Hacks catch WordPress site owners by surprise since they are carried out discreetly to exploit websites’ resources. The Pharma hack makes use of your website’s search rankings. Do you know how to get rid of it?

Over the past couple of weeks, we’ve been covering some of the ill-effects of being hacked, and how to recognise a hack. In that progression, one of the most discreet ways hackers use your site, is via Black Hat SEO techniques.  Black HAT SEO hacks make use of the legitimate links and content on your site, so cleaning them up requires expertise, and time.

What is Black Hat SEO?

In short, Black Hat SEO (also known as ‘spamdexing’) is an exploit of a vulnerability on your website where attackers target your highest-ranking pages. Hackers perform this bad SEO practice so their websites gain easy traction from your website’s search engine ranking.

Attackers first identify the high-ranking pages on your website. They then insert their links into those pages, and hence hijack these rankings to affect their websites. The malicious content isn’t seen on the front-end of the affected websites, but is visible to search engines.

However, in the long run, this poisons your site’s ranking.

Not only does your website rank lower… since these methods go against search engine guidelines, there is a high possibility of your website getting blacklisted too. This doesn’t matter to the hackers because they’re looking for a quick way to boost their website ranking instead of putting in the hard work for it. Once your website has been blacklisted, they’ll perform the same SEO hack on another website to maintain their ranking.

One of the most well-known ways Black Hat SEO affects WordPress sites, is via an exploit called the Pharma Hack.

What is the WordPress Pharma Hack?

The WordPress Pharma hack is an exploit of a website’s vulnerabilities to display pharmaceutical products along with the actual site’s pages or products on the search page. Since this is an exploit that uses Black Hat SEO, these pharmaceutical products don’t display on or affect the actual pages of the website. Instead, the website ranks lower on search engines’ results.

Why does it take so long to detect?

When we say that the spam links and content isn’t visible to users, we mean that it only shows up when someone looks for the site on Google. The description beneath the link to the website will show something related to the pharmaceutical products from the hacker’s site.

Even if you (the admin) of the site look through the HTML source code, you won’t find the spam links or content.

This is because the malicious content is disguised and placed in your WordPress blog’s plugin folders, and in your database.

Since the exploit only affects the highest ranking pages and not all the pages on the site, it becomes more difficult to find.

How does it work?

Most of the time, hack files (malicious code) is encoded, or named to look like legitimate WordPress files. For example, if the Akismet plugin has hack files, they could be named “akismet.cache.php” instead of “akismet.gif”, “akismet.php” or “readme.txt” (which are the only three files that an uninfected Akismet folder has). Similarly, any file outside of the default files available with your original WordPress plugin install should be looked at closely, since they could be hack files.

With the WordPress Pharma hack though, the hack files are encoded (sometimes backwards), and are injected into the plugins folder.

The malicious code pings Google with requests for the list of highest ranking pages on your website. It then stores this information in its database, and targets them when it runs.

How to clean up the WordPress Pharma Hack

1. Go through your plugins folder using your FTP client.
2. Make sure your viewing options are set to show hidden files.
3. Check directories of every active plugin on your website.
4. Look for files that have encoded names.
5. Once you find the hack files, it is important that you delete them. This will get rid of the symptoms of the hack. However, you will have to remove the malicious files in your database too in order to get rid of the hack from the root.
6. Before you tamper with any database file, it is recommended that you backup your WordPress site so that any change you make to your site isn’t permanent. This way, even if you make a fatal mistake, you can rollback changes and go back to a working version of your site.
7. Deleting the rogue functions in your WordPress database will need some technical expertise: you will have to access phpMyAdmin, and delete the database entries that contain malicious code. If this step is not done, the consequences of the hack will still prevail.
   The easier option to manually looking for and deleting presumed hack files, would obviously be to use an intelligent hack scanner and cleaner that doesn’t raise false alarms, and yet doesn’t miss malicious code.

Black Hat SEO hacks, and other SEO spam is difficult to remove from your site. What’s worse is that if you get blacklisted by search engines like Google for it, requesting for a review, and getting reviewed for this kind of exploit takes the longest time to process, out of all the types of hack review requests. This is why time is of the essence in attacks like the WordPress Pharma Hack.
Efficient hack scanning and cleaning systems that require technical assistance, take up to 12 hours to clean up malicious code, but the question is whether you can afford that time. This is why it’s important to use an efficient, automated malware scanner and hack cleaner.