We know what the pharma hack does, but in order to eliminate it and to prevent attacks like this in the future, we need to know how it does what it does.I did the search for this particular string after seeing a post about it on wordpress.org. In that post, they describe exactly what we have been seeing on our plugin management page.If you have been constantly struggling with this, you likely have a hosting problem.I am surprised that such a large scaled hack can do all of this.Basically, the hack consists of two parts—malicious files in the WordPress plugins folder coupled with encrypted code in the WordPress database.Not to belabor on this comment but we have a bunch of research we did and definitive proof that when you keep on getting hacked, hosting is the issue.They had already changed the VPS, FTP, Database and Wordpress passwords and upgraded to the latest version of Wordpress.

Interestingly, the modified title tag and spammy links are only visible to search engines.Ultimately, WordPress is a good target for a hack like this because so many strong, high-ranking sites run it.The files in the plugins folder contain code that runs the encrypted code stored in the database.

Took me quite while getting it back up running and wrote to google for please include my site again.Evan, I blocked something like 180 different IP addresses while I was trying to remove the hack.Unfortunately, I did not discover this until after my site was hacked.You might have just saved my life, or kept me from spending thousands of dollars in psychology doctor expenses.I had one of my sites just go through this and I think I finally got it fix.The part about sneaking into your site to enjoy a hitch in highest-ranking page really gives me the creeps.And a third was in a file in wp-includes called script-runner.php (easily confused for the existing script-loader.php) and it had a heck of a mess that appears to have been doing much of the heavy lifting.Also, back when I ran AdSense, two of those three pages were the highest earners on the entire site (as far as PPC is concerned, anyway 1 ).

At least from my experience, there are far more steps involved to fully remove it.I will definitely keep an eye on this attack for my blog as well as those of my customers.B) Move your entire site to a staging server (localhost or a subdomain), clean it, and then push the clean version back to your live installation.On the first checkout screen, there is a link on the left that allows you to purchase with a credit card, and from this point on, the transaction will seem like any other online where you pay with a credit card.

Because of this, the pharma hack is dependent upon these rogue files in the plugins folder.Using this tool I could enter a URL that I knew was hacked and it would fetch it as the google bot.Came across this post, and we noticed the same thing happen for a cluster of sites we have hosted on one specific server.

If search engine traffic has dropped suddenly, you could have been removed from an index for some reason.I follow your recommendation of making and selling my own products as well as making affiliate sales of products I use and can recommend.I popped open the WordPress Admin itself and checked out a post.Mike, I bet Google is showing you cached versions of those pages but not telling you that the page is actually cached.

Sorry to bother you here but there is no email support on DIYThemes.The files themselves may claim to be older, but the folders will always tell when a new file is added.Therefore, in order to do a thorough diagnosis, you should check any plugin that was active at the time your site was hacked.WordPress website get hacked daily, there are a few tips and tricks that any website owner can employ post-compromise.I would prefer a server down time over having my blog(s) hacked by spammers any time of night or day.A full week goes by and just for kicks I check the sites on the analyzer again, and one of the sites had been hacked again.But random URL parameters that I found in Google Webmaster tools show the pharma stuff still if I search for the related obscure keywords in Google.None of the solutions in the post itself helped me, but one of the comments really did.

One was tweetmeme.tmp and one was akismet.tmp. Both files were 0 size.We mainly use Joomla as a CMS but do have a couple of Wordpress site that we have developed for clients.Dipankar, clearing your database is a major ordeal, and you do not want to clear the whole thing.

My question is when will this disappear for good, and when will i get my ranking back.I had my site hacked back in the beginning of May, and quickly fixed things.I will try the precautionary measures that you mentioned to make sure that everything is fine.There is a Viagra add on my website that I am having a really tough time finding out how to remove it.