How to Find and Fix a WordPress Pharma Hack

Did you know that one quarter of all spam emails are accredited to pharmaceutical ads? Pharma hacks go beyond the inbox and spam websites by redirecting traffic and adding fake keywords and subdomains to the search results.

Why, and how did the medical world get tangled up in spam emails, SEO spam, redirects, and website spam injection?

The answer is – money.

The Ways and Means Committee ( responsible for taxation and budget recommendations) stated in their 2019 report that Americans pay anywhere from 4x to 67x the price as other countries for the same drug. Webmd found that Toronto charged 55% less for an identical prescription across Lake Ontario in Rochester, New York.

The cost of healthcare has driven many Americans to purchase prescription drugs across borders from other countries, or online, despite its illegality. The desire to find affordable medicine has created opportunities for scheisters to take advantage of desperation through low-price offers for popular drugs.

What is a Pharmaceutical Hack?

A pharmaceutical hack is an SEO Spam attack that exploits vulnerable WordPress sites and hijacks your website and injects it with malware like favicon.ico. The hacker creates subdomains, redirects, and keyworks to get their content to rank on search engines and in front of site visitors. Think of the guy from men in black whose body became a vessel for all the alien bugs … that’s your site right now.

What is the Risk?

To you? You can get blocklisted once Google notices that your website has been injected or your hosting provider. This will result in downtime if you get blocklisted, missed traffic and longer lasting effects such as a hit on your site’s SERP, all which ultimately hit the wallet.

To consumers? Purchasing these less expensive drugs is not a sure bet. There is no way to prove (without a lab test) that what you bought online is the real deal. The medicines and drugs purchased over these spam sites are not regulated or quality controlled by any agency. Plus, the repercussions for purchasing one of these offerings can also carry jail time and steep fines depending on what state you live in.

Why You And Your Site?

It’s not personal. If your site is vulnerable from weak passwords or vulnerable components, hackers will find their way in. They take advantage of the weakness and then use your website’s ranking to push their products’ visibility. It uses your legitimate website to promote their content (which would otherwise not rank). Once this is reported and Google catches on, your site can get blocklisted, causing serious financial repercussions to your business.

How To Verify That You Have Been affected by a Pharma Hack

Step 1: Google your site with common pharma spam keywords like xanax or viagra or cialis. See if the keywords appear or if there are subdomains dedicated to pharmaceutical drugs.

When I searched for specific college along with the word viagra, I found this result:

You can see that this website is an educational institution from its .edu web address, and has no business offering xanax online.

Note: If you accidentally click on the link that should take you to the site, you are likely to experience a redirect.

If you are a victim of a pharma hack, you are likely to be redirected to a drug pharmaceutical website. In this case, I was redirected to a site called family-drugs.com.

Other indicators you can look for are spikes and drops in traffic, google warnings on your page like “deceptive site ahead”, or “this site may be hacked.” or even just checking what keywords or pages google is finding on your website through Google’s search console.

Step 2: Do a Site Scan to drill down on what the diagnosis is – it finds “known spam detected”

Clicking on “More Details” confirms the redirect we experienced:

Scroll Down Further to see the complete report.

At this point, you can request help from Sucuri’s security analysts to clean your site, or attempt to drill down further using the free Sucuri Security WordPress Plugin.

Step 3: Run the free Sucuri Security WordPress Plugin. This plugin which will scan your WordPress core files for any abnormalities, changes or modifications so you know exactly where to look to remove backdoors.

Image source: https://wordpress.org/plugins/sucuri-scanner/

Note: Before performing any changes to your files make sure you have a clean backup available to restore from.

Remove Backdoors

Review the list of modified core files the Sucuri plugin returns with. Follow up with the associated users for each change to confirm that they were legitimate changes. Restore the modified core files with original copies out of the WordPress repository.

Look to a back-up prior to the infection to compare differences in the core files. Remove anything that has changed and keep an eye out for these specific php functions:

base64

str_rot13

gzuncompress

eval

exec

system

assert

stripslashes

preg_replace (with /e/)

move_uploaded_file

These functions can also be legitimate so test each removal at a time and make sure to perform a backup between each change.

More thorough details on how best to remove an infection can be found in our comprehensive How To Clean A Hacked WordPress Site Guide.

In Conclusion

The best way to prevent Pharma Hacks from reoccurring is to take the following actions:

Update your site – update every plugin and component on your site. Many updates contain bug fixes that could have been the unlocked door into your site for the SEO spam in the first place.
Put a firewall in place. It will monitor traffic and protect your web server and web applications from attack.
Run daily scans to monitor the health of your site. Hackers often leave more than one backdoor and if you did not clean the site entirely, daily scan keeps you on high alert for attempts at reinfection
Perform an admin audit and remove unnecessary or unfamiliar users. Reset all passwords, and enforce strong password techniques.