The “Pharma” attack, first spotted (as far as I’m aware) by Chris Pearson is a new type of hack that makes no obvious changes to your WordPress site. Its only when you seach your site in Google that you can see the damage – phrases advertising drugs have been randomly inserted throughout each page.

See What it Does
Try these Google searches to see some of the 200,000 affected sites then click cached to see how the hack inserts random code throughout the page:

• “we always have special offers in our pharmacy”
• “we always offer lowest prices on internet”

Removal
Removal of the code is tricky and involves both file and database editing. Chris Pearson has written a detailed removal guide which is not for the feint-hearted.

Cleaning-Up at Google etc.
So once your site is fixed how do you clean you search results that still show the pharmacy text links? Although you can request the removal of individual URLs and Google’s malware warning page there’s no way that I’m aware of to get whole site reindexed so you’ll just have to wait patiently according to Google. Yahoo! and Bing have similar policies.

Mystery
It has yet to be discovered how the code infects your server but no doubt someone will post the answer soon.

Update:

It seems that the hack goes back as far as March 1st 2010, it just wasn’t known as the Pharma hack then.

• Video showing the Pharma hack
• Another guide to fixing the hack

See also

Posted on Saturday, April 17th, 2010 in: WordPress.