Battling the infamous WordPress "Pharma" hack

I got a Facebook message a few days ago from the Editor in Chief asking if the Pipe Dream was hacked. The attached screenshot showed ads for cialis and viagra instead of a popular Greek Life article. Neither of us were able to reproduce the issue, so I ignored it and went to bed.

Screenshot of a WordPress Pharma Hack Google result

The hack became clear the next day as a Google search for Pipe Dream returned results titled “#1 - kamagra gold 100 mg. FDA Approved Pharmacy. Good Quality …”. Fetching bupipedream.com as a Googlebot through Google Webmaster tools indicated that the hack targeted spiders and bots.

Some more searching led me to a great article explaining the infamous WordPress “Pharma” hack.

I followed the advice online and ran the following command:

grep -r "base64_decode" .

The results returned a suspicious file named uploas.php in the wp-includes directory. A quick glance at the file raised many red flags. I deleted the infected file and grep’d for the file name. The search returned a reference to uploas.php in wp-blog-header.php, so I deleted the infected line.

I’m still trying to find what caused the hack, but I’ve taken some of the precautions outlined in the ”Hardening WordPress” tutorial. I noticed that the attack also deleted the WP Super Cache plugin, so I’ve alerted the developer.

While the website is back to normal, I’m keeping an eye out for any followup attacks. Have you experienced the same issue? Let me know!