Pharma Hack: What It Is and How to Fix on WordPress

May 22, 2023 in Cyber Attacks

WordPress attacks can take any form imaginable. Increasingly, these schemes play on consumers' desire for affordable medications. Known as pharma hacks, these breaches can cause widespread damage while also placing unsuspecting consumers at risk.

Awareness is crucial. Many developers and customers have no idea that pharma hacks even exist. As such, they are woefully unprepared. As these attacks become more sophisticated, it is important to understand the scope of the problem and the signs of a typical hack. We've outlined both below, as well as solutions to prevent future attacks.

What Is a Pharma Hack?

As a targeted infection strategy and black hat SEO technique, pharma hacks aim to redirect users from legitimate links to illegitimate websites, where they are then encouraged to purchase illegal medications — without duped consumers realizing, of course, that these purchases are unlawful.

Not only are these exploits problematic from a website security standpoint, they can also prove downright dangerous. These scams may convince or enable users to consume unnecessary and potentially harmful drugs. These products could be problematic even if they were genuine, but unfortunately, there's no guarantee of that — they could be cut with other substances or may be completely different drugs than anticipated.

The modern pharma hack is a subset of a common strategy also used to sell knockoff handbags, watches, and a myriad of other illegitimate products. With pharma-specific hacks, however, the focus is on medications that typically require a prescription. This scheme is sometimes referred to as a Cialis or Viagra hack, as these are two of the drugs most commonly peddled via redirects.

Why Does Pharma Spam Happen?

Pharma spam is often effective simply because of cost concerns. After all, pharmaceutical prices are higher in the US than in many other countries, and insurance coverage can be difficult to obtain. Consumers are happy to seek medications from alternate sources or, at least, are susceptible when they suddenly encounter what appears to be a good deal.

Drawing on these pricing concerns, scammers have found an effective way to target vulnerable consumers — resell medications at lower price points. What these victims often fail to realize, however, is that it is illegal to purchase pharmaceuticals online without a prescription.

How to Detect Pharma Attacks?

Pharma attacks can be surprisingly difficult to detect, even when these hacks aren't particularly sophisticated. In general, however, these attacks follow a clear pattern: manipulate websites or Google search results to make it appear as if users have stumbled upon legitimate pages that sell desired products for exceptionally low prices. Then, when users click these links, they are sent to spammy sites. Unfortunately, a variety of cloaking methods are used to hide these schemes.

Knowing how pharma attacks work may be the first step, but even with such understanding, it can be difficult to spot them in action. These tips should help you detect pharma scams:

Use a Website Malware Scanner

The first and most important strategy for discovering (and quickly mitigating) pharma hacks on your website? Committing to malware scanning. The best malware scanners run continuously and can promptly detect any malicious code that should be addressed.

During a high-level scan, suspicious content is immediately flagged. From there, malware can be swiftly removed and other vulnerabilities addressed to limit the impact of the scam on your hard-earned SEO.

Check Pharmaceutical Keywords in Search Results

Ordinary web searches can quickly reveal whether your website has been targeted. Because Viagra and Cialis are among the most commonly peddled scammy pharmaceuticals, they form an ideal starting point. Simply use these drugs as keywords, adding your domain name to complete the search. Keep in mind that you may need to examine several pages of results before you happen upon SEO spam sites.

The search term "" can also be useful, especially if followed by a group of suspicious keywords listed within brackets. Don't hesitate to use webmaster tools, such as the popular Fetch as Googlebot.
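The cloaking mentioned above can also be checked offline. This added example (not SiteLock's code) compares two saved copies of the same page, one fetched as a normal browser and one fetched as Googlebot, and reports pharma keywords that appear only in the crawler copy. It assumes the cloaking keys on the requester's identity; the sample pages, the function names and the pharma.example host are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The two drugs the article names; extend the tuple for your own checks.
PHARMA_KEYWORDS = ("viagra", "cialis")
# Constructed sample pages: the crawler copy carries an injected spam link.
SAMPLE_BROWSER = '<html><body><h1>Dental specialist</h1><a href="/contact">Contact</a></body></html>'
SAMPLE_CRAWLER = SAMPLE_BROWSER.replace(
    "</body>", '<a href="http://pharma.example/cheap_cialis">Buy Viagra</a></body>')


class _TextAndLinks(HTMLParser):
    """Collect visible text and href targets, skipping script/style bodies."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def pharma_hits(html):
    """Return the pharma keywords found in page text or link URLs."""
    parser = _TextAndLinks()
    parser.feed(html)
    parser.close()
    haystack = " ".join(parser.text + parser.links).lower()
    # Letter boundaries keep "specialist" from matching "cialis".
    return {k for k in PHARMA_KEYWORDS
            if re.search(r"(?<![a-z])%s(?![a-z])" % re.escape(k), haystack)}


def cloaked_keywords(browser_html, crawler_html):
    """Keywords present only in the copy served to the search-engine crawler."""
    return pharma_hits(crawler_html) - pharma_hits(browser_html)
```

A non-empty result from cloaked_keywords means the two audiences are being served different content, which is worth investigating even when the page looks clean in a browser.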

Manually Review Your WordPress Core Files

When pharma hacks involve WordPress, the contents of the root directory may be modified. Commonly infected files include:

  • index.php

  • nav.php

  • wp-page.php

The .htaccess file must also be thoroughly examined, as modifying it is a common strategy for adding backdoors. Regularly reviewing these core files is another solid step toward improving WordPress security.

Review Recently Modified Files

As you examine core files, take a closer look at those that have recently been modified. Select "show hidden files" to reveal anything that has been obscured through the simple placement of an extra dot. Watch for terms such as .class or .cache, which are commonly used to camouflage hacked files.
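The two manual reviews described above (core files and recently modified files) can be turned into a shortlist. This added example is not SiteLock's code: it walks a WordPress directory and flags the root files named in the article, hidden dot-files, names containing .class or .cache, and anything modified within a chosen window. The 7-day default, the function names and the sample tree are assumptions made for the example.

```python
import os
import tempfile
import time
from pathlib import Path

# Root-level names the article lists as commonly infected, plus .htaccess.
ROOT_SUSPECTS = {"index.php", "nav.php", "wp-page.php", ".htaccess"}
# Name fragments the article says are used to camouflage hacked files.
CAMOUFLAGE = (".class", ".cache")


def review_candidates(wp_root, days=7, now=None):
    """Map each file worth a manual look to the reasons it was flagged."""
    root = Path(wp_root)
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                mtime = path.lstat().st_mtime
            except OSError:
                continue  # removed or unreadable while scanning
            reasons = []
            if path.parent == root and name in ROOT_SUSPECTS:
                reasons.append("root file to review by hand")
            if name.startswith(".") and name != ".htaccess":
                reasons.append("hidden dot-file")
            if any(marker in name for marker in CAMOUFLAGE):
                reasons.append("camouflage marker in name")
            if mtime >= cutoff:
                reasons.append("recently modified")
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Run the scan over a constructed tree (file names are made up)."""
    now = time.time()
    tree = {"index.php": 90, "wp-includes/version.php": 90,  # age in days
            "wp-includes/.plugin.cache.php": 90, "wp-content/themes/t/functions.php": 0}
    with tempfile.TemporaryDirectory() as d:
        for rel, age in tree.items():
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php // constructed sample\n")
            os.utime(p, (now - age * 86400, now - age * 86400))
        return review_candidates(d, now=now)
```

A flagged file is a candidate for review, not a verdict: index.php exists in every clean install, so compare its contents against a fresh copy of the same WordPress version.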

Look for Unauthorized Users

Unauthorized users can wreak havoc by exploiting WordPress vulnerabilities to gain access to your site. Using the administrator account, take a quick glance through currently approved users to determine whether any user names or roles are questionable. The user screen will also reveal which users have written specific posts. Change roles for any users you believe have excessive privileges or completely delete user accounts if they appear suspicious.

Search for Malware Alerts on Search Console

Google's Search Console includes a Security Issues tab that provides helpful reports on malware, hacks, and other common issues. In addition to revealing these concerns, Google Search Console also provides details on how to fix any existing problems. Upon addressing highlighted concerns, you can request a review.

Investigate Spikes in Analytics or Server Resources

High CPU usage may be indicative of pharma hacks or other exploits. Related alerts are possible if your page receives too many requests — or if these are slow to resolve. Keep an eye out for abnormal traffic patterns, such as an influx of visitors from a specific country — or certain pages receiving significantly more traffic than usual.

How to Fix Pharma Hacks?

If you've determined that hackers have breached your WordPress website, it is important to take action as soon as possible. Not only does your compromised website stand a solid chance of harming your reputation, it could also place users at risk and even get you blacklisted and barred from Google. Thankfully, this damage can be reversed, particularly if you seek help from a trusted website security provider.

Clean Files and Databases

Pharma hacks target many of the core files associated with WordPress. Back up these important files — such as wp-content and wp-admin — before doing any major cleaning. Once this crucial step is complete, you can use security services to automatically clean any impacted files.

Find and Remove Backdoors

Hackers who have already gained access to WordPress websites commonly leave backdoor measures in place to make returning easier. This is often accomplished by inserting malicious code into theme files, core files (such as wp-content), and current WordPress plugins. Remove these to combat the most common and dangerous WordPress vulnerabilities.

Remove Malware Warnings and Blacklistings

If a WordPress pharma hack has caused your site to be blacklisted by Google, it’s critical to act as quickly as possible to get this remedied. As we've mentioned, Google's Search Console allows you to request a review of your previously hacked WordPress site. If you've resolved the highlighted issues, you can get your site removed from the dreaded blacklist and once again included in Google search results.

Consider Hiring a WordPress Security Service

If all this seems like a lot of effort, remember: you don't need to handle it alone. With a WordPress security service in your corner, you can get immediate and valuable insight into a variety of security concerns, along with the swift implementation of effective strategies designed to prevent and mitigate these issues.

WordPress Security Best Practices

A layered approach is essential for preventing pharma attacks and, in general, boosting WordPress security. Best practices for protecting your site and its visitors include:

Maintain WordPress Themes and Plugins

Out-of-date WordPress themes and plugins are frequently exploited, so these must be updated regularly to ensure that all the latest security protocols are in place. Strategic selection is also crucial; only use plugins from highly reputable sources. Keep in mind that WordPress itself should also be updated to reflect the latest version.

Secure Passwords and Usernames

Don't underestimate the power of password protection. This can serve as a valuable line of defense when blocking brute-force attacks. All passwords should feature long strings of random letters, numbers, and special characters. Better yet, implement multi-factor authentication, which adds an extra hurdle for hackers: the need to submit a code sent via email or text message.

Prepare for the Worst-Case Scenario

Unfortunately, given the sophistication of today's top scams, there is a high potential for malicious behavior — even after you've implemented the best WordPress security strategies. There's never such a thing as too much peace of mind, so it's important to plan for the worst-case scenario. Typically, this means implementing a high-level backup solution, which, in the event of a hack, will minimize downtime and get your site back to pristine condition.

Protect Your WordPress Website with SiteLock

If you are concerned about WordPress security or suspect that you may have been targeted in a pharma hack and need immediate website hack repair, don't hesitate to take action. A vigilant approach can make a huge difference, as you will quickly discover upon implementing SiteLock's sophisticated security services. From malware scanning to firewalls, we offer everything needed to keep your site safe. Take a look at our plans and feel free to reach out if you have any questions.
