In March our site was hacked and we were unaware of the hack for about 4 weeks. There has been some damage done to our domain, but we hope this is just temporary, but with most things time will tell. Other than that the hack has been resolved so I wanted to explain a little more about the hack just incase your website falls foul of it. The hack turns out to be the so called “WordPress Pharma Hack”.

What is the WordPress Pharma Hack

Basically, what this hack did was create webpages on the domain dougyhunt.uk which contained content about pharmaceutical products and linking to a pharmacy website in Canada. These pages were rendering to search engine crawlers only and not to the public or administrators. This meant, to the team here at ENM or the viewing public, that everything was business as usual. However, to Google, Bing, Yahoo, etc, the website was linking to this Canadian online pharamacy.

You couldn’t visit the pages as they redirected straight to the Canadian pharamacy site but I managed to pull out the cached version from Google of a few of the pages.

Google cached WordPress Pharma Hack

The below is a cached version of the Viagra page.

viagra

What else did Google see?

Well Google was actually ranking some of these pages, that’s how we first notices the hack actually. Below are some screenshots from Google SERP results.

Screen Shot 2015-04-11 at 10.40.50

Screen Shot 2015-04-11 at 10.40.54

Screen Shot 2015-04-11 at 10.40.59

Screen Shot 2015-04-11 at 10.41.04

What was the Canadian Pharmacy site like?

In good fashion, we got a screenshot of the Canadian pharmacy site.

screencapture-bestbuypills-us-product-Levitra-html-1428745314676

How did we fix the hack?

Ok so fixing the hack. We first deleted all the plugins. Then we used Sucuri to scan the site. However, after all our search we couldn’t get rid of all the problems. As a major change we decided to move hosting provider to a Managed WordPress Host. We moved to WPEngine. In doing this they manually scan, isolate and delete any infected files. The team at WPEngine provided a report, this is what they found:

“CLEARED: Cleared malware from file: ./wp-content/uploads/2014/07/index.php. Details: php.backdoor.filesman.001.009”
“CLEARED: Cleared malware from file: ./wp-content/themes/theme.php. Details: php.backdoor.filesman.002.002”
“OK: Hardening ./wp-admin/setup-config.php on WordPress”