The spam that lives inside your own pages
The pharma hack does not create new pages on your site. That is what makes it different from the Japanese keyword hack, which generates thousands of separate spam URLs. The pharma hack is more subtle. It injects pharmaceutical spam directly into your existing pages — your homepage, your about page, your blog posts, your product pages. The spam is there right now, embedded in your HTML, on pages you visit every day. You just cannot see it.
The injected content is hidden using one or more techniques. The most common is CSS — the spam is wrapped in a <div> with style="display:none" or style="position:absolute;left:-9999px". Your browser renders the page and skips the hidden content. You see your normal page. But when Google's crawler reads the HTML, it sees everything — including the hidden text. Google indexes the pharmaceutical keywords, associates them with your domain, and starts showing them in search results.
Other hiding techniques are more sophisticated. Server-side cloaking checks the user agent of each request. If it is Googlebot, the server injects the pharmaceutical content. If it is a regular browser, it serves the clean page. This means the spam is not even in the HTML when you view source — it only appears when the server detects a search engine crawler. You can view source all day and find nothing.
The attackers know exactly what they are doing. They are not trying to deface your site or steal your data. They want your domain authority. A legitimate business website with years of search history, genuine backlinks, and good domain trust will rank pharmaceutical spam far better than a newly registered spam domain. Your site is their free advertising platform, and the longer it takes you to discover the hack, the more value they extract.
How the pharma hack gets into your site
Vulnerable plugins and themes
The most common entry point is an outdated plugin or theme with a known vulnerability. Attackers scan millions of WordPress sites looking for specific plugin versions with published exploits. If your site runs a vulnerable version — even if you have not used the plugin in months — the attacker can exploit it to inject code into your files or database. The WordPress security team publishes security advisories, but many site owners never check them.
Weak administrator credentials
Brute-force attacks against wp-login.php run constantly. Automated tools try thousands of username and password combinations. If your admin password is predictable — your business name, a dictionary word with numbers, or a password you use on other sites — it will be cracked. Once the attacker has admin access, they can modify theme files directly through the WordPress editor or install a backdoor plugin that injects the spam.
Compromised hosting environment
On shared hosting, a compromised site can sometimes access files belonging to other sites on the same server. If your hosting neighbour gets hacked and the server is poorly configured, the attacker can pivot to your WordPress installation. This is one reason managed WordPress hosts with proper isolation are worth the premium.
Where the pharma spam hides
In your theme files
The attacker modifies header.php, footer.php, or functions.php to output hidden pharmaceutical content. The injected code is often obfuscated — wrapped in base64_decode and eval() calls that make it look like random characters rather than readable PHP. When the theme loads, the obfuscated code decodes and outputs the spam content into the page HTML. You would need to decode the base64 string manually to see what it actually produces.
In the WordPress database
The spam can be injected into the wp_posts table — appended to the content of your existing posts and pages. It can be stored in wp_options as a widget or a custom setting that outputs content in the sidebar or footer. It can be stored in custom fields that your theme displays. Database-stored spam survives theme reinstallation and file scanning, which is why many site owners clean the files but find the spam returns immediately.
In WordPress core files
Some pharma hacks modify files in /wp-includes/ — the core WordPress files that run on every page load. They might add a few lines to wp-includes/version.php or wp-includes/load.php that include a remote payload. These files are rarely checked by site owners and are not flagged by basic file integrity tools that only compare checksums against the current WordPress version.
In .htaccess with cloaking rules
The .htaccess file can contain rewrite rules that check the user agent string. When Googlebot requests a page, the server serves a version with pharmaceutical content injected. When a regular browser requests the same page, the server serves the clean version. This server-side cloaking is the hardest variant to detect because the spam never appears in your browser — not even in the HTML source.
What Google sees versus what you see
This is the core of the pharma hack. You and Google are looking at the same URL but seeing different content.
What you see: Your normal homepage. Your logo, your navigation, your content, your footer. Everything exactly as you designed it. No pharmaceutical text anywhere.
What Google sees: Your normal homepage plus hundreds of lines of hidden text. Links to online pharmacies. Keywords like "buy viagra online," "cheap cialis," "online pharmacy no prescription," and "discount pharmaceuticals." These keywords appear in hidden divs, in tiny text the same colour as the background, or are served exclusively to the crawler via server-side cloaking.
Google indexes all of it. Your site's title tags and meta descriptions in search results start showing pharmaceutical terms. A potential customer searches your business name and sees "Buy Cheap Viagra — yourdomain.com" in the results. Your brand is now associated with pharmaceutical spam in the minds of anyone who sees it.
Google's systems eventually detect the cloaked content. When they do, they may apply a manual action — a penalty that suppresses your entire site in search results. The Google Search Essentials spam policies explicitly prohibit cloaking and hidden text. Recovering from a manual action requires cleaning the hack, submitting a reconsideration request, and waiting days to weeks for Google to review it. During that time, your legitimate pages are suppressed too.
The SEO damage goes deeper than you think
The visible damage is pharmaceutical spam in your search results. But the hack causes deeper harm that persists even after cleaning.
Backlink contamination. The spam pages and links generate backlinks from other spam sites in a link network. These toxic backlinks point to your domain and are difficult to remove. Even after cleaning the hack, these backlinks drag down your domain authority. You may need to use Google's Disavow Links tool to tell Google to ignore them.
Trust score degradation. Google's algorithms factor in a site's history. A domain that was caught serving cloaked pharmaceutical spam loses trust. Even after cleaning, your rankings may not fully recover for months. Pages that ranked on page one before the hack may drop to page two or three.
Brand reputation damage. Customers who search your brand name and see pharmaceutical spam do not think "oh, they were hacked." They think your site is dodgy, unprofessional, or unsafe. That impression does not go away when the hack is cleaned. The damage to your brand perception is real and lasting.
How to check if your site is infected right now
Search Google for pharma terms on your domain
Open Google and search: site:yourdomain.com viagra. Then try site:yourdomain.com cialis, site:yourdomain.com pharmacy, and site:yourdomain.com prescription. If any results appear, your site is infected. Also try site:yourdomain.com buy cheap — the spam often uses these commercial terms.
View your page source and search for hidden content
Right-click on your homepage and select "View Page Source." Search for "viagra," "cialis," "pharmacy," and "display:none." Look for large blocks of hidden text — divs positioned off-screen or styled with zero font size. Check multiple pages, not just the homepage. Some pharma hacks only inject into specific pages.
Check Google Search Console
Log into Google Search Console and check: the Performance report for impressions on pharmaceutical queries you never targeted, the Security Issues section for any manual actions, and the Links report for incoming links from suspicious pharmaceutical or spam domains.
Fetch as Googlebot
Use Google Search Console's URL Inspection tool to see how Google renders your pages. If the rendered version contains pharmaceutical content that your browser does not show, the hack is using server-side cloaking. You can also use curl on the command line with Googlebot's user agent to see what the server sends to crawlers: curl -A "Googlebot" https://yourdomain.com.
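The "view source" and curl checks above, as an added example that is not part of the original article: a Python script that reads raw HTML the way a crawler does, reports every pharmaceutical term it finds along with whether an enclosing element is hidden by the inline CSS techniques described earlier (display:none, off-screen positioning, zero font size), and compares a browser-UA fetch against a Googlebot-UA fetch to surface server-side cloaking. The term list, sample pages and function names are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Terms the article tells you to search for (constructed list; extend as needed).
PHARMA_TERMS = ("viagra", "cialis", "pharmacy", "prescription", "buy cheap")
# Inline styles matching the hiding techniques described above.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.?\d)|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}

class HiddenTextFinder(HTMLParser):
    """Reads the raw HTML (what a crawler sees) and records each pharma term
    together with whether an enclosing element is hidden by inline CSS."""
    def __init__(self):
        super().__init__()
        self.stack = []  # (tag, hidden) per open element
        self.hits = []   # (term, hidden, snippet)

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = any(h for _, h in self.stack) or bool(HIDDEN_STYLE.search(style))
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # pop to matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        lowered = data.lower()
        for term in PHARMA_TERMS:
            if term in lowered:
                self.hits.append((term, any(h for _, h in self.stack), data.strip()[:60]))

def scan_html(html):
    """Return [(term, hidden_by_css, snippet), ...] for pharma terms in raw HTML."""
    parser = HiddenTextFinder()
    parser.feed(html)
    parser.close()
    return parser.hits

def cloaked_terms(browser_html, crawler_html):
    """Terms present only in the crawler-UA response: the signature of
    server-side cloaking. Feed it a normal fetch and a curl -A "Googlebot" fetch."""
    crawler = {t for t, _, _ in scan_html(crawler_html)}
    return sorted(crawler - {t for t, _, _ in scan_html(browser_html)})

# Constructed sample pages standing in for the two fetches of one URL.
CLEAN_PAGE = "<html><body><h1>Acme Plumbing</h1><p>Call us today.</p></body></html>"
INJECTED_PAGE = (
    "<html><body><h1>Acme Plumbing</h1><p>Call us today.</p>"
    '<div style="position:absolute;left:-9999px">'
    '<a href="#">buy viagra online</a> cheap cialis</div>'
    '<p style="display:none">online pharmacy no prescription</p></body></html>')
```

Save the two curl responses to files, read them in, and pass them to cloaked_terms; an empty result with non-empty scan_html hits means the spam is in the HTML for everyone, not cloaked.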
How to clean the pharma hack
Step 1: Full backup before anything else
Back up your entire site — files and database. Store it off-server. If cleaning goes wrong, you need to be able to restore. The backup also serves as evidence of the hack for Google's reconsideration process.
Step 2: Scan and clean all theme files
Download your active theme and search every PHP file for base64_decode, eval(, gzinflate, str_rot13, and preg_replace with the /e modifier. Compare each file against a fresh copy from the theme developer. Pay special attention to header.php, footer.php, functions.php, and any file with a recent modification date you did not cause.
Step 3: Replace WordPress core files
Download a fresh copy of your WordPress version from wordpress.org and replace the wp-admin and wp-includes directories entirely. This eliminates any malware hidden in core files without affecting your content in wp-content.
Step 4: Clean the database
Search the wp_posts table for pharmaceutical keywords — "viagra," "cialis," "pharmacy," "prescription." Check post content, post title, and post excerpt fields. Search wp_options for the same terms. Check widget content. Check custom fields in wp_postmeta. Remove any pharmaceutical content you find, but be careful not to corrupt legitimate post content — the spam is often appended to the end of real content.
Step 5: Clean .htaccess
Replace your .htaccess with the default WordPress rules. If you had custom rules for caching, security, or redirects, add them back one at a time, verifying each one is legitimate. Look for rules that check user agent strings — these are almost certainly part of the cloaking mechanism.
Step 6: Remove backdoors and unknown users
Check for admin accounts you did not create. Search the file system for recently modified PHP files, especially in /wp-content/uploads/ (PHP files should never be there). Look for files with random-looking names like wp-tmp.php, cache.php, or class-wp-cache.php in unexpected locations.
Step 7: Reset everything
Change all passwords: WordPress admin, FTP, database (update wp-config.php), hosting panel. Generate new WordPress security salts from the WordPress salt generator and replace the old ones in wp-config.php. Update all plugins and themes to the latest versions. Delete any plugins or themes you are not actively using.
Step 8: Request Google reconsideration
Submit a clean sitemap in Google Search Console. Use the URL Removal tool for any spam URLs still showing in search results. If you have a manual action, submit a reconsideration request explaining what happened and what you did to fix it. The review can take weeks. Refer to the Google hacked site documentation for the full reconsideration process.
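The file-level part of the cleanup above (Steps 2, 5 and 6), as an added example that is not the article's own tooling: a Python walker that flags PHP files containing the obfuscation markers listed in Step 2, PHP files under wp-content/uploads/, and .htaccess rewrite conditions that test the user agent string. It builds a constructed sample tree in a temporary directory; the layout, file contents and function names are assumptions, and it complements rather than replaces checksum comparison against fresh copies and the database search in Step 4.

```python
import os
import re
import tempfile

# Obfuscation markers Step 2 tells you to search for (constructed pattern set).
SUSPICIOUS_PHP = re.compile(
    r"base64_decode\s*\(|\beval\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)
# Step 5: rewrite conditions that branch on the user agent string.
UA_RULE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I | re.M)

def scan_tree(root):
    """Walk a WordPress install and return sorted (relative_path, reason) leads.
    Every lead still needs a human look; base64_decode also has legitimate uses."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            if name == ".htaccess":
                if UA_RULE.search(body):
                    findings.append((rel, "htaccess-user-agent-rule"))
            elif name.lower().endswith(".php"):
                if "wp-content/uploads/" in rel:  # Step 6: PHP never belongs here
                    findings.append((rel, "php-in-uploads"))
                if SUSPICIOUS_PHP.search(body):
                    findings.append((rel, "obfuscation-marker"))
    return sorted(findings)

def build_sample_site():
    """Constructed WordPress-like tree with one clean theme file and three
    planted indicators; for demonstration only."""
    root = tempfile.mkdtemp()
    files = {
        "wp-content/themes/acme/header.php": "<?php wp_head(); ?>",
        "wp-content/themes/acme/footer.php": "<?php eval(base64_decode($p)); ?>",
        "wp-content/uploads/2024/cache.php": "<?php echo 'x'; ?>",
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} Googlebot [NC]\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{reason:26} {rel}")
```

Point scan_tree at the root of a downloaded copy of your site rather than the sample tree to get the same report for real files.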
How Uptrue keyword monitoring detects the pharma hack
The pharma hack is designed to be invisible to the human eye. But Uptrue's keyword monitoring does not use eyes. It reads the raw HTML of your pages — the same HTML that Google reads. If pharmaceutical terms appear anywhere in your page source, keyword monitoring catches them.
Step 1: Monitor for pharmaceutical keywords
- Sign up at uptrue.io/signup (free plan available)
- Click Add Monitor from your dashboard
- Select Keyword as the monitor type
- Enter your homepage URL
- Set the keyword to "viagra"
- Set the check type to "Page must NOT contain"
- Set the check interval to 1 minute
- Configure alerts — Slack, email, or Microsoft Teams
Repeat for additional pharmaceutical terms: "cialis," "pharmacy," "prescription," "buy cheap." Each monitor checks the HTML source of the page — not just the visible text. Even content hidden with display:none is in the HTML source and will be detected.
Step 2: Monitor that your expected content is intact
- Add another Keyword monitor for your homepage
- Set the keyword to your site name, tagline, or a phrase that always appears on your page
- Set the check type to "Page must contain"
- Set the interval to 1 minute
This is your safety net. If the hack modifies your content, removes your page elements, or replaces your page entirely, this monitor detects it. It catches not just the pharma hack but any form of content injection or defacement.
Step 3: Monitor multiple pages across your site
The pharma hack can inject content into any page — not just the homepage. Monitor your most important pages individually:
- Homepage
- About page
- Top landing pages by organic traffic
- Blog posts that rank well in Google
- Product pages (if running WooCommerce)
Step 4: Set up alerts for immediate response
Every day the pharma hack runs, more pharmaceutical keywords get indexed under your domain and your SEO reputation degrades further. Fast detection means fast cleanup means less long-term damage.
- Slack — instant alert in a dedicated security channel
- Microsoft Teams — immediate visibility for your team
- Email — backup notification with a written record
- Webhook — trigger automated incident response workflows
Preventing the pharma hack
Keep everything updated
The number one entry point is vulnerable plugins. Update WordPress core, plugins, and themes the day updates are available. Enable auto-updates for minor releases. Delete any plugin or theme you are not actively using — inactive plugins are still exploitable.
Use strong, unique passwords
Every WordPress admin account should have a password that is at least 16 characters, randomly generated, and unique to that site. Use a password manager. A compromised password on one site should never give an attacker access to another.
Enable two-factor authentication
Even if an attacker obtains your password through a data breach or brute force, two-factor authentication stops them from logging in. This single measure blocks the majority of credential-based WordPress attacks.
Disable the WordPress file editor
Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php. This prevents anyone — including an attacker with admin access — from editing theme and plugin files through the WordPress admin panel. If they cannot edit files through the UI, they need FTP or SSH access, which is a much higher barrier.
Install a security plugin with file integrity monitoring
Plugins like Wordfence compare your core files against the official WordPress repository and alert you when a file has been modified. This catches injected code in theme files and core files. Combined with regular malware scans, this gives you an early warning that something has changed.
Check Google Search Console weekly
Make it a habit. Check for unexpected impressions on pharmaceutical queries. Check the Security Issues section for manual actions. Check the Links report for incoming links from spam domains. Google Search Console is your early warning system for SEO-based attacks — but only if you actually look at it.
Your site might be selling Viagra right now and you would not know
That is the entire design of the pharma hack. It hides from you. It hides from your visitors. It shows itself only to Google, because Google is the one that will rank the pharmaceutical content and send traffic to the attacker's affiliate links. By the time you discover it — by the time a customer sends you a screenshot, by the time your rankings drop, by the time Google applies a manual action — the hack has been running for weeks or months.
Uptrue keyword monitoring reads the raw HTML of your pages every 60 seconds. If pharmaceutical terms appear anywhere in the source — in hidden divs, in tiny text, in injected scripts — you know in under a minute. Not in weeks. Not when a customer tells you. Not when Google penalises you. In under a minute.
Frequently asked questions
What is the WordPress pharma hack?
The WordPress pharma hack is a type of SEO spam attack where hackers inject hidden pharmaceutical keywords and links into your website. The injected content promotes Viagra, Cialis, online pharmacies, and similar products. The content is cloaked — hidden from normal visitors and site administrators using CSS, JavaScript, or server-side user agent detection — but fully visible to search engine crawlers. The attacker uses your domain authority to rank their spam content in Google search results.
How do I know if my WordPress site has the pharma hack?
Search Google for: site:yourdomain.com viagra OR cialis OR pharmacy. If you see results containing pharmaceutical terms in the title or description, your site is infected. You can also check by viewing the source code of your pages and searching for hidden divs or spans with pharmaceutical keywords. Check Google Search Console for unexpected impressions on pharmaceutical queries. The hack is designed to be invisible when you browse your site normally — you have to actively look for it in the source code or in search results.
Can uptime monitoring detect the WordPress pharma hack?
Standard HTTP uptime monitoring will not detect the pharma hack because the site continues to return 200 OK responses and loads normally for visitors. However, keyword monitoring can detect it. Uptrue keyword monitoring checks the actual HTML content of your pages. By setting up a monitor that alerts if pharmaceutical terms like "viagra," "cialis," or "pharmacy" appear on your pages, you catch the hack even when it uses CSS to hide the text from visual display. The keywords are still in the HTML source code.
How do I remove the pharma hack from WordPress?
Start with a full backup. Then search all theme files for injected code — pharma hacks commonly target header.php, footer.php, and functions.php. Search the database for pharmaceutical keywords in post content, widget areas, and options. Check .htaccess for rewrite rules that serve different content to search engine crawlers. Replace all WordPress core files with fresh copies from wordpress.org. Remove unknown admin users. Reset all passwords including FTP, database, and hosting panel. Regenerate WordPress security salts. Update all plugins and themes. Install a security plugin and enable two-factor authentication.