Pharma hack: remove viagra spam from Google results

If Google shows pages about viagra, cialis or other pills under your domain, that is a common attack known as the pharma hack. A script is planted on the site that creates spam pages advertising counterfeit drugs and makes money from affiliate pharmacies. Your own content is still there, but the search index is polluted with spam pages, and Google may flag the site as hacked. Below: how to confirm it is the pharma hack, where the backdoor hides, and how to clean the spam so it does not return.

Contents
  1. What it is
  2. How to confirm it
  3. Check your site now
  4. Why it is dangerous
  5. Where the code sits
  6. Clean it step by step
  7. Joomla or WordPress
  8. When to call a specialist

What it is: the pharma hack

The pharma hack is the injection of drug-related spam pages and keywords onto someone else's site. The scheme is well established:

  • A backdoor is planted that creates pages advertising viagra, cialis and other pills.
  • Cloaking is common: the search bot is served a pharmacy page, a real visitor the normal site. That is why the owner does not notice for a long time.
  • The pages make money through affiliate programs of counterfeit online pharmacies.

How to confirm it is the pharma hack

The tell-tale signs of the pharma hack:

  • A site:yourdomain query in Google shows pages with words like viagra, cialis and pills.
  • Pharmacy titles and descriptions you never wrote appear in your search snippets.
  • Arriving from search, the site sometimes opens an online pharmacy.
  • The "Security issues" report in Search Console flags hacked content.

Check your site right now

The tool opens your site from the outside through the eyes of a search bot and a mobile visitor. They are usually the ones served the pharmacy version. Cloaking, a redirect and an outdated CMS show up at once. No access to the site is required.

I check: defacement, mobile redirect, cloaking, the CMS version and whether it is up to date.

Checking the site from the outside...

Why it is dangerous

Pharma spam is not just clutter in the results:

  • The index is polluted with spam pages, and your own pages fall in the rankings.
  • Google flags the site as hacked, and a warning appears in the results.
  • The domain loses trust: association with counterfeit drugs damages your reputation.
  • As long as the backdoor lives, the number of spam pages grows every day.

Where the code actually sits

To remove the spam for good you have to find the mechanism, not just the pages:

  • The backdoor: unknown .php files with random names in the uploads, media or cache folders.
  • Cloaking: code in index.php or the template files checks who is visiting, often via eval(base64_decode(...)).
  • The database: an injection in template parameters or records that the pages are assembled from.
  • Rules in .htaccess and a rogue sitemap with pharmacy URLs.
  • A cron job: restores the pages and the backdoor after deletion.

This is why the hosting antivirus often stays silent: part of the logic is in the database, and the backdoor files disguise themselves as legitimate.

How to clean it step by step

  1. Change every password: admin, FTP and SSH, database, hosting panel.
  2. In Search Console check the list of site owners and remove any you did not add.
  3. Find and delete backdoors: unknown .php files, check modification dates.
  4. Delete the generated pharmacy pages and the rogue sitemap, submit your real sitemap to Google.
  5. Check the database and cron jobs for code that regenerates the pages.
  6. Update the CMS and extensions, close the vulnerability used to get in.

If the site is on Joomla or WordPress

Joomla. Joomla 3 suffers most, with no security updates since 17 August 2023. Attackers get in through vulnerable extensions and hide the backdoor in the media folder or in template parameters in the database. Without moving to version 5 or 6 the spam returns.

WordPress. Look at the uploads folder (it must contain no .php), the wp_options and wp_posts tables, and the active theme functions.php. The way in is usually a neglected plugin.

When to call a specialist

It is worth calling in a specialist if:

  • you deleted the pages and they regenerated;
  • there is an unfamiliar owner in Search Console and you are unsure how to clean everything;
  • the backdoor cannot be found while the spam keeps multiplying;
  • Google has already flagged the site as hacked;
  • there is no working clean backup.

I clean the pharma spam on any CMS: remove the pages, find the backdoor, clean up Search Console and close the way in so it does not return. Diagnostics are free. I work with site owners from Ukraine and Poland, and with Russian speakers across the EU. I do not work with legal entities registered in Russia: that is an EU sanctions restriction.

Details and request

Frequently asked questions

Google shows viagra ads under my site. Do I have a virus on my computer?

No, it is a hack of the site itself, known as the pharma hack. A script was planted that creates pharmacy spam pages. Your computer and browser have nothing to do with it, the problem is on the site's server.

I deleted the pharmacy pages and they came back. Why?

Because a backdoor or a cron job was left behind that recreates them, and the way in was not closed. Deleting pages and removing the mechanism are two different things. Without finding the backdoor the spam returns within a day.

I visit my site and see no viagra. Where does it come from in Google?

That is cloaking: the pharmacy pages are shown only to the search bot, while the site looks normal to you. Google indexes what the bot sees, so the spam appears in the results, not on the site itself.

The hosting antivirus says all clean. Why is there spam?

Because part of the mechanism is in the database, and the backdoor files disguise themselves as legitimate with no known signatures. A signature scan does not see them. A silent scanner does not mean the site is clean.

Can I just ask Google to remove these pages?

You can remove them from the results, but that is not a fix. As long as the backdoor lives, the pages are recreated faster than you can delete them. First clean the site, and only then remove the pages from the index.

Telegram