I’m writing this blog post because one of our clients called us and told us that their website had been hacked and that the website's ranking had been affected as a result of that hack.

If you don’t know what a pharma hack is and you are facing the same problem with your site, don’t worry: in this article I’m going to explain in detail what a pharma hack is, how it actually works, and how to get rid of it.

What is a pharma hack?

The purpose of a pharma attack is to promote pharmaceutical sales sites through WordPress websites.
The attackers target the pages of your website that get the most traffic. When an end user visits your website and clicks on some link, they are automatically redirected to one of the attackers' pharmaceutical sales sites, which sell Viagra and Cialis. You can’t identify such a hack from the front end, or even through the source code of your page.

How to remove a pharma hack from a website?

Here I’m going to tell you about my experience of how I removed a pharma hack from my website. I spent 2 days finding out what had actually happened to my website and what the solution was. After a lot of digging on Google and reading a few articles, I found this solution and was able to remove the pharma hack from the website successfully.

Just go through the steps given below; I hope you will also be able to get rid of the hack.

Generally, attackers run large-scale scans and try to inject backdoors into compromised sites.

Step 1: Backdoor inside one of your theme files

This is the first step in the infection: they find compromised WordPress websites and insert a backdoor into them. Once the backdoor is added, it starts affecting your site; for example, some URLs get modified and redirected to their site.

The common places for these backdoors are the files and folders listed below:

  1. The currently activated theme folder.
  2. The functions.php file of the activated theme.
  3. Some newly created .php files.

Such files can be identified if they contain code similar to that given below:

 $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';
 $joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;
 @$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY.

In my case I found it in:

the activated theme's functions.php
wp-content\themes\theme_name\inc/init.php
wp-content\themes\theme_name/index.php
wp-includes\images\wlw/index.php  file

Finally, when you find such files, or such code in any file, delete it.

 

Step 2: Backdoor inside one of your plugin folders

This is the second step in the pharma attack, which the attacker uses to insert a backdoor into your website.
Here they insert a backdoor into one of your activated plugins, so check all the activated plugins' folders and look for any new suspicious files.
Examples:

 akismet/wp-akismet.php
 akismet/db-akismet.php

Mostly they insert it in the Akismet plugin, so look closely in the Akismet folder for any new suspicious files, and when you find one, delete it immediately. I even found such a file in the Akismet folder, but in your case it may not be the same, so check all existing plugin folders.
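
The file checks in Steps 1 and 2 can be automated. The Python sketch below is an added example, not code from the original post: it resolves the string concatenations used in the Step 1 snippet (which spell out assert and base64_decode) and reports PHP files that call such a hidden function through a variable. The SUSPICIOUS list, the function names and the placeholder payload in SAMPLE are assumptions made for illustration.

```python
import os
import re

# Function names this obfuscation style tends to hide (assumed list, extend as needed).
SUSPICIOUS = {"assert", "eval", "base64_decode", "gzinflate", "str_rot13", "create_function"}
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
TERM = re.compile(r"'([^']*)'|\"([^\"]*)\"|\$(\w+)|\(?(\d+)\)?")
CALL = re.compile(r"\$(\w+)\s*\(")
# Constructed sample: assignments as in the post's snippet, payload replaced by a placeholder.
SAMPLE = r"""<?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';
$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;
@$ygDOEJ(@$joEDdb('PLACEHOLDER'));"""

def resolve_assignments(php):
    """Evaluate simple `$v = 'a'.$b.(64);` concatenations into {variable: string}."""
    values = {}
    for name, expr in ASSIGN.findall(php):
        parts = []
        for term in expr.split("."):
            m = TERM.fullmatch(term.strip())
            if not m or (m.group(3) and m.group(3) not in values):
                break  # not a pure concatenation of known pieces; skip it
            sq, dq, var, num = m.groups()
            parts.append(values[var] if var else (sq or dq or num or ""))
        else:
            values[name] = "".join(parts)
    return values

def find_hidden_calls(php):
    """Names of suspicious functions that are invoked through a variable."""
    values = resolve_assignments(php)
    return sorted({values[v].lower() for v in CALL.findall(php)
                   if values.get(v, "").lower() in SUSPICIOUS})

def scan_tree(root):
    """Map every .php file under root (e.g. wp-content) to its hidden calls."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(".php"):
                path = os.path.join(folder, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_calls(fh.read())
                if hits:
                    report[path] = hits
    return report
```

Run scan_tree on a copy or backup of wp-content and review each reported file by hand before deleting it. An empty report only means this one obfuscation style was not found.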

 

Step 3: Backdoor inside your database

This is the third and last step hackers use to attack compromised websites; sometimes the root cause is hidden here. Until now, and in my experience, they have been using the wp_options table to insert backdoors.

Below are some queries which should clean your database, so try these (adjust the wp_ table prefix if your installation uses a different one):

 delete from wp_options where option_name = 'class_generic_support';
 delete from wp_options where option_name = 'widget_generic_support';
 delete from wp_options where option_name = 'fwp';
 delete from wp_options where option_name = 'wp_check_hash';
 delete from wp_options where option_name = 'ftp_credentials';
 delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf';
 delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea';
 delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';

NOTE:

Remember that you have to follow all of the steps above to completely remove the pharma hack from your website. If you only delete files from the themes folder or plugins folder, there is a chance you will see the same files again after a few days, so it is important to follow all the steps.
