自言自语

I'm Wang Xianyuan, writing for myself, more studying, more experience…

How to recover wordpress from pharma hack 2014

By

What is wordpress pharma hack?

It is when your wordpress hacked in order to publish the hacker content instead of yours and display it on google search results. Especially in your pages that hit google first page, it specifically impact your SEO efforts.

And what make it worse from SEO point of view is that it shows google a different version of your page than you or others see when they visit your pages , which negatively impact your SEO , apart from injected wrong meta discretion which will show in your search results and reduce your click through rate.

So it means loss of money especially for large production site.

One important note is that although it is called “wordpress pharma hack” it is not necessary related to pharma in my case it was related to Casino poker games and other alike stuff.

Various games like slots and video poker of craps online are attracting many players. If you want to earn huge in a short amount of time, try our
poker card ..

So is there a good news ?

Actually yes , it is that this hack is not not destructive , i mean he can delete all your content and databse if he wish to , but it is strickly business he seeks only his benifits from your SEO efforts so he is not inteded to delete your stuff.

So , how to recover from wordpress pharma hack on 2014 ? ( or at least on my case , since i realize that there is many versions of the attack ) .

1. Start with your my sql database , export the table wp_options ( if you are using wordpress multisite it will be also on wp_10_oprions as well ) .

2. look into the rows of this table for strange encrypted values WHERE `option_name` like (“wp_data_newa”,”WP_CLIENT_KEY”)

3. if you find such data that is good ! , you start to find the trace of the attack now before you delete them there are some step to talk.

4. on the comments tables your probably have thousands of spam comments related to the attach , so it is a good idea to deny access to those IPs before you clean those spam comments , you can do this by selecting :

SELECT DISTINCT comment_author_ip
FROM `wp_3_comments`

And in case you have multisite you need to do union all select as follow :

(SELECT DISTINCT comment_author_ip FROM `wp_3_comments` )

union all

(SELECT DISTINCT comment_author_ip FROM `wp_4_comments` )

etc , tell you collect all distinct IPs of the attacker.

5. Once you have this blacklist IPs you need to deny them using your .htaccess file.

6. As you are visiting your .htaccess file to deny ips , it is also a good security practice to deny access to all countries which have a lot of bad hackers , to get the ip list of countries to deny please visit the site http://incredibill.me/htaccess-block-country-ips

and to know Top 10 Countries with most malicious networks visit this site

7. Gather all the above blacklist ips , make a copy of your .htaccess file and add the ips list to it.

8. Now back to the pharma hack you know now the rows you need to delete from the database which were in my case 2 rows on the wp_options table : wp_data_newa – WP_CLIENT_KEY we will use these exact values to know which plug in are infected on the file system useing this grep command

– Assume all your data are saved into public_html on a folder called ‘wpdata’ , so you need to grep the following (you may modify the command according to the hack values you found on the wp_options table) :

1) grep -rnw ‘wpdata’ -e “wp_data_newa”
2) grep -rnw ‘wpdata’ -e “WP_CLIENT_KEY”

9. The above grep should return some plug-in in your wordpress plug-ins folder so save the output to file, know the plug-in names and disable them.

10. on your file system level do rm -rf ( folders of the hacked plug-ins the you found in the above steps ) .

11. now you delete the infected files time now to clean the database using the following delete command :

DELETE FROM `wp_options`
WHERE `option_name` in (“wp_data_newa”,”WP_CLIENT_KEY”)

DELETE FROM `wp_3_options`
WHERE `wp_3_options`.`option_name` in (“wp_data_newa”,”WP_CLIENT_KEY”)

DELETE FROM `wp_4_options`
WHERE `wp_4_options`.`option_name` in (“wp_data_newa”,”WP_CLIENT_KEY”)

and so on till you clean all the wp_options table.

12. Once all the tables are clean and file system also is clean, you need now to change your cpanel , wp-admin and ftp passwords .

13. change the security key is the wordpress save on the wp-config.php file.

14. you need to install a plug in to lock the user who try to log in multiple times such as wordfence or wordpress better security.

15. if you are using wordpress multisite network it will be a wise decision to decrease the number of production sites per network to reduce the risk of such attacks.

16. During the above process it is always helful to export your database and open it into a decent editor such as notepade++ this will ease your life a lot when doing search for text pattern of the attack.

17. all the meta description hack keywords can be finds as words not phrases in the databes so if you export it into file you can do search and find the keywords that show in Google search results in the database export file.

18. it is time now to increase your wordpress security using some reference notes such as :

http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php

http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

19. this is also a good reference note lathough it is a bit old version of the attach :

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

http://wordpress.org/support/topic/download-updateexe

link: http://www.nile7.com/how-recover-wordpress-pharma-hack-2014

Leave a Reply