Comments on: How to Diagnose and Remove the WordPress Pharma Hack

By: sunny

sunny — Mon, 15 Feb 2016 09:54:02 +0000

Great tutorial. pharma hack files can identify PHP functions.

By: Damian

Damian — Sat, 03 Oct 2015 18:42:35 +0000

Is this still doing the rounds ?

By: Ivan Sindell

Ivan Sindell — Sun, 27 Sep 2015 18:06:36 +0000

pharma hack. Wordfence free version spotted five files with bad code- and showed the code, and securi noted the same files were changed.

the files are in the wp-includes directory
However, nothing about the database.

The files cannot be removed without bringing down the site.

By: Shaun

Shaun — Sat, 22 Aug 2015 17:05:06 +0000

So, with the hack affecting Google results, how do you know if you’ve actually fixed it? Surely only time will tell once Google crawls your site again?

By: Sarah

Sarah — Tue, 04 Aug 2015 21:45:06 +0000

You are a lifesaver. I have literally JUST found out that my work’s blog (which is in the public sector, yikes) was infected with the Pharma hack.

I’ll be following the steps in your post to hopefully fix the problem, crossing my fingers!

By: Christiane LagacÃ©

Christiane LagacÃ© — Fri, 26 Jun 2015 16:26:27 +0000

Thanks for this. Though I didn't face exactly the same problem, your article helped me to find the malicious file in my website. Here is how I solved my problem. Thanks again!

By: Got me too

Got me too — Sun, 31 May 2015 06:51:57 +0000

I had a client hit by this too. Thought I found everything and site scanned clean, a little later it was back by a backdoor that was missed.

A few things I noticed on google searches, disabling the .htaccess file stopped the redirect.

After I deleted the site, new results on google searches would call up with sitename.com/somenumber-html for the pharmacy, of course since it is currently deleted they do not redirect.

Is there any way to stop these google search results with the site domain name ?

By: mopsyd

mopsyd — Thu, 28 May 2015 00:01:53 +0000

I’ve found a very easy way to track down web infections if you use git. You will need a pre-existing commit of the clean site in order to do this though. If you get hacked and do have a git repo for that site, just commit again and check the diff between the two, which will reveal all lines changed in all files, as well as any new files added since your previous one. Be careful not to remove anything that was legitimately updated (like plugin or theme files).

This will not isolate the database issues, however, unless you have a ton of plugins and settings, you can export the wordpress.xml export from the tools menu, rebuild your database completely and reimport it and it will clear any bad records completely in the process. You may lose a few settings from poorly built plugins that do not store database records in the process, so two ways around this are:

A) Create a duplicate database, rebuild the first one, and toggle between the two by editing the wp-config.php file (this way you have an immediate backup to go back to if you bork it without downtime, and without having to work against the live database)

B) Move your entire site to a staging server (localhost or a subdomain), clean it, and then push the clean version back to your live installation.

That’s how I generally go about removing these. There are a lot of variants, and missing something generally leads to reinfection, so I typically just rebuild from clean downloads whenever possible.

By: Michael Decker

Michael Decker — Wed, 25 Mar 2015 03:11:56 +0000

Hey found oldie but a goodie :). I ended up going in phpMyAdmin and deleted the database entries that contained malicious code.

Thanks a bunch will definitely will start following!

By: Mike

Mike — Mon, 19 Jan 2015 19:10:52 +0000

My findings:

I did have a number of entries returned with the rss_% search, but none seemed to be the offending ones. I deleted them anyway.

I did not have any malicious files in Akismet.

The first line of my active theme’s functions.php did contain the bad stuff and it was backwards (you’ll see edoced at the end of a giant string of garbage characters all on a single line). Deleted and all good. Be careful to not delete your opening php declaration as it’ll appear connected to this.