What the pharma hack is
The pharma hack is the longest-running WordPress malware family — first documented in 2010, still active in 2026. Its goal is SEO spam: insert links to Viagra, Cialis, and other pharmacy pages into your site to manipulate Google rankings for those terms.
What makes it dangerous is not the payload — it's the cloaking. The hack hides itself from logged-in admins and ordinary visitors. Only Google's bot sees the spam. By the time you notice your site is "selling Viagra" in Google search results, the infection has been compounding for months.
This article is our complete forensic playbook: how to detect, how to clean, and how to prevent recurrence.
How it cloaks
The pharma hack uses three cloaking techniques in combination:
1. User-Agent based cloaking
The hack checks the HTTP User-Agent header. If it matches Googlebot, Bingbot, or another search engine crawler, the page renders with pharma spam injected. If it matches a regular browser, no spam is shown.
2. Referrer based cloaking
Some variants only inject when the referrer is google.com or other search engines, ensuring real Google traffic sees spam while direct visitors don't.
3. Cookie based cloaking
If a "logged in as admin" cookie is present, the malware exits early without injecting. This is why you never see anything wrong when browsing your own site.
Detection: see what Google sees
The only reliable way to detect a pharma hack is to fetch your site as if you were Googlebot:
curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
-H "Referer: https://www.google.com/" \
https://yoursite.com/ | grep -iE "viagra|cialis|pharmacy|levitra|tadalafil"
If the output contains pharma keywords, you're infected.
Alternative: Google Search Console → URL Inspection → Test Live URL. Look at the rendered HTML. If you see pharma links there but not in your browser, that's the hack confirmed.
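The three cloaking checks above can be turned into a differential test: fetch the same URL once as a plain browser and once as Googlebot arriving from Google, then report links that only the crawler receives. This is an added Python example, not part of the original article; the User-Agent strings, the keyword list and the two sample HTML responses are constructed for the demo, and check_site() performs the live fetches against your own site.

```python
import re
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
PHARMA_RE = re.compile(r"viagra|cialis|pharmacy|levitra|tadalafil", re.I)
# Constructed sample responses: the page as a browser sees it, and as a cloaked crawler sees it.
SAMPLE_BROWSER = '<html><body><a href="/about">About</a><p>Welcome</p></body></html>'
SAMPLE_CRAWLER = ('<html><body><a href="/about">About</a><p>Welcome</p><div style="display:none">'
                  '<a href="http://pharma.example/buy-cialis">cheap cialis online</a></div></body></html>')

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs; injected SEO spam is almost always <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def cloaked_pharma_links(browser_html, crawler_html):
    """Links only the crawler receives whose href or anchor text matches pharma keywords."""
    seen = set(extract_links(browser_html))
    return [(h, t) for h, t in extract_links(crawler_html)
            if (h, t) not in seen and PHARMA_RE.search(h + " " + t)]

def fetch(url, user_agent, referer=None):
    headers = {"User-Agent": user_agent, **({"Referer": referer} if referer else {})}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=20) as r:
        return r.read().decode("utf-8", "replace")

def check_site(url):
    """Live differential check of your own site; an empty list means no cloaked pharma links."""
    return cloaked_pharma_links(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA, "https://www.google.com/"))

if __name__ == "__main__":
    print(cloaked_pharma_links(SAMPLE_BROWSER, SAMPLE_CRAWLER))  # offline demo on the constructed samples
```

Because the comparison is per-link rather than per-keyword, a legitimate page that happens to mention "pharmacy" in the browser view is not reported; only content the crawler alone receives is.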
Where the payload lives
We have categorized infected sites into four payload patterns:
Pattern A — Database-resident
The malicious content is stored in the wp_options table, often in custom option names like wp_inject_data, wp_seo_cache, or randomly-named entries. The PHP code that reads and serves this is in a single file added to wp-content/plugins/ or wp-content/mu-plugins/.
Pattern B — Theme functions.php injection
A heavily obfuscated PHP block (often base64-encoded several times over) is added to the active theme's functions.php. At runtime the block decodes itself, fetches the pharma content from a remote C2 server, and injects it into the page.
Pattern C — Core file modification
A WordPress core file (often wp-blog-header.php or index.php) gets a small @include('/path/to/malware') injection at the top. The actual malware lives outside wp-content/.
Pattern D — wp-config.php backdoor
A small eval() or require_once() at the top of wp-config.php loads remote code or a hidden local file. This is the hardest variant to catch because wp-config.php is normally trusted.
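The file-side indicators of Patterns B, C and D, plus PHP dropped into uploads/ and dot-prefixed PHP files, can be checked in one pass. This is an added Python example, not the article's own tooling: the regexes are heuristics, Pattern A's database half is not covered, and SAMPLE_INSTALL is a constructed miniature install with one file per pattern (its paths and encoded blobs are made up).

```python
import os
import re
# Obfuscation idioms used by the pharma loaders (Pattern B) and by most dropped backdoors.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("
    r"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]")
# Files WordPress runs on every request: an injected include here is Pattern C, in wp-config.php Pattern D.
BOOTSTRAP = {"index.php", "wp-blog-header.php", "wp-config.php", "wp-load.php"}
INCLUDE_RE = re.compile(r"(@?)\b(include|require)(_once)?\b\s*\(?\s*(.*)")
WP_OWN_TARGET_RE = re.compile(r"wp-(blog-header|settings|load|config)\.php['\"]|ABSPATH\s*\.\s*WPINC\s*\.")
# Constructed sample install: a clean index.php plus one file per payload pattern (paths and blobs are made up).
SAMPLE_INSTALL = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php\n@include('/tmp/.cache/sess.php');\nif ( ! isset( $wp_did_header ) ) {}\n",
    "wp-config.php": "<?php\neval(base64_decode('aWYoMCl7fQ=='));\nrequire_once ABSPATH . 'wp-settings.php';\n",
    "wp-content/themes/t/functions.php": "<?php\neval(gzinflate(base64_decode('eJwDAAAAAAE=')));\n",
    "wp-content/uploads/2024/.x.php": "<?php echo 1;\n",
}

def suspicious_bootstrap_lines(text):
    """(line number, line) pairs that eval() or include anything outside WordPress' own bootstrap/wp-includes files."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        injected = m and (m.group(1) == "@" or not WP_OWN_TARGET_RE.search(m.group(4)))
        if injected or re.search(r"\beval\s*\(", line):
            hits.append((n, line.strip()))
    return hits

# (finding type, predicate over relative path and source); one file can trigger several rules.
RULES = [
    ("php-in-uploads", lambda rel, text: rel.startswith("wp-content/uploads/")),
    ("hidden-php", lambda rel, text: rel.rsplit("/", 1)[-1].startswith(".")),
    ("obfuscated", lambda rel, text: bool(OBFUSCATION_RE.search(text))),
    ("bootstrap-inject", lambda rel, text: rel in BOOTSTRAP and bool(suspicious_bootstrap_lines(text))),
]

def scan_install(files):
    """files: {relative path: source}. Returns sorted (finding type, path) pairs for every rule that fires."""
    return sorted((kind, rel) for rel, text in files.items() if rel.lower().endswith(".php")
                  for kind, hit in RULES if hit(rel, text))

def load_install(root):
    """Read every .php file under a real install, e.g. scan_install(load_install("/var/www/yoursite"))."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".php")):
            with open(os.path.join(dirpath, name), errors="replace") as f:
                files[os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")] = f.read()
    return files
```

Every hit is a review item, not proof of compromise: a `@include` in a bootstrap file or PHP under uploads/ is almost always malicious, while the obfuscation regex also fires on some badly written but legitimate plugins.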
Forensic cleanup procedure
Don't just delete the files you find. The hack always leaves backdoors that re-infect the site. The cleanup process is:
Phase 1 — Identification
cd /var/www/yoursite
# Find recently modified PHP files
find . -name "*.php" -mtime -30 -type f | grep -v "wp-content/cache"
# Find files with suspicious patterns
grep -rE "eval\(.*base64_decode|preg_replace.*\/e|system\(.*\\$_" --include="*.php" .
# Find non-standard files in core directories
ls -la wp-admin/ wp-includes/ | grep -v "^d"
Save a snapshot of every flagged file:
mkdir -p /tmp/forensics-$(date +%Y%m%d)
cp suspicious_file.php /tmp/forensics-$(date +%Y%m%d)/
Phase 2 — Database cleanup
-- Look for suspicious options
SELECT option_name, LEFT(option_value, 100) FROM wp_options
WHERE option_value LIKE '%eval%'
OR option_value LIKE '%base64%'
OR LENGTH(option_value) > 100000;
-- Look for hidden admin users
-- (the meta_key carries your table prefix; 'wp_' is the default)
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta um ON u.ID = um.user_id
WHERE um.meta_key = 'wp_capabilities' AND um.meta_value LIKE '%administrator%';
-- Look for spam content in posts
SELECT ID, post_title FROM wp_posts
WHERE post_content REGEXP 'viagra|cialis|tadalafil';
Delete malicious options, drop unauthorized admin users, and clean spam posts.
Phase 3 — File restore
Restore the WordPress core from a clean download:
wp core download --skip-content --force
This rewrites every core file with a vetted copy; it does not touch wp-content/.
For themes and plugins:
# Reinstall every active plugin
wp plugin list --field=name --status=active | xargs -I {} wp plugin install {} --force
# Reinstall theme
wp theme install <theme-slug> --force
If you use a custom theme, restore it from version control or a known-clean backup.
Phase 4 — Backdoor hunt
This is the critical phase. Backdoors are small, often unique-per-infection PHP files. Search exhaustively:
# Files in unusual locations
find wp-content/uploads/ -name "*.php" -type f
# Files with very recent modification but original-looking names
find . -name "*.php" -mtime -60 -type f -exec grep -l "eval\|base64_decode" {} \;
# Hidden files
find . -name ".*.php" -type f
For every PHP file found in uploads/, delete it. Uploads should never contain executable PHP.
Phase 5 — Credential rotation
The pharma hack often leaves a stolen credential cache. Rotate everything:
- All WordPress user passwords
- Database password (update both MySQL and wp-config.php)
- WordPress salts in wp-config.php (use https://api.wordpress.org/secret-key/1.1/salt/)
- API keys for any third-party services
- FTP/SSH passwords
- Hosting panel password
Phase 6 — Re-submit to Google
Once the site is clean:
- Google Search Console → Security Issues → Request Review
- Include a brief description of what was infected and what you cleaned
- Wait 24-72 hours for Google to recrawl
Until Google reviews, your site may remain flagged as "deceptive" in search results.
Prevention setup
After cleanup, deploy the hardening that prevents recurrence:
- WAF (Cloudflare Pro) with WordPress managed ruleset → blocks ~80% of automated re-infection attempts
- File integrity monitoring → alerts on any new PHP file in wp-content/
- DISALLOW_FILE_EDIT = true in wp-config.php
- 2FA on every administrator account
- Daily off-site backups with monthly restore drills
- Patchstack subscription → 24-hour alerts on plugin CVEs
Common mistakes during pharma hack cleanup
- Just deleting visible spam links — misses the backdoor; site re-infects within hours
- Trusting Wordfence "auto-clean" — its scanner catches the obvious file but rarely the database options or core injections
- Not rotating credentials — the attacker often comes back through stolen admin login
- Skipping the search engine resubmission — site stays blacklisted unnecessarily
When to call a specialist
A pharma hack that survived a basic cleanup is a sign of multiple compromise vectors. Without forensic-level work, you'll be cleaning the same hack monthly.
Emergency malware removal — we typically clean pharma hacks in 4-8 hours including the hardening step. For broader hack response see hacked website repair.

