Pharma & SEO Spam Injections: Detection and Cleanup
Pharma spam and Japanese SEO hacks hide from human visitors but poison your Google rankings by cloaking hidden pages full of prescription-drug and gambling keywords. This guide walks through detection, cleanup and long-term prevention — the exact playbook the Malware Remove Expert team runs on live production sites.
Pharma spam and Japanese SEO hacks are two of the most damaging infections we handle at Malware Remove Expert — not because they take a site offline, but precisely because they don’t. They quietly cloak thousands of injected pages full of prescription-drug keywords behind your legitimate URLs, poison your Google Search Console reports, and can wipe out years of organic rankings in a matter of days. This guide walks through everything we do on a live cleanup: how to detect the injection, how to remove it end-to-end, and how to keep it from coming back.
What is a pharma / SEO spam injection?
Pharma spam is a class of black-hat SEO attack where an attacker gains write access to your site — usually through an outdated plugin, a stolen admin credential, or a compromised hosting account — and uses it to publish hundreds or thousands of hidden pages targeting profitable keywords like buy viagra online, cheap cialis, or Japanese drugstore terms. The pages are cloaked: real visitors see your normal site, while Googlebot (or anyone with a matching user-agent / referrer) is served the spam.
The attacker’s goal is not to sell anything on your domain. It is to borrow your domain authority to rank spam pages, then redirect the search traffic to a paid affiliate storefront. Your reward is a search-console filled with “Discovered — currently not indexed” errors, a Safe Browsing warning, and a slow, cliff-edge drop in organic traffic.
Warning signs on a live site
Every real cleanup we take on starts the same way — the owner noticed one of these and only then went looking. Watch for:
- Search results showing your domain with Japanese, Cyrillic, or prescription-drug page titles you never wrote.
- Google Search Console reporting hundreds or thousands of new URLs indexed in a single week.
- A dashboard warning in Search Console: “Site may be hacked” or “Deceptive site ahead”.
- Traffic collapsing from a single country (usually the US) while stable everywhere else.
- Requests to unfamiliar URLs like
/wp-content/uploads/2024/xmlrpc-x.phpappearing in your access logs.
How to confirm the injection
1. Fetch as Googlebot
The cloaked pages only render when the server thinks it’s talking to a search crawler. Use curl with a Googlebot user-agent to see what Google sees:
curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
-L https://example.com/
If the returned HTML contains keywords, links, or full spam pages that never appear in a normal browser session, you have a confirmed cloaked injection.
2. Audit Search Console coverage
Open Google Search Console → Pages → Indexed and sort by discovery date. Injected pages usually appear in tight bursts — 300 or 2,000 URLs on the same day, all with URL patterns that don’t match your permalinks (e.g. /2019/07/cheap-cialis-25mg/ on a site that has no 2019 archive).
3. Scan the filesystem
SSH into the server and look for recently modified PHP files outside wp-content/uploads:
find . -type f -name "*.php" -mtime -14 \ -not -path "./wp-content/cache/*" | sort
Injected files typically live in odd locations: wp-content/uploads/2023/, wp-includes/js/, or as fake plugin folders named after real plugins (e.g. wp-content/plugins/akismet-updater/).
The cleanup playbook
Once you’ve confirmed the injection, resist the urge to “delete the bad files and hope”. A partial cleanup guarantees re-infection within 24 hours. Our engineers work the exact sequence below on every case.
- Snapshot everything first. Full filesystem + database backup before any change. Cleanups sometimes require rolling back a step, and evidence matters for incident forensics.
- Isolate the site. Enable maintenance mode or return a 503 for all requests. This stops Googlebot from indexing more spam mid-cleanup.
- Rotate every credential. Hosting panel, SFTP, database, admin users, API keys. Assume everything the site touched is burned.
- Replace WordPress core with a fresh copy of the exact version. Never trust in-place files.
- Replace every plugin and theme from a clean, verified source. Do not “repair” — replace.
- Scan uploads and mu-plugins for injected PHP and remove suspicious files. Regenerate
.htaccessfrom a clean default. - Purge the injected DB rows. Spam plugins often store payloads in
wp_options,wp_posts, or a custom table. - Submit a URL removal request for the injected pages in Search Console and force a recrawl of your legitimate pages.
The single biggest reason a pharma cleanup fails is skipping step 3 — credential rotation. If the attacker’s backdoor was a stolen hosting login, replacing files does nothing.
— Malware Remove Expert engineering team
Preventing re-infection
- Enforce 2FA on every admin, editor, and hosting-panel account. No exceptions.
- Disable file editing inside WordPress:
define('DISALLOW_FILE_EDIT', true);inwp-config.php. - Remove unused plugins and themes entirely; don’t just deactivate them. Deactivated files are still readable and still exploitable.
- Enforce automatic minor updates for WordPress core and set critical plugins to auto-update.
- Add a Web Application Firewall (WAF) in front of the site to block known exploit patterns and brute-force attempts.
- Monitor file-integrity: any change to a PHP file outside
wp-content/uploadsshould trigger an alert.
How long does recovery take?
The technical cleanup itself is usually under four hours for a typical WordPress site with fewer than 50 plugins. The SEO recovery — Google recrawling, removing the manual action, and restoring pre-hack rankings — takes anywhere from a week to six weeks depending on how long the injection had been indexed. The single biggest lever on that timeline is how thoroughly you submitted URL removal requests immediately after the cleanup.
If you’re staring at a Search Console full of Japanese page titles right now, don’t spend the next 48 hours experimenting. Bring in a specialist, follow the sequence above, and get back to running your business.


