I’m writing this blog because one of our client called us and told that their website is hacked and ranking of website affected in result of that hack.
So if you don’t know what is pharma hack and you are also facing same problem with your site then don’t worry i’m going to explain all in details in this article like,what is pharma hack and how it is actually works and how to get rid off such hack .
what is pharma hack?
The purpose of pharma attack is to promote pharmaceutical sales sites through WordPress websites.
they attack such pages of your website which has most of traffic.when end user visit your website and click on some link they automatically get redirected to one their pharmaceutical sales sites which sales viagra and cialis .you can’t identify such hack from front-end even through source code of your page.
How to remove Pharma Hack from website?
here i’m going to tell you my experience, how i removed pharma hack from my website. I spend 2 days to find out what actually happened to my website and what is the solution to it, after lot of digging on google and reading few articles i found this solution and i’m able to remove pharma hack from website successfully.
Just go through the steps that are given below i hope you will also can get rid off from hack.
Generally,attackers do large scale scans and try to inject the backdoors into compromised sites
Step 1 : Backdoor inside one of your theme file
this is the first step in the infection, they find compromised wordpress websites and insert backdoor in it .once backdoor is added it start affecting you site.like,some URL are gets modified and redirected to their site.
The common places for these backdoors are in one of file or folder which are given below :
- current activated theme folder.
- functions.php file of activated theme.
- or some newly created .php files.
such files can be identified if they contain code similar to given below
$XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb
='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$j
oEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY.
In my case i found it in
activated themes fuctions.php
wp-content\themes\theme_name\inc/init.php
wp-content\themes\theme_name/index.php
wp-includes\images\wlw/index.php file
and last when you find such files or code in any file delete it.
Step 2 : Backdoor inside one of your Plugin Folder.
This is the Second step in the pharma attack which attacker use to insert backdoor in your website.
here they insert backdoor in one of your activated plugin so check all the activated plugins folders and look for any new suspicious files.
Examples:
akismet/wp-akismet.php akismet/db-akismet.php
mostly they insert it in Akismet plugin so look in to closely in akismiet folder for any new suspicious files and when you find it delete it immediately. even i found such file in akismet folder but in your case may be it will not be same so check all existing plugin folder.
Step 3 : Backdoor inside one of your Database
This is third and last step hacker use to attack on compromised websites sometimes here is the root of cause is hidden. tiil now and as per my experience they have been using wp_options table to insert backdoors.
Below are some quires which should clean your database so try this :
delete from wp_options where option_name = 'class_generic_support'; delete from wp_options where option_name = 'widget_generic_support'; delete from wp_options where option_name = 'fwp'; delete from wp_options where option_name = 'wp_check_hash'; delete from wp_options where option_name = 'ftp_credentials'; delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf'; delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea'; delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';
NOTE:
remember you have to follow all above to completely remove pharm hack from your website if you only delete files from themes folder or plugins folder there may be chances you see same files again after few days so it is important to follow all the steps.
