If your WordPress site is suddenly full of external links that redirect you to sites with fake branded products or illegal medication, or your ‘index.php’ file has some suspicious modifications in it, then it’s possible that you’ve been affected by a WordPress pharma hack. These kinds of infections are infamous for their regenerating capability and intensity of damage, usually redirecting users coming from search engine results to pharma spam pages.
Often, these WordPress sites are left with lost SEO rankings, eventually getting blacklisted by Google with a ‘This site may be hacked’ warning screen that drives site visitors away.
WordPress Pharma hack – Real cases
In one WordPress pharma hack incident, the user reported seeing JavaScript at the beginning and the end of the website, with French text in the middle that referred to illegal medications like Viagra. Each time the user logged in, the core files and folders would change, causing concern about irreparable damage.
Users also reported that a mere search through the files didn’t bring out any malicious content, but they identified the presence of certain altered database tables in wp_post. Even though a security plugin was running at the time and detected an SEO spam hack in the caching files from WP_Total_Cache, it was not able to protect the system against the change in files. The ‘.htaccess’ file was also affected, with several external redirects to so-called ‘harmless’ websites within the French text.
Security experts suggested that the hack happened despite the presence of a security plugin probably because of the nature of the attack, issues within the system itself, or vulnerabilities on the site that were beyond the plugin’s capacity. There are a few possible explanations for the hack occurring despite the security measures taken: other sites hosted on the same server could have been infected by the same issue, the site could have had severe vulnerabilities, or the ‘wp-config.php’ file could have been easily accessible to hackers, directly through your account or indirectly through vulnerable plugins or other hacked sites.
The database could also have been accessible through another user’s account due to a lack of adequate separation between the two. All of these loopholes provided the hacker with the opportunity to gain root access and manipulate the site according to their requirements. Eventually, some of the affected site owners had to pay for extra backup, obtain a clean version of their site, and restore the entire thing.
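The ‘.htaccess’ redirects reported in this incident can be checked for mechanically. The following is an added example, not code from the original article: it lists every redirect in an ‘.htaccess’ file that points to a host you do not own and notes whether it only fires for certain referrers. The sample file and all hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the stock WordPress rewrite block followed by two
# extra redirect rules. All hostnames are placeholders.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://pills.example.net/$1 [R=302,L]
Redirect 301 /shop https://store.example.org/
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
REDIRECTORS = ("rewriterule", "redirect", "redirectmatch",
               "redirectpermanent", "redirecttemp")

def find_external_redirects(text, own_hosts):
    """Return (line_no, host, referer_conditioned) for each redirect
    whose target host is not in own_hosts."""
    findings = []
    referer_cond = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0].lower()
        if word == "rewritecond":
            # Conditions stack up until the next RewriteRule consumes them.
            referer_cond = referer_cond or "http_referer" in line.lower()
            continue
        if word in REDIRECTORS:
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in own_hosts:
                    findings.append((no, host, referer_cond and word == "rewriterule"))
        referer_cond = False
    return findings

if __name__ == "__main__":
    for finding in find_external_redirects(SAMPLE_HTACCESS, {"store.example.org"}):
        print(finding)
```

A redirect that is conditioned on the referrer is worth the closest look, because it is invisible to an owner who types the site address directly.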
Removing the Pharma hack
If you choose to clean up the hack manually, the first step, as always, is to secure a backup for restoration purposes.
- Remove files from the plugin directory
Log in to your web hosting control panel (cPanel) and open the ‘File Manager’. Under this, you’ll find the folder ‘public_html’, which contains the three main folders of your WordPress site: ‘wp-admin’, ‘wp-content’, and ‘wp-includes’.
‘wp-content’ holds a series of internal files, including those of the plugins installed on the WordPress site. Here, we’ll check for outdated plugins because these are commonly the sources of infections. Check the default files of each plugin, including the hidden ones, for anything suspicious. Delete files that seem problematic or that go beyond the default ones.
- Checking database entries
Under cPanel, there’s ‘phpMyAdmin’ which has the ‘wp_options’ table. There, certain database entries need to be deleted using the code given.
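For the plugin directory check above, comparing each installed plugin against a freshly downloaded copy of the same version is more reliable than inspecting files by eye. The following is an added example, not code from the original article: it reports files that are extra, hidden, modified or missing relative to the clean copy. The function names and the two directory arguments are assumptions of this example.

```python
import hashlib
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def manifest(root):
    """Map each file's path relative to root (POSIX form) to its SHA-256.
    rglob("*") also returns dotfiles, so hidden files are included."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_plugin(clean_dir, live_dir):
    """Compare a live plugin folder with a clean copy of the same version."""
    clean, live = manifest(clean_dir), manifest(live_dir)
    extra = sorted(set(live) - set(clean))
    return {
        # Files the plugin does not ship: candidates for removal.
        "extra": extra,
        # Extra files hidden by a leading dot in any path component.
        "hidden": [f for f in extra
                   if any(part.startswith(".") for part in f.split("/"))],
        # Shipped files whose content differs from the clean copy.
        "modified": sorted(f for f in clean.keys() & live.keys()
                           if clean[f] != live[f]),
        # Shipped files that are absent from the live site.
        "missing": sorted(set(clean) - set(live)),
    }

if __name__ == "__main__":
    import sys
    # Usage: python compare_plugin.py <clean_plugin_dir> <live_plugin_dir>
    for kind, files in compare_plugin(sys.argv[1], sys.argv[2]).items():
        for name in files:
            print(f"{kind}\t{name}")
```

Run it against a copy of the site taken from the backup, and replace modified files with the clean versions rather than editing them in place.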
After Clean-up
Just because it has happened once doesn’t mean it won’t occur again. Therefore, it is the site owner’s responsibility to identify the loopholes that caused the hack and to permanently deal with these and other possible vulnerabilities that can cause such hacks in the future.
Here are a few steps that can be taken to implement this:
- Never forget your updates
Your security strategy’s foundation is the regularity of updating the WordPress platform, plugins and extensions. The latest versions contain security patches released by developers and security experts as soon as they identify issues that can be exploited by hackers. The bad news is that those who don’t update become easy targets for hackers.
- Install a web application firewall (WAF)
This ensures your network security, regulates your website traffic and monitors all aspects for the protection of the site, server, files, and individual computers. Acting as a barrier to entry, it regulates what comes in to make sure it doesn’t compromise your security.
- Change login credentials
All username and password combinations that you’ve used throughout the WordPress platform need to be changed after a pharma hack situation – FTP, SFTP, wp-admin, etc. There’s always a possibility of reinfection. Also ensure that these credentials fit the norms for security of the site.
A pharma hack, or any other hacking attempt, can always be a crucial point of revamping as it can determine whether your site will completely fall to hackers or stay strong and renew its security barriers to prevent such incidents from happening. Security experts like Astra Security are always at your beck and call to make sure the latter happens!