Architecture is endlessly appealing to me. Houses, in particular, capture my imagination because they are so primal in their utility: They provide us with a safe place to sleep, eat, store food, and raise young’uns.

For the last 90 years in America, home architecture has been dominated by profiteering companies looking to churn out cheaper products for higher margins. Market demand and time constraints are generally at odds with innovation and creativity, and this is precisely why qualified architects are only responsible for a small fraction of American homes.

On one hand, this sucks because it means that most houses in America were conceived and built by people who truly don’t know a damn thing about the art of designing a home.

On the other hand, this extreme suckage has made it easier to spot the really good stuff—the houses designed by architects who had a purpose and thoughtful motive behind every last structural detail.

A cursory review of the architects and designers who shaped an emerging, twentieth century America will no doubt reveal classic names like Wright, Neutra, Eichler, Eames, Nelson, van der Rohe, and Saarinen. These artisans—real experts, you know?—are all associated with the most inspired period of design in American history: The mid-century modern era.

When I decided to buy a house in 2009, I went on an all-out mission to find the perfect mid-century modern (MCM) home in Austin. After an exhausting three-month search, I managed to score a classic MCM that does everything right:

• At first glance, the home appears to be oddly situated on the lot, but closer inspection reveals that it’s built on the same axis as the four cardinal directions!
• Extra-tall windows bring in natural light and also serve to unite the house with the surrounding land.
• The flat roof, extended easements, huge windows, and indoor/outdoor feel are all characteristic of my favorite branch of MCM architecture that can be traced back to Richard Neutra.
• Just look at the place—it’s sexy as hell

Finally, I’d like to shout out a huge thank-you to Nick Reese, whose badass camera setup and editing skillz made this video possible!

As an important player in the Web software space, WordPress wields a powerful influence in the marketplace. When you’re in a position of such importance, it is your responsibility to purvey accurate information and to refrain from projecting ideologies and agendas on a market that is likely to take anything you say at face value.

My work with Thesis has placed me in a similar position, and I understand how much you can affect the psyche of your customers/users with just a few choice words. It’s powerful; it’s amazing; but most of all, it’s humbling.

As far as I’m concerned, being a figurehead in the market doesn’t mean that you get to be rich, famous, adored, and influential; instead, it means that you always have to hold yourself to a higher standard than everyone else. In other words, you have to do a better, more responsible job because thousands—perhaps millions—of people are dependent upon the solutions that you claim to provide.

Wielding such an awesome responsibility means that there is no room for ideologies, agendas, or anything else.

Solutions are what matters. You can check the rest of that crap at the door.

A few weeks ago, I started receiving tweets and emails from people who claimed that search results for my site were looking more like a pharmacy than a helpful Web resource. Of course, upon hearing such blasphemy, I immediately opened a new browser tab, looked around to make sure no one was watching, and then started Googling myself…and if you think that is some NC-17 material, wait til you see what my search results looked like:

Figure 1. The three red arrows highlight <title> tags that were cloaked by the WordPress pharma hack. Helpful Web guy or reckless pill-slinger? You decide

What you don’t see in the picture above is a hacked <title> tag for my home page, but that’s only because I fixed it before realizing I was going to write an article about these shenanigans. Suffice it to say that, before I caught the hack, my site looked more like the best damn antidepressant resource than the best damn blog on the planet. Enough of that, though—let’s dig a little deeper into the WordPress pharma hack and see what it’s all about.

What Does the WordPress Pharma Hack Do?

There are three facets of the pharma hack that I find particularly interesting. First, the results of the hack are only visible to search engines, and if your site is hacked, the public-facing portion of it will remain visibly unaffected. In other words, you won’t be able to spot the hack just by viewing the HTML source. The goal of any hack like this is to gain valuable links from high-ranking pages, and these hackers have wisely chosen to disturb the water as little as possible while going about their dirty business.

Second, like other hacks, the pharma hack must place malicious files in your WordPress folders in order to work its evil. However, unlike other hacks that I’ve encountered, the pharma hack disguises a majority of its code and saves it in the WordPress database, thereby making it more difficult to find and eliminate.

The third remarkable aspect of the pharma hack was that it didn’t affect every page of my site. Further, it only targeted the pages of my site that receive the most search traffic. For example, in Figure 1 above, the three hacked titles correspond with the following posts:

• 2 Sure-fire Ways to Make Money Online
• Deal or No Deal: A Statistical Deal
• How Much Should a Web Design Cost?

Interestingly, these three pages contain the most potent and high-ranking keywords on my site. Also, back when I ran AdSense, two of those three pages were the highest earners on the entire site (as far as PPC is concerned, anyway¹).

With these key points in mind, let’s answer the original question here: What does this hack do?

The WordPress pharma hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spammy links into the page content. Interestingly, the modified title tag and spammy links are only visible to search engines.

How Does the WordPress Pharma Hack Work?

We know what the pharma hack does, but in order to eliminate it and to prevent attacks like this in the future, we need to know how it does what it does.

Basically, the hack consists of two parts—malicious files in the WordPress plugins folder coupled with encrypted code in the WordPress database. The files in the plugins folder contain code that runs the encrypted code stored in the database. Because of this, the pharma hack is dependent upon these rogue files in the plugins folder.

Typically, hack files contain easily-identifiable PHP functions like eval() and base64_decode(), and although the pharma hack is no exception, there’s one major difference. With the pharma hack, these functions are stored in the WordPress database as strings, and they’re encoded backwards! At runtime, a hack file in the plugins folder pulls these strings from the database, flips ‘em, and then runs ‘em as functions, and that’s how the deed gets done.

Oh, and remember how I said this hack only targeted my most potent and high-ranking pages? Cleverly, the hack pings Google Blog Search with queries like this one to see how many links a particular page has, and then it stores the results in the database. At runtime, the hack uses the number of links to determine which pages to target…

Sneaky bastards

How to Remove the WordPress Pharma Hack

Even if you don’t see any symptoms of the pharma hack (like cloaked title tags in search results), your site may still be hacked and therefore completely vulnerable. To know for sure, you’ll have to dig through the two places where the hack is known to romp—your WordPress plugins folder and your WordPress database.

Oh, and before we go any further, let’s get one thing straight—you are running the latest version of WordPress, aren’t you? Good, I knew you were the sensible type

Step 1: Remove Hack Files from Your Plugins Directory

Let’s start by examining the WordPress plugins folder for hack files. Using an FTP client, navigate to the /wp-content/plugins directory, and then locate your Akismet folder. I’ve recommended this particular folder as a starting point because I found malicious files stored here on three different sites; however, based on what I’ve learned about the pharma hack, these malicious files could be in the directory of any active plugin. Therefore, in order to do a thorough diagnosis, you should check any plugin that was active at the time your site was hacked.

Using your FTP client, make sure your viewing options are set to show hidden files, and then check to see if any of the following malicious files are located in your Akismet plugin folder:

1. .akismet.cache.php
2. .akismet.bak.php
3. .akismet.old.php
4. class-akismet.php
5. db-akismet.php

Ultimately, the important thing to note here is not the filenames themselves, but rather the patterns these names follow.

Items 1–3 are hidden files, and they all exhibit a characteristic naming structure with .cache, .bak, .old, or a similar pseudo-extension in the middle of the filename. Generally, you’ll find two out of three of these files together—one will look like this, and the other will look like this.

Items 4 and 5 share a naming convention, too—they are simply the plugin name (or a truncated version of the full plugin name) prefixed by either class- or db-. If you find a file that matches this convention, its contents should look like this.

Now, when you check other folders, you’ll know what naming patterns to look for when attempting to spot hack files, you sleuth you!

Here’s what one of my infected Akismet folders looked like; note that an uninfected Akismet folder only contains three files (akismet.gif, akismet.php, and readme.txt) and no hidden files:

Figure 2. Two hidden files inside the Akismet plugin folder that were planted by the WordPress pharma hack.

If you find infected files, delete them! Doing this will effectively end the pharma hack symptoms and restore your search results, but it’s important to note that your site will still be vulnerable at this point. In order to completely remove all traces of the hack and restore the integrity of your site, you’ll need to dig into your WordPress database to remove some lingering offensive code.

Step 2: Remove Malicious Code from Your WordPress Database

Because this step involves database interaction, it’s crucial that you pay close attention to the instructions outlined here. Also, it’s always a good idea to make a database backup before manually editing anything, so don’t say I didn’t warn ya!

To begin, you’ll need to access phpMyAdmin, which is a program on your server that allows you to view the databases associated with your hosting account. If you’ve never heard of phpMyAdmin and don’t know how to access it, don’t worry—simply contact your Web host, and they’ll be able to help you out here².

Figure 3. Select the wp_options table in your WordPress database.

Once you’re inside phpMyAdmin, select your active WordPress database from the left side of the page. If you’ve selected the correct database, you’ll notice a new set of links on the left—a collection of tables that look like those shown in Figure 3. From here, click on the wp_options table, and this will allow you to browse the table contents.

Your goal here is simple—you need to delete database entries that contain malicious code. Fortunately, finding the entries you need to delete is a simple job if you use the phpMyAdmin search function, which you can access by clicking the Search tab at the top of the page, as shown in Figure 4:

Figure 4. Click on the Search tab to search the wp_options table inside phpMyAdmin.

On the search screen, you’re going to need to search the option_name field (see Figure 5 below) for the following rogue database entries:

• wp_check_hash
• class_generic_support
• widget_generic_support
• ftp_credentials
• fwp
• rss_% — Attention! In this case, you should delete all matches except rss_language, rss_use_excerpt, and rss_excerpt_length (these are legit WordPress database entries).

Figure 5. Search the option_name field for malicious database entries from the list above. If you find any of these entries, delete them!

What Next? (And Some Helpful Prevention Tips!)

Now that you’ve successfully removed the WordPress pharma hack, you’re probably wondering what you can do to prevent stuff like this from happening in the future. On that note, I’ve got some good news, and I’ve got some bad news. First up, the bad news…

At this time, there is still one huge unanswered question about the WordPress pharma hack: How in the hell did the hackers manage to get into your server in the first place? I’ve received reports of the pharma hack on a variety of different Web hosts and server configurations, so it’s clear that the main vulnerability extends beyond a single host/server platform. So far, the only common denominator between the sites I’ve examined is that they’re all running WordPress, but even this fact doesn’t mean that WordPress itself is the problem.

Alright, with the bad news out of the way, it’s time for the good news: You can prevent hacks like this in the future. Rather than rehash the information here, I’m going to point you to a fantastic resource on WordPress security tips. From the perspective of someone whose site just got dropped from Google’s index because of the pharma hack (that’s me), you would be wise to follow these simple security suggestions

I like to solve problems. At this point in my life, I’m focused on solving the fundamental problems of Web design and development through my business, DIYthemes, and my software, Thesis.

One of the most compelling things I’ve learned in the past year, however, is that it’s not good enough to crank out “sufficient” solutions to problems. Truly sustainable answers require a style of thinking that involves patience, perspective, skill, testing, and unbiased criticism. Additionally, it’s crucial to realize that the best solutions we can generate should be reflective of our own human nature—in other words, we must strive to make them as adaptable as we are.

Through my work on Thesis, I’ve begun to see all sorts of new connections that reveal the direction the Web is heading, and I know that I can use these insights to figure out better solutions to the problems I’m already tackling.

Recently, I sat down with Nick Reese from Art of Blog to talk about some of these insights and to share my thoughts heading into 2010. You can check out the original interview on Nick’s site, or you can click here to watch the video in HD on Pearsonified

Thesis is my software project, and if you haven’t seen it yet, I’d love to show you what it can do! The latest version has been met with tons of enthusiasm, and people have been saying some really awesome things about it. Check out this video I made, and I think you’ll understand why

Head over to DIYthemes for more on Thesis!

Somehow, society has been perverted to the point that we think crap can be turned to gold, so long as it makes money. Worse, the venture capital and corporate acquisition culture has brainwashed us all into thinking that in the end, the payoff justifies the means.

That’s all bullshit, people. There are no substitutes for efficiency and sustainability, and nature proves this time and time again. For some reason, humanity continually repeats its mistakes of the past by going against the rules of nature, but in the end, these rules always prevail.

Better to know the truth and to act on it than to be misguided by the prevailing trends of the current age, don’t you think?

Left untouched, nature operates in a maximally efficient state. This means that in the long run, nature is always going to favor the most efficient path. In other words, efficiency wins.

Everything you do can (and should!) be viewed as an extension of nature. Whether you’re hacking your way around a golf course, running a business, or trying to figure out who to follow on Twitter, you’ll get the best results if you always strive to operate efficiently.

You see, nature has done us an incredible favor by literally showing us the blueprint for success. You want to win? Be efficient. You want to survive? Be efficient. You want to grow? Be efficient. It can be said, then, that efficiency is actually a universal tie that binds everything we do. In fact, I’d go so far as to say that checking on your efficiency is the universal equivalent of checking your pulse.

Want to know how you’re doing? Check your efficiency.

Let’s look at a real world example:

So what does your Authority Index say about you?

Naturally, it says how efficient you are!

At the 2009 SXSW, I did a quick little interview with my buddy Loren Feldman of 1938media. Despite the fact that I was massively hungover (note the sexy, drooping eyelids), I still managed to make a few good points about Thesis, the philosophy behind solid WordPress themes, and “social media,” which is the hottest, most unnecessary buzz phrase of the moment.

After spending nine months in Hollywood, I’ve learned that pretty much all of the fame-seeking prima donnas out here need a clue. Fortunately, that’s where I come in. Enjoy, and Max—earmuffs!¹

Want more Pearsonified? Follow me on Twitter!

Update: The Thesis Black Friday Sale has ended, and although it caused quite a frenzy, I have left this experience with a newfound distaste for sales. The last thing I want to do is mess with the psyche of potential customers, and sales have the ugly side effect of conditioning buyers into thinking that what you offer can always be had for less.

We’re having a Black Friday Sale over at DIYthemes, and from now until supplies run out, you can get Thesis at an unprecedented 20% discount. To cash in, simply enter the following coupon code when you purchase or upgrade:

edit: code removed because the sale has ended

When I say “until supplies run out,” I’m being completely serious. People who are great at promoting Thesis and explaining its benefits have already pimped this sale, and as I write this, there are literally only 94 out of 150 coupons remaining.

If you’ve been indecisive about getting Thesis and checking it out, right now is the absolute cheapest you’ll ever be able to get the theme.