WordPress Pharma Hack: Viagra Spam in Your Search Results
By Glenn Lyvers · Updated · 6 min read
The pharma hack is an infection that injects pharmaceutical spam into your site, Viagra, Cialis, and the rest, in a way that only search engines can see. Your Google listings start showing pill-related titles and snippets, or your pages quietly rank for drug keywords, while the site looks completely normal in your browser. The spam is cloaked: served to Googlebot, hidden from you.
This is one of the oldest WordPress infections there is. I was cleaning pharma hacks a decade ago, and I still get several a year, because it keeps working. The whole scheme depends on you not noticing, and it's engineered well for that.
Here's how to tell if you have it, where it hides, and what an actual fix involves.
How do I know if my site has the pharma hack?
The most reliable check takes one minute. Search Google for site:yourdomain.com and read every title and snippet. Pharma-hacked sites show listings where your page title has been swapped for something like "Buy Cheap Viagra Online No Prescription," or your normal title with a strange tail of drug keywords. Sometimes only a handful of pages are affected. Sometimes it's all of them.
A second check: use the URL Inspection tool in Search Console and look at the crawled version of a suspect page, the page as Googlebot received it. Owners are routinely shocked at the difference. Your browser gets the bakery homepage; Googlebot gets the bakery homepage plus three hundred links to pill stores.
What you won't see is anything odd from a normal visit. That's the defining feature. If your visitors were seeing pill ads, you'd have caught it week one. The pharma hack starves you of the one signal you'd act on.
Why the spam only shows for Google
The injected code checks each request before deciding what to serve. Requests whose user-agent or IP address matches a search-engine crawler get the spam version, everyone else gets the clean page. Some variants also fiddle with search-referrer traffic and redirect people who click a poisoned result, but the classic pharma hack keeps human visitors untouched, because untouched owners don't hire people like me.
Cloaking cuts both ways, though. It's blatantly against Google's rules, so once discovered, these sites can pick up manual actions and lose rankings hard. The longer it runs, the deeper the hole.
Where the pharma hack hides
In my cleanups this infection lives deeper than most. The frequent hiding spots: obfuscated PHP tucked into theme files or a plugin that otherwise works fine, rogue rows in wp_options holding base64-encoded payloads that get evaluated at runtime, spam links buried inside old posts in wp_posts where no one has looked in years, and backdoor files scattered around wp-content/uploads or disguised as WordPress core files. Several variants store the actual spam text outside the site entirely and fetch it on demand, so the strings "viagra" and "cialis" appear nowhere in your files. Grepping for pill names finds nothing; the code that matters is a decoder, not the spam itself.
That's why pharma cleanups based on keyword searches fail. You have to hunt the mechanism: eval calls, base64 blobs, files that don't match fresh WordPress copies, options rows that don't belong. My indicators checklist walks through that evidence in detail, and my free checker gives you an outside-in read on what search engines are seeing.
Cleaning it out properly
The order of operations matters more than the tools. First, snapshot everything: files, database, access logs. The logs frequently show the entry point, which for pharma hacks is usually an old plugin vulnerability or a password that leaked years ago and never got rotated.
Then remove the mechanism everywhere it exists. Compare core files against a fresh WordPress download and replace what differs. Go through the theme by hand. Clean the injected rows and links out of the database, including inside serialized data where automated find-and-replace tools are dangerous. Pull every file a fresh install can't account for. And assume there's a backdoor, because there nearly always is; the pharma crowd plants spares. The general process is the same one in my full malware removal guide.
Last, close the door: update everything, rotate all credentials, remove admin accounts you didn't create, and tighten the basics from my security best practices guide.
Repairing your search results
The spam titles don't vanish the moment the site is clean. Google has to recrawl each page and see honest content again. Submitting your sitemap and requesting inspection of the worst pages hurries it along, and in my experience listings mostly correct within two to four weeks.
If Search Console shows a security issue or a manual action for spammy content or cloaking, deal with it head-on. Fix everything first, then request a review and describe plainly what you found and removed. Reviews with vague "we cleaned the site" notes get rejected; specifics pass. While you're waiting, run your domain through my free blacklist checker, since long-running pharma infections sometimes land you on antivirus blocklists too.
How long has it been there?
Longer than you think, usually. Because the pharma hack hides from owners so well, I routinely find infections that have been running for six months or a year before anyone noticed. One site I cleaned had spam links sitting in posts dated three years back, injected in a single batch one night and never disturbed since.
You can estimate the age yourself. File modification dates on the injected theme files give one anchor, though attackers sometimes forge them. Your Google listings give another: search site:yourdomain.com and check the cached or crawled dates on the affected pages. And your traffic history often shows it, a slow bleed in search clicks starting around the month the infection landed. Dating the break-in matters for one practical reason: any password that existed on the site during that window should be treated as stolen, and any backup taken during it is a backup of an infected site. Label those backups clearly before someone restores one in a panic; my backup and recovery guide covers how to keep a clean restore point going forward.
Want it gone without the archaeology?
Pharma hacks are hide-and-seek against someone who's had years of practice, and the losing move is deleting the obvious bits and calling it done. If you'd rather skip that game, my Bulletproof Cleaning package is $195: full snapshot, mechanism hunted down across files and database, backdoors out, entry point closed, and the Search Console follow-through afterward. I've dug this particular weed out of a lot of gardens. It doesn't grow back when you get the root.
Common questions
What is the WordPress pharma hack?
It is an infection that injects pharmaceutical spam, typically Viagra and Cialis keywords and links, into your site in a cloaked way: search engines see the spam while normal visitors see your regular pages. Attackers use your domain's reputation to rank pill-store links. Owners usually discover it by finding drug keywords in their own Google listings.
Why do my Google results show Viagra spam but my website looks fine?
The malware checks who is asking before it answers. Requests from Googlebot get the spam-injected version of your pages, while your browser gets the clean version. That cloaking is deliberate, because owners who see nothing wrong don't clean anything up. Use Search Console's URL Inspection tool to view a page exactly as Google crawled it.
Why can't I find the word viagra anywhere in my files?
Most pharma variants don't store the spam text on your server. The injected code is an obfuscated loader, often base64-encoded PHP in theme files or the wp_options table, which fetches spam content from a remote server when a crawler visits. Searching your files for pill names finds nothing. You have to hunt the mechanism, not the keywords.
Will the spam titles in Google go away after I clean my site?
Yes, but not instantly. Google must recrawl each affected page and see clean content before the titles and snippets correct themselves, which usually takes two to four weeks. Submitting your sitemap and requesting inspection of important pages speeds it up. If there is a manual action for spam or cloaking, request a review with specifics of what you removed.
How did my site get the pharma hack in the first place?
Almost always through an outdated plugin or theme with a known vulnerability, or a reused password that leaked somewhere else. The infection is automated; bots find the hole, plant the loader and a few backdoors, and add your site to the campaign. That's why cleanup must include updating everything, rotating every credential, and removing the backdoors, not just the spam.