It’s never easy to face a situation where your website has been hacked. WordPress pharma hacks are especially difficult and dangerous if they are not dealt with properly. Manual removal of the hack, if you choose not to use a malware removal plugin, is a complicated process that takes up a lot of time and resources, with no guarantee of achieving the desired result.
What are pharma hacks?
These hacks are very similar to SEO spam, where legitimate websites are used as a cover for selling something illegal. Attackers find a weakness to breach the site and inject malware that lets them modify the content shown to visitors, turning the site into a storefront for counterfeit branded goods or illegal drugs. Their main purpose in hacking such sites is to increase search traffic and ranking for those spam pages, which requires real consumers to visit the links, and a trustworthy website already has that audience and reputation.
The worst impact on your site, apart from the illegitimate activity taking place on it, is that once search engines like Google detect malicious content on your site, they will blacklist it immediately. Getting that blacklisting removed is an even more painful task, making the whole situation harder still.
An example of an actual pharma hack
Here’s a pharma hack case that actually happened, to give an insight into how attackers make sure that deleting the malicious file once is not enough for permanent removal.
Once it was identified that the site was affected, the next step was to find out where the problem was originating from, which was simple in this case. A file named ‘wp-page.php’ was found at the root of the site. It served the pharma spam redirect page, the doorway to the malicious content, and targeted users arriving through search engine results. On Google, the search engine results page (SERP) showed links to illegal medications.
However, once the file had been deleted, via the terminal or an FTP client, the security experts rechecked whether the hack was still present, and it was. Search engine results were unchanged despite the deletion.
One possible conclusion was that the page had been cached, since that would explain the same results on the Google search page. Checking the response headers ruled this out: the page was not cached. Every time the file was deleted, it reappeared.
The user’s crontab also showed nothing suspicious, so this wasn’t a case of cron jobs being used to reinfect the site over and over again.
The experts then had to go through the site’s files line by line to find out what exactly was going on. The search ended at a file named ‘nav.php’ under the active theme directory. Its code kept adding ‘wp-page.php’ to all legitimate site pages in step with requests arriving from Google. And this appending wasn’t the only issue: the code recreated ‘wp-page.php’ whether or not the file existed at that point in time.
Finally, they came to a single line of code, <?php include 'nav.php';?>, in the ‘header.php’ file of the active theme. So whenever a visitor loaded the theme, it loaded ‘nav.php’, which recreated the files needed to keep the hack running.
Removing the pharma hack
Manual scanning and cleaning is a complicated process for anyone not familiar with the CMS they are working on, whether WordPress, Joomla, Drupal or another. You need to be comfortable browsing through files and folders patiently, examining each line of code, to avoid situations like the one described above.
The first step, if you decide to handle the problem manually, is to ensure that there is a working backup of your site that can be restored to avoid losing content. Any site can crash in the middle of something important, so this step should not be skipped.
- Next, you need to download the PHP files
Pharma hacks frequently find a home in files like ‘index.php’, ‘header.php’, etc. To download such files, go to your hosting account, then control panel > file manager > public_html > index.php. Make sure you have also downloaded the original copies of the files, so you have something clean to compare against.
- Run a diff check
This is to find out whether anything new has been added to the files. Look out for calls such as ‘eval’, ‘base64_decode’, ‘exec’ and ‘assert’. Be careful when interpreting the results: a difference, or the presence of one of these functions, does not by itself confirm that the script is malicious.
Various steps follow these, including checking that all updates have been applied, scanning your site for malware, removing nulled extensions, and deleting rogue admin accounts, among others. Always remember to ask security professionals for help if you feel overwhelmed.
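The diff check and keyword search above, as an added Python example that is not part of this article: it hashes every PHP file against the clean copies you downloaded, greps for the functions listed, and flags any include or require of a file that is absent from the clean copy, which is the pattern that gave away ‘nav.php’ in the case described earlier. The sample site tree, the theme name ‘demo’ and the base64 payload are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Calls the article lists as worth flagging; a hit is a lead to read, not proof of malware.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|exec|assert)\s*\(", re.I)
# include/require of a literal file name, such as the one-liner include 'nav.php';
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")

def scan_site(root, known_good):
    """Diff each .php file under root against known_good (relative path -> sha256 of the
    clean copy) and grep it for suspicious calls and includes of files absent from the
    clean copy. Returns {relative path: [findings]}; an empty dict means nothing to read."""
    findings = {}
    for full in Path(root).rglob("*.php"):
        rel = full.relative_to(root).as_posix()
        data = full.read_bytes()
        issues = []
        if rel not in known_good:
            issues.append("file is not in the clean copy")
        elif known_good[rel] != hashlib.sha256(data).hexdigest():
            issues.append("file differs from the clean copy")
        for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
            issues += [f"line {lineno}: call to {m.group(1)}()" for m in SUSPICIOUS.finditer(line)]
            for m in INCLUDE.finditer(line):
                # resolve relative to the including file's directory, one of the places PHP looks
                target = os.path.normpath(os.path.join(os.path.dirname(rel), m.group(1)))
                if target.replace(os.sep, "/") not in known_good:
                    issues.append(f"line {lineno}: includes unknown file {target}")
        if issues:
            findings[rel] = issues
    return findings

def build_sample_site():
    """Constructed sample tree: clean index.php, header.php with the one-line include,
    and a nav.php dropper. Returns (root, sha256 hashes of the clean copies)."""
    theme = "wp-content/themes/demo"
    clean = {"index.php": "<?php echo 'home'; ?>\n", f"{theme}/header.php": "<?php wp_head(); ?>\n"}
    known_good = {p: hashlib.sha256(c.encode()).hexdigest() for p, c in clean.items()}
    infected = dict(clean)
    infected[f"{theme}/header.php"] += "<?php include 'nav.php';?>\n"
    infected[f"{theme}/nav.php"] = "<?php eval(base64_decode('Li4u')); ?>\n"  # placeholder payload
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, theme))
    for path, content in infected.items():
        Path(root, path).write_text(content)
    return root, known_good
```

Run `scan_site(*build_sample_site())`: the untouched index.php is silent, header.php is reported as modified with an include of an unknown file, and nav.php is reported as not in the clean copy with eval() and base64_decode() calls.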