How to find and repair a WordPress Pharma hack

Did you know that roughly a quarter of all spam is attributed to pharmaceutical ads? Pharma hacks go beyond spam in email inboxes: they compromise websites, redirect their traffic, and inject fake keywords, pages and subdomains that show up in search results.

How has the medical world become entangled with spam email, referral spam, redirects, and spam injected into websites?

The answer is – money.

The House Ways and Means Committee (responsible for taxation and budget recommendations) indicated in a 2019 report that Americans pay anywhere from 4x to 67x what other countries pay for the same drug. WebMD found that the same prescription cost 55% less in Toronto than across Lake Ontario in Rochester, New York.

The cost of health care has led many Americans to buy prescription drugs across the border or online, even though doing so is often illegal. The hunt for affordable drugs has created an opportunity for shysters to prey on that desperation with cheap offers for popular drugs.

What is a pharmaceutical hack?

A pharmaceutical (pharma) hack is an SEO spam attack that exploits a vulnerable WordPress site, hijacks it and injects malware, often disguised as a harmless-looking file such as favicon.ico. The attacker then creates subdomains, redirects and keyword-stuffed pages so that their content ranks on search engines and lands in front of your visitors. Think of the character in Men in Black whose body becomes a vessel for an alien bug... that is your site right now.

What is the risk?

To you? Your site may be blocklisted once Google, or your hosting provider, notices that it has been injected. A blocklisting means downtime, lost traffic, and longer-lasting effects such as a hit to your site's search ranking (SERP), all of which end up hitting your wallet.

To consumers? Buying these cheaper drugs is not a safe bet. Without a lab test there is no way to prove that what you bought online is the real thing, because drugs sold through these spam sites are not regulated or controlled by any agency. Depending on the state you live in, buying from these offers can also result in jail time and hefty fines.

Why you and your site?

It is not personal. If your site is vulnerable, through weak passwords or vulnerable components, hackers will find their way in. They exploit the weakness and then use your site's ranking to increase the visibility of their products: your legitimate website ends up promoting their content, which otherwise would not rank. Once this is reported and Google notices, your site can be blocklisted, with serious financial implications for your business.

How to verify that you have been affected by a pharmaceutical hack

Step 1: Google your site together with common pharma spam keywords such as xanax, viagra or cialis (for example, search for site:yourdomain.com viagra). Check whether those keywords appear in the results for your site, or whether there are subdomains dedicated to pharmaceutical drugs.

When I searched for a specific college together with the word viagra, I found this result:

You can see from the .edu address that this website belongs to an educational institution, which has no business offering xanax online.

Note: if you click the link expecting to land on the site, you may be redirected instead.

If you are the victim of a pharma hack, that redirect usually lands on a pharmaceutical website. In this case, I was redirected to a site called family-drugs.com.

Other signals to look for are spikes or drops in traffic, Google warnings on your pages such as "Deceptive site ahead" or "This site may be hacked", or simply the keywords and pages Google has indexed for your site, which you can review in Google Search Console.

Step 2: Run a remote site scan (for example Sucuri's free SiteCheck) to deepen the diagnosis. In this case the scanner reports "Known spam detected":

Clicking on "More details" confirms the redirect we received:

Scroll down to see the full report.

At this point you can enlist Sucuri's security analysts to clean up the site, or dig deeper yourself using the free Sucuri WordPress security plugin.

Step 3: Run the free Sucuri Security WordPress plugin. It scans your WordPress core files for anomalies, changes or modifications, so you know exactly where to look to remove backdoors.

Image source: https://wordpress.org/plugins/sucuri-scanner/

Note: before making any changes to your files, make sure you have a clean backup to restore from.

Remove backdoors

Review the list of modified core files that the Sucuri plugin returns. Follow up with the users associated with each change to confirm that the changes were legitimate. Restore modified core files with original copies from the WordPress repository, matching your installed version.

Look for a backup taken before the infection and compare it against the current core files. Remove anything that has changed, and keep an eye out for these PHP functions, which attackers use to hide and execute their payloads:

  • base64 (usually base64_decode)
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier, which executes the replacement as PHP code)
  • move_uploaded_file

All of these functions also have legitimate uses, so remove one thing at a time, test the site after each deletion, and back up between changes.
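The two checks in this section (compare core files against a pristine release, then hunt for the functions listed above), scripted as an added example. This is not code from the article or from Sucuri. It assumes you have pulled a copy of the site to your workstation, that a pristine WordPress release of the same version is unpacked alongside it (read the version from wp-includes/version.php, then download https://wordpress.org/wordpress-X.Y.Z.tar.gz), and that only sh, find, grep, diff and sed are available. The demo site it builds, the file names in it (class-wp-pharma.php and the theme folder) and the injected lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article and not Sucuri's code): the two checks
# from the "Remove backdoors" step, scripted. Work on a local copy of the
# site, never on the live document root.
#
# Assumptions (mine, not the article's): argument 1 is the site copy and
# argument 2 a pristine WordPress release of the SAME version; only sh,
# find, grep, diff and sed are needed.

# Check 1: which core files differ from the release? wp-content/ is skipped
# on purpose: plugins and themes legitimately differ from site to site.
# Output: MODIFIED <file>, EXTRA <file> (not in the release), MISSING <file>.
wp_core_diff() {
    site="$1"
    ref="$2"
    for dir in wp-admin wp-includes; do
        diff -rq "$ref/$dir" "$site/$dir" 2>/dev/null | sed -n \
            -e "s|^Files .* and \($site/.*\) differ\$|MODIFIED \1|p" \
            -e "s|^Only in \($site/[^:]*\): \(.*\)\$|EXTRA \1/\2|p" \
            -e "s|^Only in \($ref/[^:]*\): \(.*\)\$|MISSING \1/\2|p"
    done
}

# Check 2: grep for the functions listed above (plus gzinflate/shell_exec,
# which attackers use the same way). Run it over wp-content/ and over the
# files check 1 flagged, not over untouched core: core itself calls
# base64_decode and stripslashes legitimately, so the noise would bury you.
# HIGH = a decoder chained straight into eval/assert, preg_replace with /e,
# or PHP code inside a favicon.ico. LOW = any listed function: a lead, not proof.
DECODERS='base64_decode|str_rot13|gzuncompress|gzinflate|stripslashes'
FUNCS="$DECODERS|eval|exec|shell_exec|system|assert|move_uploaded_file"
HIGH="(eval|assert)[[:space:]]*\([[:space:]]*@?($DECODERS)[[:space:]]*\("
PREG_E="preg_replace[[:space:]]*\([[:space:]]*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"

scan_suspicious_php() {
    root="$1"
    find "$root" -type f \( -name '*.php' -o -name 'favicon.ico' \) \
        -exec grep -naHE "$HIGH|$PREG_E" {} + 2>/dev/null | sed 's/^/HIGH /'
    find "$root" -type f \( -name '*.php' -o -name 'favicon.ico' \) \
        -exec grep -naHE "(^|[^A-Za-z0-9_>])($FUNCS)[[:space:]]*\(" {} + 2>/dev/null \
        | grep -vE "$HIGH" | sed 's/^/LOW /'
    # a real .ico starts with the bytes 00 00 01 00; "<?php" inside one is never legitimate
    find "$root" -type f -name 'favicon.ico' -exec grep -laF '<?php' {} + 2>/dev/null \
        | sed 's/^/HIGH /; s/$/: PHP code inside favicon.ico/'
}

# Constructed demo tree (paths and contents are made up for this example): a
# pristine "release" and a site copy carrying three classic pharma-hack
# artefacts. Prints the temp dir so the caller can clean it up.
make_demo_site() {
    base=$(mktemp -d)
    for d in "$base/wordpress" "$base/site"; do
        mkdir -p "$d/wp-admin" "$d/wp-includes"
        printf '<?php\n$wp_version = "6.4.3";\n' > "$d/wp-includes/version.php"
        printf '<?php\nfunction wp_kses_post($s) { return $s; }\n' > "$d/wp-includes/functions.php"
        printf '<?php\nrequire_once __DIR__ . "/admin.php";\n' > "$d/wp-admin/index.php"
    done
    # 1. a decoder-into-eval backdoor appended to a genuine core file
    printf 'if (isset($_REQUEST["x"])) { eval(base64_decode($_REQUEST["x"])); }\n' \
        >> "$base/site/wp-includes/functions.php"
    # 2. a dropper that does not exist in the release (hypothetical file name)
    printf '<?php\n@system($_GET["c"]);\npreg_replace("/.*/e", $_GET["p"], "");\n' \
        > "$base/site/wp-includes/class-wp-pharma.php"
    # 3. PHP disguised as a theme icon
    mkdir -p "$base/site/wp-content/themes/twentytwentyfour"
    printf '<?php\n@assert(stripslashes($_POST["p"]));\n' \
        > "$base/site/wp-content/themes/twentytwentyfour/favicon.ico"
    echo "$base"
}

demo() {
    base=$(make_demo_site)
    echo "== core files differing from the release =="
    wp_core_diff "$base/site" "$base/wordpress"
    echo "== suspicious PHP (HIGH first, then LOW) =="
    scan_suspicious_php "$base/site"
    rm -rf "$base"
}
demo
```

Against a real site, replace the demo with `wp_core_diff /path/to/site-copy /path/to/wordpress` and `scan_suspicious_php /path/to/site-copy/wp-content`. Every MODIFIED or EXTRA core file is a candidate to restore from the release; every HIGH hit is something to read before deleting, because the same chain of eval and a decoder is exactly how the injected pharma pages and redirects are hidden from a casual look at the file.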

More complete details on the best way to remove an infection can be found in our guide on how to clean up a hacked WordPress site.

In conclusion

The best way to prevent a pharma hack from happening again is to take the following steps:

  • Update your site: update every plugin and component. Many updates contain fixes for the very bugs that unlocked your site's door to SEO spam in the first place.
  • Put a web application firewall in place. It monitors traffic and protects your web server and web applications from attacks.
  • Run daily scans to monitor the health of your site. Hackers often leave more than one backdoor, and if the site was not completely cleaned, a daily scan keeps you alert to reinfection attempts.
  • Audit your administrators and remove unnecessary or unknown users. Reset all passwords and enforce strong password practices.

Esther L. Gunn