What is a 'pharma hack'?

A pharma hack is an SEO-spam injection that uses your compromised WordPress site to rank pharmacy-related keywords — Viagra, Cialis, Levitra, Oxycodone, generic erectile-dysfunction drugs. The attacker exploits your domain's existing authority to push their drugstore pages in Google. The site owner usually finds out when search results for their domain start returning pharmacy listings.

Why does the spam only show on Google and not on my site?

The injection cloaks. A loader on the server checks the User-Agent and HTTP referrer. Googlebot sees the spam pages. Regular visitors see your normal site. That's why pharma hacks often go unnoticed for weeks — you only see them once Google emails a security warning or rankings collapse.

Will Google forgive my site after the pharma hack is removed?

Yes, once the spam is gone. I submit a reconsideration request to Google Safe Browsing as part of every cleanup and request indexation through Search Console. The bad URLs go to 404 and drop out of the index over the next crawl cycles. Most sites recover within a few weeks.

How does a pharma hack get in?

Almost always a vulnerable plugin or a leaked admin credential. WordPress core itself is rarely the entry point. Every cleanup identifies which it was and closes the hole — without that step, the same site gets re-infected through the same door within weeks.

Pharma hack · WordPress · cleaned

Pharma hack removal.

Manual removal of the pharma-hack injection. File, database, and sitemap cleanup. Entry vector identified. Google Safe Browsing reconsideration submitted. Flat $279.

Start a cleanup How the pharma hack works

Mechanism

Cloaked SEO spam, sitting in your files and your database.

The pharma hack is a long-running SEO-spam campaign. The attacker drops a PHP loader on the server and inserts spam content in the wp_posts and wp_options tables. The loader checks who is requesting each page and serves drugstore content only to Googlebot.

Two consequences: your domain's authority is hijacked to rank pharmacy keywords, and your own pages start ranking lower because the spam pages get crawled more often than yours.

// wp_options — autoloaded pharma payload

01 SELECT option_name, LENGTH(option_value) AS sz
02 FROM wp_options
03 WHERE autoload = 'yes'
04 ORDER BY sz DESC LIMIT 20;
05
06 // Unusually large autoloaded rows you don't recognise = inspect.
07 // Pharma payloads often live there, encoded.

What I remove

Every place the pharma hack hides.

File loader
Obfuscated PHP loader, removed by reading the file diff against a clean WordPress install.
wp_posts
Spam posts and drafts injected into the database — purged. Legitimate content untouched.
wp_options
Autoloaded payloads removed. Theme footer injections and feedwordpress-style spam options reviewed and cleaned.
Sitemap
Synthetic pharma URLs purged from sitemap.xml. Clean sitemap regenerated and resubmitted to Search Console.
Reconsideration
Google Safe Browsing reconsideration submitted. Search Console indexation requested for affected URLs.
Vector closed
I identify the plugin or credential that let the attacker in and close that door before signing off.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.