Pharma hack: remove the pharmacy spam

Viagra, Cialis, and online pharmacies indexed under your name in Google, but nowhere in your admin? That's the pharma hack. Here's where it hides and how to remove it.

By WP-Detox 7 min read

You search for your site in Google and you land on titles like “Buy Viagra Online,” “Cialis without prescription,” or the names of online pharmacies, all shown under your domain. In your WordPress dashboard, there’s nothing: none of those pages exist. This is the pharma hack, an SEO spam injection that hijacks your search ranking to sell medication. The reason you don’t see anything on the admin side is no accident: the content is served to Google first, not to you.

what the pharma hack is

The pharma hack belongs to the same family as casino spam: an SEO spam injection. An attacker uses your domain’s authority to push pages up in Google that they couldn’t get ranked anywhere else. The difference is the payload. Here it’s pharmacy keywords: Viagra, Cialis, Levitra, generics, weight-loss pills, no-prescription pharmacies. The infection engine is the same, only the pushed content changes.

If you’re finding casino, sports betting, or slots titles instead, you’re looking at the same attack with a different payload. The diagnosis and cleanup follow the same logic, but the keywords to search for differ: see the casino and betting variant of the same hack.

The attacker’s goal is purely commercial. Selling medication online without a prescription is illegal, so it can’t be ranked normally. Your site, on the other hand, already has a reputation with Google. The hacker borrows it. As long as their pills stay indexed under your name, they make money, and they have every reason to reinject the spam the moment you wipe it.

why it’s invisible in your admin

That’s the trap of the pharma hack: your site looks normal when you visit it, but Google sees a pharmacy site. The injected code performs cloaking, meaning it serves different content depending on who requests the page.

In practice, the malicious code looks at the visitor’s User-Agent and IP address. If the request comes from Googlebot, it returns a page stuffed with pharmacy keywords. If it comes from you, a logged-in administrator, or a regular visitor, it returns your real page. The spam exists all the time, but it only shows up for indexing bots.

The injection is often conditional and touches only certain elements:

  • the <title> tags and meta description, rewritten for Googlebot with pharmacy terms;
  • hidden link blocks added at the bottom of the page, sometimes with display:none or pushed off-screen;
  • entire pages generated on the fly from booby-trapped URLs, which exist nowhere in your interface.

The result: your back office looks clean, your homepage looks clean when you view it, and yet Google indexes hundreds of pages of pills. Trusting what WordPress shows you gives a false sense of safety.

where the code hides

The pharma hack lodges itself in several places at once, and that’s what makes it stubborn. Common spots:

  • The wp_options table. Serialized options containing code or lists of pharmacy keywords, sometimes under harmless-looking names. It’s a classic hiding place because few people go digging through this table.
  • The active theme’s header.php or footer.php. A few lines of PHP inserted right at the top or bottom of the file, injecting the spam into every page served to Googlebot.
  • The .htaccess. Rewrite rules that redirect bots to the pharmacy content or that trigger the injection based on the User-Agent.
  • Core files. On deeper infections, code is added to wp-load.php, index.php, wp-blog-header.php, or files in wp-includes/. This is the worst case because it survives a simple theme cleanup.
  • Database entries. Fake posts or pages in wp_posts, with a manipulated status or author so they don’t show up in the standard list.

As long as a single one of these points stays in place, the spam regenerates. The visible code is only the tip of the iceberg: there’s almost always a backdoor that lets the attacker rewrite everything remotely.

how to detect it

Since the admin lies, measure from the outside, in Google’s place.

  • site: search. Type site:yourdomain.com viagra or site:yourdomain.com cialis into Google. If results come up, the infection is confirmed and you can see its scale. Try pharmacy, pills, prescription too.
  • The Search Console URL Inspection tool. Paste a suspect URL into the inspection tool, then view the version crawled by Google (“rendered HTML”). There you’ll see the content actually served to Googlebot, cloaking included, where your browser would show nothing.
  • Simulate Googlebot. With a browser extension that changes the User-Agent (or the developer tools, Network tab, “User-Agent” condition set to Googlebot), reload a page and compare the source. If the <title> or the bottom of the page fills up with pharmacy terms when you pretend to be Google, the cloaking is exposed.
# Quick command-line test
curl -A "Googlebot" https://yourdomain.com/ | grep -iE "viagra|cialis|pharmacy|pills"

If this command returns pharmacy keywords when a normal visit shows none, you have proof of the cloaking.

  • Search Console reports. The Indexing report shows an abnormal spike in indexed pages. The Security & Manual Actions section often flags “Hacked content” or “Deceptive pages.”
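The same comparison the curl test makes, carried out offline as an added example (not code from the original page or from WP-Detox): it takes the page a normal browser received and the page Googlebot received, and reports pharmacy terms and hidden link blocks that exist only in the bot's copy. The two sample pages are constructed; fetch_both() is a hypothetical helper for pulling both versions of a real URL.

```python
import re
import urllib.request

# Keyword list built from the terms the page names; extend it for your case.
PHARMA_TERMS = ("viagra", "cialis", "levitra", "pharmacy", "pills", "prescription")
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
# Blocks hidden with display:none or pushed far off-screen, as described above.
HIDDEN_RE = re.compile(
    r"<(?:div|span|p)\b[^>]*style=[\"'][^\"']*(?:display\s*:\s*none|left\s*:\s*-\d{3,}px)"
    r"[^\"']*[\"'][^>]*>(.*?)</(?:div|span|p)>", re.I | re.S)

def pharma_hits(html):
    """Set of pharmacy terms present anywhere in the HTML (tags included)."""
    low = html.lower()
    return {t for t in PHARMA_TERMS if t in low}

def hidden_link_blocks(html):
    """Hidden blocks that contain at least one link: the classic link farm."""
    return [m.group(1) for m in HIDDEN_RE.finditer(html) if "<a " in m.group(1).lower()]

def title_of(html):
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""

def detect_cloaking(visitor_html, bot_html):
    """Compare what a browser received with what Googlebot received."""
    bot_only = pharma_hits(bot_html) - pharma_hits(visitor_html)
    hidden = hidden_link_blocks(bot_html)
    return {
        "cloaked": bool(bot_only) or bool(hidden),
        "title_visitor": title_of(visitor_html),
        "title_bot": title_of(bot_html),
        "terms_only_for_bot": sorted(bot_only),
        "hidden_link_blocks": len(hidden),
    }

def fetch_both(url):
    """Hypothetical helper: fetch one URL as a browser and as Googlebot (needs network)."""
    def get(ua):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    bot_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    return get("Mozilla/5.0"), get(bot_ua)

# Constructed sample pages standing in for the two responses of an infected site.
VISITOR_HTML = "<html><head><title>Acme Bakery - Fresh bread</title></head><body><h1>Welcome</h1></body></html>"
BOT_HTML = ("<html><head><title>Buy Viagra Online - Acme Bakery</title></head><body><h1>Welcome</h1>"
            '<div style="position:absolute;left:-9999px"><a href="/buy-cialis">cheap cialis pills</a></div>'
            "</body></html>")
```

Run detect_cloaking() on the pair returned by fetch_both(); a non-empty terms_only_for_bot list is the same proof the curl test gives, with the hidden blocks counted as well.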

how to clean it

The principle: remove the injected code everywhere, cut off the entry point, then bring Google back into the loop.

Back up the files and the database first. Any manual deletion can break the site, and a backup gives you a way back.

  1. Find and remove the injected code. Inspect the active theme’s header.php, footer.php, and functions.php: delete any PHP block you didn’t write, especially code encoded with base64, eval(), or gzinflate(). Compare your theme files against a clean version if you have one.
  2. Clean the .htaccess. Remove the conditional rewrite rules tied to the User-Agent or to search engines. Keep only the standard WordPress block.
  3. Clean the database. In wp_options, look for options with suspicious content (pharmacy keywords, serialized code). In wp_posts, list and then delete the fake posts. Always start with a read query:
SELECT ID, post_title, post_status, post_type
FROM wp_posts
WHERE post_title LIKE '%viagra%'
   OR post_title LIKE '%cialis%'
   OR post_content LIKE '%pharmacy%';

Confirm the results really are spam before deleting, and adjust the wp_ prefix if yours is different (for example wp_a1b2_).

  4. Remove the backdoor. Look for recent or oddly named PHP files at the root, in wp-content/uploads/ (where legitimate PHP never belongs), and in wp-content/. Without this, the spam comes back within days.
  5. Reinstall the core if system files are affected. If the injection reached wp-load.php, index.php, or wp-includes/, don’t fix it line by line: replace the entire core with a clean official version matching your exact version number.
  6. Change the passwords for admin, database, and FTP/SFTP once the code is clean, otherwise the attacker logs back in the way they came.
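Steps 1 and 4 above, the file-side search, as an added example (not code from the original page or from WP-Detox): it walks a WordPress install and lists PHP files that sit inside wp-content/uploads/ or that call eval(), base64_decode() or gzinflate(). The sample install it builds is constructed; the results are review candidates to compare against a clean copy, not a verdict.

```python
import os
import re
import tempfile

# The obfuscation primitives the cleanup step tells you to look for.
SUSPICIOUS_PHP = re.compile(rb"\b(eval|base64_decode|gzinflate)\s*\(", re.I)
PHP_EXT = (".php", ".phtml", ".php5")

def scan_wordpress(root):
    """Return sorted (relative path, reason) pairs worth a manual look."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if path.startswith(uploads):
                # Legitimate PHP never belongs under uploads: flag on location alone.
                findings.append((rel, "PHP file inside wp-content/uploads"))
                continue
            with open(path, "rb") as f:
                m = SUSPICIOUS_PHP.search(f.read())
            if m:
                findings.append((rel, "calls " + m.group(1).decode().lower() + "()"))
    return sorted(findings)

def build_sample_install():
    """Constructed sample tree: a clean footer.php, an injected header.php,
    a PHP file dropped into uploads and a harmless image. Returns the root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/demo/footer.php": b"<?php wp_footer(); ?></body></html>",
        "wp-content/themes/demo/header.php": b"<?php eval(base64_decode('PLACEHOLDER')); ?>\n<!DOCTYPE html>",
        "wp-content/uploads/2024/03/image.php": b"<?php echo 1; ?>",
        "wp-content/uploads/2024/03/photo.jpg": b"\xff\xd8\xff",
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    return root

if __name__ == "__main__":
    for rel, reason in scan_wordpress(build_sample_install()):
        print(rel, "->", reason)
```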

requesting reindexing

Once the site is clean, the pharmacy spam stays in Google’s index for a few days to a few weeks. To speed up the return to normal:

  • check that the hacked URLs really return a 404 or 410 error;
  • in Search Console, use the Removals tool to quickly hide the most visible pages;
  • if Google had placed a security warning, fix everything and then request a review.

If your site already shows the red “This site may harm your computer” screen, follow the dedicated procedure to remove the Google warning.

FAQ

Why do I see medication ads in Google but not on my site? Because of cloaking. The injected code serves the pharmacy content only to Googlebot and shows you your real page. Check with the Search Console URL Inspection tool or by simulating the Googlebot User-Agent.

Are the pharma hack and casino spam the same thing? It’s the same attack, an SEO spam injection, with a different payload: medication on one side, gambling on the other. The cleanup method is identical, only the keywords to search for change.

Why does the spam come back after I delete it? Because the backdoor is still there. Removing the pages without cutting off the entry point is like mopping up a leak without closing the valve. You have to purge every infected file and change the passwords.

If you’d rather not handle phpMyAdmin, the .htaccess, and the core files yourself, WP-Detox takes care of it. The free scan measures the real scale of the infection, cloaking included, then the cleanup takes about 30 minutes: removing the injected code, cleaning the database, deleting the backdoor, and reinstalling the core if needed, with a full backup before any action. All-in at €149, refunded if we can’t fix your site. For the overall steps, see also the complete guide for when WordPress is hacked.
