WordPress Pharma Hack


It Sucks To Be Hacked!

Last week, I noticed that the traffic on one of my sites was considerably down. Putting it down to my not posting enough, I left it for a few days, but then I noticed that it sank even further. After a little bit of digging and self-googling, I noticed that all the titles in my search rankings on Google were completely poked. Suddenly, according to Google, I was selling dodgy pharmaceuticals! I then realised that I had fallen victim to the infamous WordPress Pharma Hack!

Diagnosis

The easiest way to determine if your site is infected is to Google it. As you can see in the image above, do a search for site:YOUR-DOMAIN.com, e.g. site:themergency.com. If you see anything dodgy, then sorry, but you have been hacked. Another good check to see if your site is “infected” with this hack is to go to http://www.submitexpress.com/analyzer/. Enter your site’s URL and see if any weird pharmaceutical-related keywords pop up.

What The Pharma Hack Does

How the hacker actually gets access to your site’s file system is a mystery to me. However, they then place rogue files on the server (usually within and around your plugin files). These rogue files write DB entries to the WordPress options table, which in turn cause your post titles to include info about dodgy pharmaceuticals. The rogue files usually contain obfuscated code, so you cannot see what it is doing. However, the guys at sucuri.net have decoded one such file and posted it for us all to check out. So no visible damage is actually done to your site, as everything looks normal to your visitors and to yourself. But it really messes with your SEO, and I can tell you from experience that your site’s traffic drops dramatically.
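Because the hack lives partly in the options table, one useful check is to pull every row out of wp_options and flag the ones that hold encoded blobs, PHP code or pharma keywords. The script below is an added example, not code from the post or from Sucuri; the sample rows, the option names in them and the keyword list are constructed for the example, and in practice the rows would come from `SELECT option_name, option_value FROM wp_options`.

```python
import base64
import re

# Constructed sample of wp_options rows, in the shape returned by
#   SELECT option_name, option_value FROM wp_options;
# The two "infected" rows are made up for this example; real names and payloads vary.
SAMPLE_ROWS = [
    ("blogname", "My Honest Blog"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("rss_a1b2c3", base64.b64encode(b"<?php eval(base64_decode($x)); ?>").decode()),
    ("wpseo_cache", base64.b64encode(b"Buy cheap viagra cialis online").decode()),
]

PHARMA_TERMS = ("viagra", "cialis", "lipitor", "pharmacy", "medication")
PHP_MARKERS = ("<?php", "eval(", "base64_decode(", "gzinflate(", "str_rot13(")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")  # value is nothing but base64 text


def decode_if_base64(value):
    """Return the decoded text for a base64-only value, else None."""
    if not B64_BLOB.match(value):
        return None
    try:
        return base64.b64decode(value).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return None


def suspicious_reasons(value):
    """List the reasons an option value deserves a manual look."""
    reasons = set()
    texts = [value]
    decoded = decode_if_base64(value)
    if decoded is not None:
        reasons.add("base64 blob")
        texts.append(decoded)  # check the decoded payload as well as the raw value
    for text in texts:
        low = text.lower()
        if any(marker in low for marker in PHP_MARKERS):
            reasons.add("php code")
        if any(term in low for term in PHARMA_TERMS):
            reasons.add("pharma keyword")
    return sorted(reasons)


def scan_options(rows):
    """Map option_name -> reasons for every row that looks suspicious."""
    findings = {}
    for name, value in rows:
        reasons = suspicious_reasons(value)
        if reasons:
            findings[name] = reasons
    return findings
```

Anything it flags still needs a human to read it: legitimate plugins also store serialized and encoded data in wp_options, so treat the output as a shortlist, not a verdict.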

Fixing The Hack

The WordPress codex has some helpful documentation on what to do when your blog gets hacked. I recommend you read that first. I also came across some really helpful articles, some of which had step-by-step instructions on how to sort out the issue. You will need a bit of knowledge about WordPress, and access to your DB obviously. Here they are:

Preventing The Pharma Hack in 3 Steps

After you have found the root cause and removed it, it’s time to tighten up so it doesn’t happen again. Here is a simple 3 step guide to prevent your site from falling victim:

  1. Harden your blog the f#%k up!
  2. Set permissions of all files to 644 and folders to 755.
  3. Install plugins to alert you (see below).
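Steps 2 and 3 can be done by hand from the command line. The script below is an added example, not code from the post or from any of the plugins listed: it applies the 644/755 permissions across the install and builds a SHA-256 manifest of every file that can be diffed later, which is the job the file-monitor plugins do for you. The WordPress root path in the main block is an assumption.

```python
import hashlib
import json
import os
import stat


# Step 2 of the guide: 0755 for directories, 0644 for files, across the
# whole install. Run as the file owner; symlinks are left alone.
def _set_mode(path, mode):
    if os.path.islink(path) or stat.S_IMODE(os.lstat(path).st_mode) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def harden_permissions(root):
    """Apply 755/644 under root; returns how many entries were changed."""
    changed = _set_mode(root, 0o755)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            changed += _set_mode(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            changed += _set_mode(os.path.join(dirpath, f), 0o644)
    return changed


# Step 3, done by hand instead of a file-monitor plugin: record a SHA-256
# for every file, keep the manifest off the server, and diff against it later.
def build_manifest(root):
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(old, new):
    """Report files added, removed or modified since the old manifest."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


if __name__ == "__main__":
    root = "/var/www/html"  # assumed WordPress root; adjust to your install
    print("changed", harden_permissions(root), "entries")
    with open("wp-manifest.json", "w") as fh:
        json.dump(build_manifest(root), fh, indent=1)
```

Re-run build_manifest after every legitimate update so the baseline stays current; an unexpected "added" file under wp-content/plugins is exactly the kind of rogue file the post describes.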

I installed a couple of plugins, some of which monitor my WordPress files and alert me of any changes, and others that scan my blog for any security holes. Some plugins to check out are:

  • WordPress File Monitor - Monitor files under your WordPress installation for changes. When a change occurs, be notified via email.
  • WP-MalWatch - WP-MalWatch is a WordPress security plugin that performs a nightly scan of your WordPress blog looking for evidence of malware.
  • TAC (Theme Authenticity Checker) - Scan all of your theme files for potentially malicious or unwanted code.
  • Audit Trail - Audit Trail is a plugin to keep track of what is going on inside your blog by monitoring administration functions. It does this by recording certain actions (such as who logged in and when) and storing this information in the form of a log.
  • WP Secure - WordPress Security Plugin – Perform over 23 Basic Security Activities for your blog and get a free malware scan at the same time!

Time to Recover

Once you have done all the above, and completely removed the hack, you need to get Google to re-crawl your site. You can do this easily enough using Google Webmaster Tools. My hacked site is slowly but surely coming right again, but I can honestly say, this has caused more damage than good :( Prevention is definitely the best option here!

Backup, Backup, Backup

Please backup regularly, so that if you get hit by this hack, then it is a breeze to restore to a healthy version of your site. I came across a really cool plugin the other day called BackWPup, which allows you to backup the entire contents of your WordPress install, including the database. It also allows you to backup to Dropbox, which is really handy! There are plenty of plugins out there to do WordPress backups, so take your pick.

Finally

If you need a hand cleaning out the Pharma hack from your site, or you have managed to get rid of it, please leave a comment below, so we can all learn from this, and hopefully prevent attacks like this in future.

Other Links

Prevoty

Many of these assaults are the result of hackers injecting malicious code into your comment boxes and form fields. So it's important to secure your WordPress blog and the vulnerable holes in your themes from these content injections.

The best way to deal with these attack vectors is to prevent them from happening in the first place. Recognizing this problem, we created a plugin that takes the guesswork out of content security!

SmartFilter is a free, cloud-based plugin that acts as a preview layer to sanitize and validate ALL incoming content for you. It doesn't rely on blacklists or past definitions and has the same technology we use to protect large enterprise sites.

Try it out at http://wordpress.org/plugins/smartfilter/ and let us know what you think!

Pewit

We had problems with the Pharma hack and although we thought it had been removed, it kept coming back and affecting our page ranking.

However, I found the Anti-Malware Plugin by GOTMLS.NET which scans for malware AND removes them and the developer, Eli, is really helpful too.

Hunwa

Thank you so much for the suggestion, I am signing up now :)

Hunwa

Hi there! The process of fixing these problems is beyond me; any suggestions on anyone I can pay to fix them for me?

Thanks

Ben

Rouge or Rogue?

Adam W. Warner

Thanks for posting this, it's very timely as I've been dealing with a site hack for a client for a few days now. This one in particular created code that injected into the functions.php files of themes (if they had them) and seemed to be creating hidden links to theme sites and herpes sites...it's been really fun tracking it down and fixing :)

themergency (moderator)

@Hunwa check out http://sucuri.net/ - there is a tool on their site to scan your site for any suspicious activity. You can also pay them to clean your site for you.

Brad

definitely ROGUE

thanks Ben, I have updated the post and removed all makeup :)

OccultSection

@Adam W. Warner I have checked my function.php code but can't seem to find anything amiss. Do you know which line of code is affected? Thanks!

253davidstevens

@themergency @Hunwa sucuri.net's site scan will not help with the Pharma Hack. I have tested it with dozens of sites with the Pharma Hack and it fails to detect it. The reason it fails is that it looks toward the site for spammy words instead of looking for spammy words in the links to the site. Fortunately there is an easy way around this. Do a search for "site: yoursite,c0m medication or viagra". You can add as many "or lipitor" or other drug names as you want just to be sure.

This hack is on its way to hack heaven (or hell). It is just a matter of time. It cannot hide and as soon as the right person with the right skills who wants to make life a little more difficult for hackers catches on, it is dead meat.

Now, would someone please tell me why it has survived for 7-8 years?