Your Google listings suddenly read “Buy Viagra,” “Cialis online,” or “Canadian Pharmacy” — but your actual pages look fine. That’s the pharma hack: cloaked code rewrites your titles and meta for search engines only, hijacking your domain to rank rogue online-pharmacy spam. We strip the injection from your files and database, restore your real titles, evict the attacker, and get the pharma pages de-indexed.
Last updated: June 2026 · Reviewed by the FixHackedWordPress malware response team
Fix-First, Pay-Later Guarantee
We remove the pharma injection first. If we can’t clean it, you pay nothing.
Quick Answer
The pharma hack is a cloaked form of SEO spam that injects pharmaceutical keywords and links — Viagra, Cialis, and other “no-prescription” drugs — into your site to rank rogue online pharmacies using your domain’s authority. Its signature trait is that it rewrites titles and meta descriptions for search engines only: visit the page in a browser and it looks normal, but Google’s crawler is served drug-stuffed content. That’s why owners almost always discover it from their search listings, not their site.
Removal means finding the conditional injection (often in wp-config.php, .htaccess, the database, or fake core files), restoring your genuine titles and meta, removing backdoors and any unauthorized Search Console owner, then getting the pharma URLs de-indexed. Pharma is one payload within the wider SEO spam family — if your spam is gambling or generic keywords, those pages are the better fit.
Title + meta: Where pharma spam usually strikes first
Cloaked: Served to Google, hidden from you
Files + DB: Cleaned in both, plus fake core files
$0: If we can’t fix it
Why It’s So Sneaky
Unlike a redirect you can see, the pharma hack often touches nothing visible. It detects the visitor, and if it’s a search engine, it swaps your title tag, meta description, and sometimes the page body for pharmacy spam — then serves you the clean version.
The code inspects the User-Agent and referrer. Googlebot and search visitors get the pharma version; you, browsing directly, get the normal page — classic cloaking.
Your <title> and meta description are replaced with drug keywords so your listing reads “Buy Cialis Online,” even though the on-page content is untouched.
Hidden links and doorway pages funnel your traffic and ranking power to illegal “no-prescription” pharmacy networks that pay the attacker per click or sale.
How to confirm it yourself
Run site:yourdomain.com viagra (or cialis, etc.) in Google. If results appear, you’re infected. Then use Search Console’s URL Inspection to view a page as Googlebot fetched it — if the crawled title/content shows pharmacy text that isn’t in your browser view, that’s the cloaked pharma hack confirmed.
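The comparison described above, as an added example (not the FixHackedWordPress team's tooling): it diffs the title and meta description of two saved copies of the same URL, one as a browser received it and one as the crawler received it, and reports pharma terms present only in the crawler copy. The sample HTML and the term list are constructed; take the crawler copy from URL Inspection, since an injector that also checks the source IP will not respond to a spoofed User-Agent.

```python
from html.parser import HTMLParser

# Terms taken from the examples this page names; extend for your own triage.
PHARMA_TERMS = ("viagra", "cialis", "pharmacy", "no-prescription", "no prescription")

class HeadParser(HTMLParser):
    """Collects the <title> text and the meta description of one HTML document."""
    def __init__(self):
        super().__init__()
        self.fields = {"title": "", "description": ""}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.fields["description"] = (a.get("content") or "").strip()

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.fields["title"] += data

def head_fields(html):
    parser = HeadParser()
    parser.feed(html)
    return {k: " ".join(v.split()) for k, v in parser.fields.items()}

def compare_views(browser_html, crawler_html):
    """Diff title/description and list pharma terms found only in the crawler view."""
    b, c = head_fields(browser_html), head_fields(crawler_html)
    changed = [k for k in b if b[k] != c[k]]
    b_text, c_text = browser_html.lower(), crawler_html.lower()
    only_crawler = [t for t in PHARMA_TERMS if t in c_text and t not in b_text]
    return {"changed": changed, "crawler_only_terms": only_crawler,
            "cloaked": bool(changed and only_crawler)}

# Constructed sample responses for one URL (not captured from a real site).
BROWSER_VIEW = """<html><head><title>Acme Plumbing | Home</title>
<meta name="description" content="Licensed plumbers in Springfield."></head>
<body><h1>Welcome</h1></body></html>"""
CRAWLER_VIEW = """<html><head><title>Buy Cialis Online</title>
<meta name="description" content="Canadian Pharmacy, no prescription needed."></head>
<body><h1>Welcome</h1></body></html>"""

if __name__ == "__main__":
    print(compare_views(BROWSER_VIEW, CRAWLER_VIEW))
```

Terms that appear in both views are not reported, so a site that legitimately mentions a pharmacy is not flagged on keywords alone.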
Pharma hacks are notorious for burying themselves in places a quick scan skips — including fake files named to look like WordPress core. Here’s where we hunt.
Conditional eval(base64_decode(...)) payloads that load on every request and decide whether to serve the pharma version based on the visitor.
Encoded pharma arrays and spam content injected into wp_options and wp_posts, often autoloaded so it runs sitewide without a visible page.
Files disguised with legit-sounding names (the wp-vcd family is a classic) dropped into wp-includes or theme folders that re-inject the hack across the install.
Server-level conditions that route crawlers to pharma doorway pages while everyone else sees the real site.
PHP shells in uploads and hidden admin users that quietly rebuild the pharma payload after a partial cleanup — see our backdoor removal page.
A planted verification token that makes the attacker a verified owner so they can keep submitting pharma sitemaps. We revoke it.
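An added example (not the service's own scanner) that checks three of the hiding places listed above: PHP files for eval(base64_decode(...)) alongside a visitor check, .htaccess for rewrite conditions keyed on crawlers, and autoloaded wp_options rows for pharma terms, including inside base64 runs. The regexes, the option name wp_cache_data and all sample inputs are constructed assumptions.

```python
import base64
import re

PHARMA_TERMS = ("viagra", "cialis", "pharmacy")  # terms named on this page
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
VISITOR_CHECK = re.compile(r"HTTP_USER_AGENT|HTTP_REFERER")
CRAWLER_COND = re.compile(
    r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}.*(?:googlebot|bingbot|google\.)", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
AUTOLOADED = {"yes", "on", "auto", "auto-on"}  # older and newer WordPress autoload values

def scan_php(name, text):
    """Flag eval(base64_decode(...)); note if the same file inspects the visitor."""
    if not EVAL_B64.search(text):
        return []
    kind = "conditional-eval" if VISITOR_CHECK.search(text) else "eval-base64"
    return [(name, kind)]

def scan_htaccess(name, text):
    """Flag rewrite conditions keyed on a crawler User-Agent or search referrer."""
    return [(name, "crawler-rewrite")
            for line in text.splitlines() if CRAWLER_COND.search(line)]

def scan_options(rows):
    """rows: (option_name, option_value, autoload) tuples exported from wp_options."""
    findings = []
    for name, value, autoload in rows:
        if autoload not in AUTOLOADED:
            continue
        text = value
        for blob in B64_RUN.findall(value):  # decode encoded runs before matching
            try:
                text += " " + base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
            except ValueError:
                pass  # not valid base64; match on the raw value only
        if any(term in text.lower() for term in PHARMA_TERMS):
            findings.append((name, "autoloaded-pharma-option"))
    return findings

# Constructed samples (inert fragments, not taken from a real infection).
SAMPLE_PHP = '<?php $ua = $_SERVER["HTTP_USER_AGENT"]; /* ... */ eval(base64_decode($blob));'
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} googlebot [NC]\n"
SAMPLE_OPTIONS = [
    ("blogname", "Acme Plumbing", "yes"),
    ("wp_cache_data",  # hypothetical option name
     base64.b64encode(b"buy cialis online canadian pharmacy no rx").decode(), "yes"),
    ("old_note", "viagra", "no"),  # not autoloaded, so skipped
]

def run_samples():
    return (scan_php("wp-config.php", SAMPLE_PHP)
            + scan_htaccess(".htaccess", SAMPLE_HTACCESS)
            + scan_options(SAMPLE_OPTIONS))
```

Treat hits as leads for manual review, and compare any flagged file under wp-includes against a clean WordPress download of the same version.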
Methodology
Restoring your meta isn’t enough if the injector is still there. We remove the cause, restore your listings, and clean the search index.
We fetch your pages as Googlebot to reveal the pharma version, inventory every drug-spam URL Google has indexed, and trace the injection to its source.
We strip the payload from files, database, and fake core files, delete pharma doorway pages, and restore your genuine titles and meta descriptions without breaking content.
We patch the entry point, remove backdoors, rogue admins, and rogue Search Console owners, rotate keys, and lock down uploads and login.
We submit a clean sitemap, request removal/re-indexing of pharma URLs, and file any Google security review so the warning lifts and your rankings recover.
Simple Pricing
No tiers, no upsells. One price to remove the pharma hack and restore your listings.
$75 flat, to start
Complete removal and listing restoration — one site.
Fix-first, pay-later · you only pay once it’s clean
Because the hack is cloaked. It serves drug-stuffed titles and meta only to search-engine crawlers while showing you the normal page. Check Google’s crawled view (URL Inspection) and you’ll see the pharma version your browser never gets.
It’s a specific payload within SEO spam — pharmaceutical keywords and rogue-pharmacy links. The cleanup approach is similar, but pharma tends to target titles and meta and hides in fake core files. For gambling or generic keyword spam, see our SEO spam removal page.
Usually, once the injection is gone, the pharma URLs are de-indexed, and any manual action is cleared. Recovery follows Google’s recrawl timeline; acting quickly limits how far rankings fall in the meantime.
Pharma hacks self-rebuild from a backdoor or fake core file (like the wp-vcd family). If you remove the visible pages but leave the injector, it regenerates within days. The fix has to remove every copy and close the entry point.
Server-side cleanup is typically 4–12 hours; de-indexing follows Google’s recrawl. It’s a flat $75 to start on a fix-first, pay-later basis — you only pay once it’s clean. Send us your domain to begin.
Every day pharma spam sits in your search results, your rankings and reputation erode. We remove it, restore your titles, and de-index the junk — and if we can’t, you pay absolutely nothing.
Flat $75 · Fix-first, pay-later