Rest assured, I have not started a pharmacy and am not promoting illegal drugs on my personal blog. Oh no, as I am a “No Drugs” type of person. I was the victim of the Pharma Hack. This virus changes your indexing on Google Search so when people search for your site instead of your blog entry title they get ads for pharmaceutical drugs. I was not happy about this. After many extensive changes in beefing up WordPress security, so far Google search has started to index me correctly. This might take a couple of months, so bear with me.
The Pharma Hack is very intelligent. Your content is not changed, and when you browse your own site you can detect no change. Search for your site on Google Search and your blog titles and short description will be changed to flogging pharmaceuticals. Search for these blog title changes and you will find none.
From what I have researched, this Pharma Hack is very common. Even spookier, no one knows how sites get infected. This makes prevention more difficult. Somehow some code is changed in one of your plugins and some extra PHP files are added to this plugin. When WordPress is loaded, this plugin is loaded along with this virus. Certain database changes are also changed.
I have checked with my host service provider. Their audit of my site shows no breaches of security and no unauthorized changes to my WordPress blog nor account.
This blog entry from Pearsonified helped me diagnose and immunize myself. Securi‘s tool did not detect the virus. DigWP recommended some really good plugins that hardens WordPress as well as reports file changes. The Ultimate Security Checker grades your site and recommends steps to increase your grade.
It is worth taking these remedial steps to harden your WordPress install. Having someone take destroy your hard work on Google Search really is disappointing. Google Search has already started to reindex my site, a big step in the right direction. A pox on all those that use the Pharma Hack on all unsuspecting and innocent WordPress authors.
Addendum Mar 14 2012: Found a cool tool to detect malicious or suspicious code.
Addendum Nov 28 2012: Taken from Pearsonified but a little easier for me to access:
-Click on the Search tab to search the wp_options table inside phpMyAdmin.
-Search the option_name field for the following rogue database entries:
wp_check_hash
class_generic_support
widget_generic_support
ftp_credentials
fwp
rss_% — Attention! In this case, you should delete all matches except rss_language, rss_use_excerpt, and rss_excerpt_length (these are legit WordPress database entries).
Hi, i think that i saw you visited my web site thus i came to “return the favor”.I’m trying to find things to improve my site!I suppose its ok to use a few of your ideas!!
Internet Safety