The Pharma Hack is quite a subtle, clever hack which seems to affect WordPress and other CMS websites. The hackers gain access to your database through an old or compromised plugin or theme. They are then able to plant lines of code within your database, which redirect visitors to illegal pharmaceutical websites.
As you can see below, when searching for pages within your website, the Pharma Hack will hijack your page, redirect people to bad pages… and search engines will update their records to reflect this. But when navigating around your website normally, you may not notice this redirect – only when clicking through from a search engine, which makes it hard to detect.
One of my jobs is to manage the websites for a medical / cosmetic laser manufacturer – and they were infected by the Pharma Hack… which prompted me to find out about it, and hence write this post.
If you Google the words “Pharma Hack” you will find a few useful articles with information & tips on how to identify it & how to fix it. This is just an article about my experiences of it & how I dealt with it.
How do you detect a Pharma Hack?
If your site is affected by the Pharma Hack, you may be oblivious to it, until it’s too late. When you are navigating around your website, everything seems normal, but you may find that when you click through to certain pages on your website via Google, you will be redirected to a dodgy pharmaceutical website.
This makes it quite hard to detect – unless you regularly check Google by searching your complete website… you can do this by Googling: site:www.mysite.com – which will show you all listed pages from your website.
Google will also tell you if there is a possible problem, by including a notice underneath the link, saying “This site may be hacked” – but you still may not personally witness the hack in the first few weeks of being hacked.
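Because the redirect only shows up on a click-through from a search engine, you can check your own pages by requesting each one twice, once directly and once with a search-engine Referer, and comparing the results. The script below is an added example, not code from this post; it assumes the injected code keys on the Referer header, and the `pills.example` host and `sample_fetch` stand-in are constructed so it runs offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

SEARCH_REFERER = "https://www.google.com/"  # assumed trigger: a search-engine Referer


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def http_fetch(url, referer=None):
    """Live fetch: return (status, Location header or None)."""
    headers = {"Referer": referer} if referer else {}
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def _host(url):
    """Hostname in lower case without a leading 'www.', or None for relative URLs."""
    name = urlparse(url or "").hostname
    return name.removeprefix("www.") if name else None


def check_page(url, fetch=http_fetch):
    """Fetch url directly and as a search click-through; list off-site redirects."""
    findings = []
    for label, referer in (("direct", None), ("from search", SEARCH_REFERER)):
        status, location = fetch(url, referer)
        target = _host(location)
        if 300 <= status < 400 and target and target != _host(url):
            findings.append((label, status, target))
    return findings


def sample_fetch(url, referer=None):
    """Constructed stand-in for an infected site, so the example runs offline."""
    if referer and "google." in referer and url.endswith("/products/"):
        return 302, "http://pills.example/cheap"
    return 200, None


if __name__ == "__main__":
    for page in ("http://www.mysite.com/about/", "http://www.mysite.com/products/"):
        print(page, check_page(page, sample_fetch))
```

Call `check_page(url)` without the second argument to test a live page of your own; a finding labelled "from search" with no matching "direct" finding is the pattern described above.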
What can you do about it?
As with many other WordPress issues, the usual checks need to be made – like disabling all themes & plugins, to hopefully identify the offending code. But, in my experience, the Pharma Hack will probably have already affected your database, which requires a lot of searching (using phpMyAdmin) & deleting the offending code.
If you are like me, and can’t be bothered to search through hundreds of options etc., and potentially delete something you shouldn’t have, the easiest way is to just create a fresh install of WordPress & create a new clean database.
Simply export your old WordPress content to an XML file, then upload it to the new instance. I guarantee that this is the quickest way. Unless you are a total coding guru!
Can you protect yourself?
The obvious measures you should take are to:
Use a complex username & password – if you are working on a large website that requires various users, insist that all users create complex passwords, then take measures to protect that password.
Avoid using plugins that are unnecessary, and do a bit of research into a plugin if you need to install it. Check if the plugin is actively being updated, check out the developer of each plugin, read the reviews of each plugin, check how many active installs of a plugin are in use.
Do not give people Administrator access unless you know they are responsible – or they understand the importance of security.
Regularly check your website listings on search engines – use Webmaster Tools & Google Analytics – if you see any strange fluctuations, consider the possibility that your visitors are being redirected to a dodgy website.
Consider using a more secure host / server. Several of the websites I manage have been moved to NGINX servers, which give you more control over privileges etc. – this is not an advert for their services, simply some information about what measures I took – with much help from Mr Brox, who I must nod my head to!
There are some clever buggers out there, and any man-made security can be broken by cleverness. But you can make it extremely difficult for them by using crazy passwords, & being very careful when installing plugins.
I found this other article very useful: