Your Dedicated Partner for All Things WordPress

How to Fix WordPress Pharma Hack?

Table of Contents

It was one fine day and you are searching your website to be sure that your website is displaying correctly. When you search your website, you see unusual pharma heading on your website. This thing is known as pharma hack.

This is also known as the Google Viagra hack. There are many other medicines that you will see. So, depending on the medicine you see, you can name this hack.

We will see how you can fix the WordPress pharma hack.

What is WordPress Pharma Hack?

WordPress pharma hack is an attack where your website will fill with unusual pharma advertisements. Usually, the text and the images are not visible to the regular user.

However, if you search your website on Google, you will find unusual text and headings on the website.

The attack is done in such a way that only the bots who come from Google will see this text.

There are various medicines that you will see on your website. These includes

  • Viagra
  • Cialis
  • Nexium
  • Buy prescription drugs online
  • Buy Xanax online overnight

If you see advertisements for any of these things, your website will be compromised. Even if you search your website on Google, it will show that the website might be compromised.

So, your next job will be to fix the WordPress pharma hack to make sure that website will rank with ease. If you don’t fix it soon, you will start seeing a decrease in ranking. Google might even penalize your website if you don’t fix the WordPress pharma hack.

Therefore, you should surely fix this, or ask your website support to fix it for you.

Let’s learn a little more about this hack before we get into the solution.

Why does Pharma hack happen?

Here, your actual website isn’t compromised as the users can see still see your usual website. So, what’s the point of this hack? This is the main question that comes to your mind when you see some similar type of hack.

All these medicines are illegal to advertise. Either the state law doesn’t allow you to advertise these products or it is a limitation by social media ads or Google ads.

Therefore, the attacker uses this attack to advertise the products to all the people. The hack won’t compromise your data in most cases. However, we can’t be sure about it.

Normally, this hack is for the advertisements and to steal money from you by advertising their product on your website.

Therefore, if you see this hack, there isn’t much to worry about the data but you still have to fix this.

Fix WordPress Pharma Hack

Now, let’s talk about fixing the pharma hack. To fix this, we will first scan the website to see where is the code vulnerability. When the website is hacked, the attacker might have added some malicious code to your website as well.

Therefore, you need to scan the code and find all the vulnerabilities that are on your website. Thereafter, you can surely remove them and your website will be back to normal.

Let’s begin with the first most important thing.

Backup your Website

Of course, how we can forget to backup our website before we perform anything? The first thing that you will have to do is take a backup of the website.

Make sure you also take the backup of the database.

Many people think that what is the use of taking a backup if your website is hacked, well you should take the backup because if you do anything wrong, you can always restore from the backup and restart the procedure.

Scan the Website

Pharma Hack

Your next step is to perform a scan on your website. You can do this from your cPanel virus scanner or if you are using any plugin, you can do it from there too.

There are various virus scanners for WordPress you can use. Starting from WordFence to Sucuri, there are many other alternatives you can use.

It doesn’t matter which scanner you are using as these viruses and malware are common ones and can be easily detected by any scanner.

You can run the scan. If you are using cPanel, head over to the virus scanner, and start the scan. In the same way, if you are using a WordPress scanner (plugin), you can surely head over to the plugin dashboard to start the scan.

It might take several minutes depending on the size of your website. We highly recommended you wait until it completes the procedure.

In most cases, you can surely leave the tab and close the website as it is scanning the website from the server-side. If you are using the cPanel virus scanner, you can surely leave the tab.

Meanwhile, you can complete your other work. Not to mention, you can also start the scan now and then continue the rest of the article. It will surely save you time.

Removing the Virus

Once it is scanned, it will give you the complete list of infected files. You can simply remove those files from the scanner itself. There will be an option to fix the files. After clicking on it, it will fix all the files with the virus.

If you want to be super safe, you can surely replace the file. In this way, it won’t affect the website in the future too.

Please note that even if the virus is removed, it’s highly recommended to complete the reading of this article as there is still one thing that you will have to do.

Replace the Files

As mentioned above, you can surely replace the files.

Make a list of all the files that are infected by the malware or virus. Now, you can simply head over to that file.

Find the main source from which it was downloaded. For example, if it’s a plugin file, find the source of the plugin. Whether you installed the plugin from the official plugin directory or it was from other sources. You need to download the original file from the main source.

Once you download the source, find the same file that is infected. Delete the infected file from your server and upload the original file from the zip which you download.

The same goes for all the things whether it’s core files or theme files. You will easily find the original source.

Once you find the original source, you can download it and then reply with the same procedure.

You can also fix the file manually if the original source is not available for some reason.

Fix it Manually

To fix it manually, you will have to open the file and try to read it. There will be some encrypted code that you will find. Usually, the code is easily detectable. Once you find the code, you will have to remove it.

Don’t search for any pharma terms as we mentioned above. The Google Viagra hack won’t show the same keywords. It is usually done by the encrypted code only.

The encrypted code will have a huge bunch of letters and numbers which will make no sense. Remove the entire line and it will be gone.

If nothing works, you can surely rename the plugin directory and see if the website is back to normal or not. Further, you can do the same thing with the themes directory as well.

You can also scan your database and remove the entries from there.

Head over to PhpMyAdmin, open your WordPress database, and then open the wp-options table.

Search for the following term in it.






 rss_% (Delete all matches to rss_ expect, rss_excerpt_length, and rss_language)

Run the query and wait for a couple of seconds to see if the hack is gone or not.

You can also try to replace the core files as well. Download the core files from the official WordPress website. Extract the zip and remove the wp-content folder and wp-config file from it. Thereafter, you can upload the zip and replace all the files.

This works like a charm in most cases. So, doing this manual clean up will be a lot more useful for you even if the automated scanning has fixed the issue. This will ensure extra security.

Removing the Content

The content will also disappear by now. However, in some cases, the content will be still there.

If the content is still there, you can easily remove it by going to each page. If the content is still not removed, there will be two possible options.

One of them is because of the page’s content and the second is because the virus isn’t yet removed.

If it’s not yet removed, you can try scanning the website again.

However, if it’s because of the content, you will remove them manually. You can open your WordPress editor and remove them one by one.

Inform Google about the Changes

Remember what we said first? This hack is normally visible on Google and less to the people. Therefore, you will have to inform Google about the changes you just made.

Open the search console. If you don’t have an account there, you need to create one. It will allow you to do many things. Long things short, you can tell you how Google sees your website.

Once you open the console, you will have to inspect your URL from there. You can do this by entering your website URL on the given space at the top.

Thereafter, Google will tell you how the search engine will see your website. If you see it as a normal page, you can ask Google to reindex it. There will be an option right next to it. It will reindex the website.

In the same way, you can do this for all the infected URLs. Not to mention, you can also resubmit your website’s sitemap and reindex them all.

Even if you don’t this, Google will surely fetch your website. However, it will take time. So, it’s better to inform Google and make sure your website is running safely.

Further, there are some things that you will have to keep in mind when it comes to the search console. Sometimes, you will see an error that says “This website might have been compromised”. In such cases, you can open the error message on your search console and click on the reindex button.

In this way, the error message will also be gone.

Recheck the Website

Now, your last job is to make sure that there are no other URLs with the same terms.

You can do the following search term. Viagra

Pharma Hack

You can surely use all the terms that we mentioned above on by one. If you see no results, it means your website is safe.

In most cases, it will take some time to remove the results from Google. So, you will have to wait and there is no other option you can do.

You can then tell your visitors about the error and clear things out. This will make sure that the trust of visitors stays intact and you don’t lose your customers as well. Therefore, it’s better to tell the visitors about the pharma hack on your WordPress website.

Final Words

To conclude, this is how you can fix the WordPress pharma hack. Don’t forget to submit your website to the Google search console after you finish this. This is the most important part that you will have to do. This is the most important step that you will have to take. Most people ignore this which is the main reason it takes time to regain the original website in search results.

Further, you will also have to use a security plugin on your website. This will ensure that your website is fully secure and there is no problem. This will also secure your website from further attacks whether it’s a pharma hack or any other. Most importantly, there are many free plugins that you can use which pretty much does the work. So, if you have a small website, you don’t even have to pay anything. You can surely upgrade later.

How to Clean a Hacked WordPress Website using WPServices?

WPServices provides a risk-free WordPress malware removal service. 30 day money back guarantee, the most complete WordPress security plugin called iThemes Security Pro (worth $199 / year) + advanced security setup, and repeated hack protection for up to 1 year is included in the WordPress cleanup service. All of this has an industry best pricing – starting from / fixed website.

We value your time and thank you for reading our blog. So, we would like to show our appreciation by giving you an additional 10% discount on our malware removal service. Use coupon code WPAOSBLOG10 at the checkout.

How to get started?

Learn more

WordPress Maintenance

Save 33% with our Annual pricing plan.

Get Started

Coupon Code Applied!

Take your time and continue browsing our services.

Alexey Seryapin
Founder of WPServices