Themergency
hacked

Diagnose, Fix and Prevent WordPress Pharma Hack

April 14, 2011 by marc | 7 Comments

It Sucks To Be Hacked!

Last week, I noticed that the traffic on one of my sites was considerabily down. Putting it down to my not posting enough, I left it for a few days, but then I noticed that it sank even further. After a little bit of digging and self googling, I noticed that all the titles in my search rankings on Google were completely poked. Suddenly, according to Google, I was selling dodgy pharmaceuticals! I then realised that I had fallen victim to the infamous WordPress Pharma Hack!

Diagnosis

The easiest way to determine if your site is infected is to Google it. As you can see in the image above, do a search for site:YOUR-DOMAIN.com e.g. site:themergency.com. If you see anything dodgy, then sorry, but you have been hacked. Another good check to see if your site is “infected” with this hack, is to goto http://www.submitexpress.com/analyzer/. Enter in your site’s URL and see if any weird pharmaceutical related keywords popup.

What The Pharma Hack Does

How the hacker actually gets access to your sites’s file system is a mystery to me. However, they then place rogue files on the server (usually within and around your plugin files). These rogue files write DB entries to the WordPress options table, which in turn, cause your post titles to include info about dodgy pharmaceuticals. The rogue files usually contain obfuscated code, so you cannot see what it is doing. However the guys at securi.net have decoded one such file and posted it for us all to check out. So no visible damage is actually done to your site, as everything looks normal to your visitors and to yourself. But it really messes with your SEO, and I can tell you from experience, that your site’s traffic drops dramatically.

Fixing The Hack

The WordPress codex has some helpful documentation on what to do when your blog gets hacked. I recommend you read that first. I also came across some really helpful articles, some of which, had step by step instructions on how to sort out the issue. You will need a bit of knowledge about WordPress, and access to your DB obviously. Here they are:

Preventing The Pharma Hack in 3 Steps

After you have found the root cause and removed it, it’s time to tighten up so it doesn’t happen again. Here is a simple 3 step guide to prevent your site from falling victim:

  1. Harden your blog the f#%k up!
  2. Set permissions of all files to 644 and folders to 755.
  3. Install plugins to alert you (see below).

I installed a couple of plugins, some of which monitor my WordPress files and alert me of any changes, and others that scan my blog for any security holes. Some plugins to check out are:

  • WordPress File Monitor - Monitor files under your WordPress installation for changes. When a change occurs, be notified via email.
  • WP-MalWatch - WP-MalWatch is a WordPress security plugin that performs a nightly scan of your WordPress blog looking for evidence of malware.
  • TAC (Theme Authenticity Checker) - Scan all of your theme files for potentially malicious or unwanted code.
  • Audit Trail - Audit Trail is a plugin to keep track of what is going on inside your blog by monitoring administration functions. It does this by recording certain actions (such as who logged in and when) and storing this information in the form of a log.
  • WP Secure - WordPress Security Plugin – Perform over 23 Basic Security Activities for your blog and get a free malware scan at the same time!

Time to Recover

Once you have done all the above, and completely removed the hack, you need to get Google to re-crawl your site. You can do this easily enough using Google Webmaster Tools. My hacked site is slowly but surely coming right again, but I can honestly say, this has caused more damage than good :( Prevention is definitely the best option here!

Backup, Backup, Backup

Please backup regularly, so that if you get hit by this hack, then it is a breeze to restore to a healthy version of your site. I came across a really cool plugin the other day called BackWPup, which allows you to backup the entire contents of your WordPress install, including the database. It also allows you to backup to Dropbox, which is really handy! There are plenty of plugins out there to do WordPress backups, so take your pick.

Finally

If you need a hand cleaning out the Pharma hack from your site, or you have managed to get rid of it, please leave a comment below, so we can all learn from this, and hopefully prevent attacks like this in future.

Other Links

Post comment as
twitter logo facebook logo
Sort: Newest | Oldest
Pewit 5 pts

We had problems with the Pharma hack and although we thought it had been removed, it kept coming back and affecting our page ranking.

 

However, I found the Anti-Malware Plugin by at GOTMLS.NET which scans for malware AND removes them and the developer, Eli,  is really helpful too.

share
  • spam
  • offensive
  • disagree
  • off topic
 Like
Hunwa 5 pts

Thank you so much for the suggestion, I am signing up now :)

 

share
  • spam
  • offensive
  • disagree
  • off topic
 Like
Hunwa 5 pts

HI there! The process in fixing these problems is beyond me, any suggestions on anyone I can pay to fix them for me?

 

Thanks

 

share
  • spam
  • offensive
  • disagree
  • off topic
 Like
themergency 10 pts moderator

 Hunwa check out http://sucuri.net/ - there is a tool on their site to scan your site for any suspicious activity. You can also pay them to clean your site for you

share
  • spam
  • offensive
  • disagree
  • off topic
 Like

definately ROGUE

thanks Ben, I have updated the post and removed all makeup :)

share
  • spam
  • offensive
  • disagree
  • off topic
 Like

Thanks for posting this, it's very timely as I've been dealing with a site hack for a client for a few days now. This one in particular created code that injected into the functions.php files of themes (if they had them) and seemed to be creating hidden links to theme sites and herpes sites...it's been really fun tracking it down and fixing :)

share
  • spam
  • offensive
  • disagree
  • off topic
 Like