
How to Overcome WordPress Pharma Hack


WordPress comes in two forms, WP Blog Builder and WP Self Hosting, which differ in many ways, from features to security. Self-hosted WordPress is much easier for attackers to break into, because plugins and themes can have open loopholes. Many factors can lead to a WordPress site being hacked. The attacker may abuse the server by hiding a backdoor so that they can get back in, or go even further than that. Of course, nobody who owns a website wants other people to get in, and you will recognise the symptoms once it happens.

Most WordPress compromises are caused by plugins and themes. WordPress itself offers its users enough security that nothing should go wrong. The most common examples are SQL injection, file upload (bypass) and download of the WP configuration file (bypass). XSS is also very common. This can sometimes lead to the site's server experiencing excessive data transfer (the DDoS technique). From this it follows that once someone has got onto the server, they will be able to manage the contents of the files and of the database. And after a while, that person may use a newer method called "Pharma hack".

With the WordPress Pharma Hack it is hard to tell whether a person or a robot is behind it, as it produces casino, blackjack and other strange pages. In my opinion, it can be done by both robots and humans. It is also not easy to clean up: it takes several steps and involves the database as well as plugins and themes. It is, however, easy to find out whether a website has been affected by the Pharma Hack, since this can be done with a Google dork. Here are the steps to take if your website has been hit by the Pharma method.

STEP 1
First, find the affected pages by searching Google with this dork: site:yoursite.com (replace yoursite.com with the site hit by the pharma hack). Google will then display URLs such as "site.com/?p=casino-online" or "site.com/play-blackjack-online/" and the like. Click on such a page and see what it shows. If it contains posts (articles), compare it with your own site and check whether anything differs. The difference can be in the text of recent articles, in comments or in links to the archive / category. If it differs, it has something to do with the plugin cache. If the page you opened from Google looks like an iframe / an embed from another website, it has nothing to do with the plugin cache. To resolve the cache issue, read step 2.

STEP 2
To deal with the plugin cache, go to where the plugin you use stores its cached pages. For the W3 Total Cache plug-in, for example, go to the directory "/public_html/wp-content/cache/page_enhanced/yoursite.com/". In that directory there will be a folder called casino-online and the like. Delete them all, and don't worry: these are only cache files, and you can rebuild the cache from the admin menu page by emptying or clearing the cache via the dashboard. Now look at the page again; it is definitely still there, as an iframe or an embed from another site. That part has to do with the database. To fix it, see step 3.

STEP 3
Now open phpMyAdmin via cPanel, open the table wp_options and look for the row whose option_name field is client_data_run. If it exists, delete it by running the code below.

DELETE FROM `wp_options` WHERE `option_name` = 'client_data_run';

You are not done yet: also delete the row with option_name 1, because it contains code in the form of base64 combined with rot13. To remove it, run the code below.

DELETE FROM `wp_options` WHERE `option_name` = '1';

STEP 4
This is the final step, where you need to look for fake (pseudo) PNG files located near the functions.php file of the theme you use. Most of the files found are named social.PNG; check the files one after the other and look inside them. If you find such files, delete them immediately.
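A read-only triage for steps 2 and 4, added here as an example (it is not code from the original post): it flags *.png files in a theme folder that lack the PNG signature or contain PHP-style markers, and lists cache folders whose names contain the spam words quoted in step 1. The marker list, the function names and the demo tree are assumptions constructed for illustration.

```python
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte signature every real PNG starts with
CODE_MARKERS = (b"<?php", b"eval(", b"base64_decode", b"str_rot13")  # assumed list
SPAM_WORDS = ("casino", "blackjack")   # slugs quoted in step 1 of this article

def inspect_png(path, max_bytes=1_000_000):
    """Return the reasons a *.png file looks fake (empty list = looks fine)."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    reasons = [] if data.startswith(PNG_MAGIC) else ["missing PNG signature"]
    lowered = data.lower()
    reasons += ["contains " + m.decode() for m in CODE_MARKERS if m in lowered]
    return reasons

def scan_theme(theme_dir):
    """Step 4: map each suspicious *.png under theme_dir to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if name.lower().endswith(".png"):
                path = os.path.join(root, name)
                reasons = inspect_png(path)
                if reasons:
                    findings[os.path.relpath(path, theme_dir)] = reasons
    return findings

def spam_cache_dirs(cache_dir):
    """Step 2: list cached page folders whose name contains a spam word."""
    return sorted(
        entry.name for entry in os.scandir(cache_dir)
        if entry.is_dir() and any(w in entry.name.lower() for w in SPAM_WORDS)
    )

def demo():
    """Run both checks on a constructed tree (no real site data involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        theme, cache = os.path.join(tmp, "theme"), os.path.join(tmp, "cache")
        for d in (theme, os.path.join(cache, "casino-online"),
                  os.path.join(cache, "about-us")):
            os.makedirs(d)
        with open(os.path.join(theme, "logo.png"), "wb") as fh:
            fh.write(PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17)
        with open(os.path.join(theme, "social.PNG"), "wb") as fh:
            fh.write(b"<?php /* constructed placeholder, no payload */ ?>")
        return scan_theme(theme), spam_cache_dirs(cache)

if __name__ == "__main__":
    print(demo())
```

Point scan_theme at the active theme folder and spam_cache_dirs at the cache directory from step 2; both only read, so the deletions stay a manual decision.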

Please carry out the four steps above carefully. Even a single leftover PNG file can cause trouble for your website later on, as the code in that file is what gets written to the database, into the wp_options row with option_name "1". The iframe or embedded site comes from the value of the wp_options row with option_name "client_data_run", which holds the HTML code for the appearance of the manipulated page. If you have not disabled error_log, take a look at the error_log file and you will see suspicious database activity inserting a lot of encoded code. Address this quickly, as the pages affected by this method also show up in the SERPs. I suggest doing it quickly because I saw it myself on my other WP blog, because the server I am using had been hacked by someone else. If you have any questions about any of the above, please comment.

Hopefully this is useful, and good luck.