MD Pabel

Originally published at mdpabel.com

WordPress Pharma Hack: How to Remove Cloaked Pharmaceutical Spam

If you have noticed your site ranking for keywords like Viagra, Cialis, or other pharmaceutical terms — but the website looks completely normal when you visit it — you are likely dealing with a WordPress pharma hack.

This is a form of SEO spam cloaking. The malware shows one version of the site to normal visitors and a different, spam-filled version to search engines. That is why site owners often say, “I can’t see anything wrong,” while Google is indexing pharmaceutical junk under their domain.

I’ve cleaned 4,500+ hacked WordPress sites, and this is one of the most frustrating infection patterns because it damages search visibility long before the site owner understands what is happening.

In this case, the infection was tied to a malicious file named settings-functions.php hidden inside the active theme. But the bigger lesson is not just that one filename. It is how pharma spam malware uses cloaking, fake functionality, and database persistence to poison search results while staying hidden from the owner.

If you are still trying to confirm whether your site is hacked, start with how to detect WordPress malware. If you already need help, see my WordPress malware removal service.


Quick Answer: What Is a WordPress Pharma Hack?

A WordPress pharma hack is an SEO spam infection that injects pharmaceutical keywords, links, or pages into your site — often in a way that only search engines can see.

Common symptoms include:

  • your domain ranking for Viagra, Cialis, Xanax, or other drug-related terms
  • Google search results showing spam titles or descriptions that you cannot see on the front end
  • strange indexed URLs or hacked pages appearing in Search Console
  • the site looking normal to you but not to Google

This is closely related to other cloaked SEO spam infections like the Japanese keyword hack and the hidden link patterns I covered here: Hidden Links Malware: SEO Spam Detection and Cleanup.


The Symptoms: Pharmaceutical Spam in Google, but Nothing Visible on the Site

In this case, the client reported that Google was associating their site with pharmaceutical scams, but the homepage looked normal and there were no obvious spam blocks on the front end.

That symptom matters.

When spam shows up in Google but not in a normal browser session, cloaking should move near the top of your suspect list. The malware is likely checking who is visiting and deciding what content to serve.

That is exactly what happened here.

Using a manual review plus malware scanning, I identified a suspicious file hidden inside the active theme folder:

wp-content/themes/hello-elementor/includes/settings-functions.php

The filename sounded legitimate enough to be ignored. The code inside was not.

[Image: malicious settings-functions.php file used in a WordPress pharma hack cloaking infection]


Why This Post Wasn’t Getting More Traffic

Before I show the malware breakdown, it is worth explaining why a post like this can underperform in search.

The old version focused too early on the specific filename and the internal class names. That is useful for forensic analysis, but most site owners are not searching for settings-functions.php or SimpleCache.

They search for symptoms like:

  • WordPress pharma hack
  • Viagra spam in Google
  • site looks normal but Google shows spam
  • pharmaceutical spam cloaking

So this updated version is built around the real user intent first, then the malware variant second.


How This Pharma Spam Malware Worked

This malware tried to look like a harmless caching component, which is a common trick in real WordPress infections. The goal was to look boring enough that nobody would question it.

1. It used obfuscation to hide the real logic

At the top of the file was a class called _keys. That class acted as a decoder. The malware used encoded strings and decryption logic to hide the real commands, domains, and payloads from simple text searches.

That matters because many site owners and even some junior developers still search for obvious words like “Viagra” or a known spam domain in the file system. With this kind of obfuscation, those strings do not appear in plain text until the malware decodes them at runtime.

2. It disguised itself as a normal caching component

The main payload was wrapped inside a class called SimpleCache. Even the comments tried to make it look like a normal caching file. That is exactly the kind of camouflage attackers use when they want malware to survive a quick visual inspection.

3. It used cloaking to show different content to bots and humans

The most important part of the code was the bot-detection logic. In this sample, the malware checked the visitor’s user agent. If the request appeared to come from Googlebot, Bingbot, or another crawler, the malware fetched spam content from a remote source and injected it into the page.

Human visitors saw the normal site. Search engines saw the spam.

That is why your SEO can collapse while the site still looks normal in your own browser.

4. It also touched the database

This was not just a file-based infection. The code also initialized its own database structures for storing settings, tasks, and cached spam data. That is one reason pharma hacks often survive surface-level file cleanup.

If you remove the visible file but leave the database payload or related persistence points behind, the infection may come back or continue poisoning search results. That is why this guide pairs naturally with how to scan and clean your WordPress database for hidden malware.


How to Confirm a WordPress Pharma Hack

Before cleaning anything, confirm the symptoms properly.

  1. Search Google for your domain plus spam terms like Viagra or Cialis.
  2. Run a site:yourdomain.com search and look for strange titles, descriptions, or hidden pages.
  3. Review Google Search Console for spammy URLs, unusual queries, or indexing spikes.
  4. Check your theme and plugin folders for suspicious files with technical-sounding names.
  5. Inspect the database for unexpected tables or injected SEO data.

If your problem is more about hidden spam links or hacked snippets inside normal content, also read this hidden links malware guide.
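
One way to test for the user-agent cloaking described above is to request the same URL as a browser and as a crawler and compare what comes back. This is an added example, not code from the original post; the user-agent strings, the term list and the sample HTML are assumptions made for illustration.

```python
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumed header values for the two fetches; the spam terms are the ones named in the post.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SPAM_TERMS = re.compile(r"\b(viagra|cialis|xanax)\b", re.I)

class PageFacts(HTMLParser):
    """Collect the title, visible text and linked hosts of one HTML response."""
    def __init__(self, html):
        super().__init__()
        self.title, self.text, self.hosts, self._tag = "", "", set(), None
        self.feed(html)
        self.close()
    def handle_starttag(self, tag, attrs):
        self._tag = tag
        if tag == "a":  # relative links have no hostname and are stored as ""
            self.hosts.add((urlparse(dict(attrs).get("href") or "").hostname or "").lower())
    def handle_endtag(self, tag):
        self._tag = None
    def handle_data(self, data):
        if self._tag == "title":
            self.title += data
        elif self._tag not in ("script", "style"):
            self.text += " " + data
    def spam_terms(self):
        return {t.lower() for t in SPAM_TERMS.findall(self.title + " " + self.text)}

def fetch(url, user_agent):
    with urlopen(Request(url, headers={"User-Agent": user_agent}), timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def compare(human_html, crawler_html, site_host):
    human, crawler = PageFacts(human_html), PageFacts(crawler_html)
    return {"title_differs": human.title.strip() != crawler.title.strip(),
            "crawler_only_hosts": sorted(crawler.hosts - human.hosts - {site_host, ""}),
            "crawler_only_terms": sorted(crawler.spam_terms() - human.spam_terms())}

# Constructed sample responses, used when no URL is given on the command line.
HUMAN = "<title>Acme Plumbing</title><h1>Welcome</h1><a href='https://example.com/contact'>Contact</a>"
CRAWLER = HUMAN.replace("Acme Plumbing", "Buy Viagra Online") + "<a href='http://spam.example/x'>cheap cialis</a>"

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else None
    pair = (fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA)) if url else (HUMAN, CRAWLER)
    print(compare(*pair, urlparse(url).hostname if url else "example.com"))
```

Pass your own page URL as the only argument to compare live responses. A clean result does not rule out cloaking that keys on something other than the user agent, so also check what Google fetched in Search Console's URL Inspection tool.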


How to Remove the Pharma Hack Safely

Warning: This cleanup involves code inspection and database review. Back up the site first. If you are not comfortable editing theme files or verifying suspicious database tables, get expert help.

Step 1: Locate and remove the malicious theme file

Check the active theme folder for suspicious files that do not belong, especially files pretending to be utilities or settings components.

In this case, the main malicious file was:

wp-content/themes/hello-elementor/includes/settings-functions.php

Other suspicious filenames in similar infections may include:

  • settings-functions.php
  • class.cache.php
  • db-cache.php

If the file contains obfuscated strings, decoder classes like _keys, or a fake caching wrapper like SimpleCache, treat it as highly suspicious.

Step 2: Check functions.php and related loader files

The malware still needs to be loaded somewhere. Review the theme’s functions.php file and nearby include files for lines that require or include the suspicious file.

If the malicious file was being loaded there, remove that reference too.

Step 3: Clean the database tables it created or abused

This malware created its own database structures for storing settings and tasks. Review phpMyAdmin for suspicious tables using your WordPress prefix that do not belong to WordPress core or any plugin you knowingly installed.

Examples may look like:

  • wp_sc_cache
  • wp_sc_settings
  • wp_sc_tasks

Always back up the database before dropping anything.

Step 4: Verify there are no other backdoors or reinfection points

Do not assume one file was the whole story.

Check:

  • hidden admin users
  • suspicious plugins or MU-plugins
  • .htaccess redirects
  • database injections
  • cron-based persistence

Step 5: Clean up the Google side after the malware is gone

Once the infection is actually removed, use Google Search Console to inspect the affected URLs and request crawling for the important cleaned pages. For a few URLs, the official path is the URL Inspection tool. Repeated requests do not make Google crawl faster, so focus on the most important pages first.

If the hack created large numbers of spam URLs, you may also need a search cleanup plan, not just malware removal.
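
Steps 1 to 3 above can be scripted as a first-pass triage over a copy of the theme folder and a table listing. This is an added example, not code from the original post or from the malware; the regexes, function names and the constructed sample tree are assumptions, while the filenames, class names and `wp_sc_*` tables are the ones listed in this guide.

```python
import re
import tempfile
from pathlib import Path

# Indicators come from the post; the regexes are this example's own assumption.
SUSPECT_NAMES = {"settings-functions.php", "class.cache.php", "db-cache.php"}
MARKER = re.compile(r"\bclass\s+(_keys|SimpleCache)\b")
INCLUDE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*?['\"]([^'\"]+\.php)['\"]")
CORE_TABLES = set("commentmeta comments links options postmeta posts termmeta terms "
                  "term_relationships term_taxonomy usermeta users".split())

def php_files(theme_dir):
    for path in sorted(Path(theme_dir).rglob("*.php")):
        yield path.relative_to(theme_dir).as_posix(), path.read_text(errors="replace")

def scan_theme(theme_dir):
    """Step 1: map each PHP file matching an indicator to the reasons it was flagged."""
    findings = {}
    for rel, code in php_files(theme_dir):
        reasons = ["suspect filename"] if Path(rel).name in SUSPECT_NAMES else []
        reasons += [f"declares class {name}" for name in sorted(set(MARKER.findall(code)))]
        if reasons:
            findings[rel] = reasons
    return findings

def find_loaders(theme_dir, flagged):
    """Step 2: (file, line number, line) for include/require statements loading a flagged file."""
    names = {Path(rel).name for rel in flagged}
    return [(rel, number, line.strip())
            for rel, code in php_files(theme_dir)
            for number, line in enumerate(code.splitlines(), 1)
            for match in INCLUDE.finditer(line) if Path(match.group(1)).name in names]

def unknown_tables(tables, prefix="wp_", plugin_tables=()):
    """Step 3: tables under the prefix that are neither core nor on your plugin allowlist."""
    return sorted(t for t in tables if t.startswith(prefix)
                  and t[len(prefix):] not in CORE_TABLES and t not in plugin_tables)

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed tree, harmless stand-in files
        inc = Path(tmp, "hello-elementor", "includes")
        inc.mkdir(parents=True)
        (inc / "settings-functions.php").write_text("<?php\nclass _keys {}\nclass SimpleCache {}\n")
        (inc.parent / "functions.php").write_text(
            "<?php\nrequire_once get_template_directory() . '/includes/settings-functions.php';\n")
        flagged = scan_theme(inc.parent)
        return flagged, find_loaders(inc.parent, flagged)

if __name__ == "__main__":
    print(demo(), unknown_tables(["wp_posts", "wp_sc_cache", "wp_sc_tasks"]))
```

Treat the output as a review list, not a delete list: legitimate plugin tables and multisite tables such as `wp_2_posts` will appear under `unknown_tables` until you add them to `plugin_tables`.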


Why This Type of Infection Is So Easy to Miss

The site owner usually checks the homepage, sees nothing obvious, and assumes WordPress is fine.

But cloaking malware is built specifically to exploit that habit.

It shows one version of the site to humans and another to search engines. That is why some site owners only realize the infection exists when they see pharmaceutical keywords in Google, get a manual action, or notice that traffic has collapsed.

Google’s spam policies are clear that cloaking and hacked spam content can affect search visibility significantly.


FAQ: WordPress Pharma Hack

What is a WordPress pharma hack?

A WordPress pharma hack is a type of SEO spam infection that injects pharmaceutical keywords, links, or pages into your site and often hides them with cloaking so only search engines or selected visitors see the spam.

Why does my site look normal even though Google shows Viagra spam?

Because many pharma hacks use cloaking. Human visitors see the clean version of the site, while Googlebot and other crawlers are served spam content instead.

Is deleting the suspicious file enough?

Not always. Infections like this often involve database tables, hidden loaders, additional backdoors, or reinfection paths. That is why a full cleanup should include file review, database review, and credential rotation.

How long does it take for Google to stop showing pharma spam after cleanup?

It depends on crawl timing, the number of affected URLs, and whether the infection is fully removed. Requesting crawling for a few important URLs through Search Console can help, but there is no guaranteed instant recovery.

What should I do after cleaning the malware?

Change passwords after the site is truly clean, rotate WordPress salts, check with your host, and review the full post-hack checklist. WordPress’s official hacked-site guidance recommends exactly that.


Need Help Cleaning a WordPress Pharma Hack?

Malware like this often leaves more than one foothold behind. If you delete one visible file but miss the database layer, the site can keep poisoning your search results or get reinfected later.

If your site is showing pharmaceutical spam in Google, I can manually clean the infection, remove the hidden persistence points, and help restore your SEO signals afterward.

Get expert WordPress malware removal help
