Spam In Your Google Results
That Is Not On Your Site?
This Is The Pharma Hack.
You search your own site on Google and see listings for counterfeit pharmaceuticals, replica goods, or content in a language you do not use, but when you visit the actual page, none of it is there. This is the WordPress pharma hack, and it is built specifically to be invisible to you while fully visible to Google.
CV Infotech finds this injection in the database fields and theme files where it actually lives, not just the visible page output, and removes it completely rather than leaving rows behind that regenerate the spam later.
What The WordPress Pharma Hack Actually Is
The pharma hack injects hidden spam content and links into a WordPress site, historically most associated with counterfeit pharmaceutical sales, though the same technique is used just as often for replica goods, essay-writing services, or Japanese and Chinese-language SEO spam entirely unrelated to the site's real content. The defining trait is cloaking, the injected content is served conditionally, appearing to search engine crawlers but not to a normal visitor or a logged-in admin.
This cloaking is why it goes undetected for so long. The injection typically checks the User-Agent or referrer of the incoming request, and only serves the spam content when it detects a search engine crawler, which is precisely why searching site:yourdomain.com in Google is the fastest way to actually see what the hack has been showing search engines the entire time.
Francisco Escobar's WordPress platform has been checked for exactly this pattern on every scheduled maintenance visit for 14 years, which is why cloaked SEO spam has never taken hold there undetected. That same site: search check and database review is the first thing we run on any pharma hack engagement, and it is a standard part of the ongoing plans at /wordpress-maintenance-service/.
We Search As Google Sees It, Not As You See It
Since the entire hack is built to hide from a normal visitor, we replicate the crawler conditions that actually trigger the spam before concluding anything is or is not present.
Database Rows Fully Removed, Not Just Hidden
Deactivating a theme or plugin can sometimes stop spam from displaying without removing the underlying database rows, which then resurface after any unrelated update.
Search Console Spam Annotations Reviewed
If Google has already flagged specific URLs for spam content, we review those flagged pages specifically rather than relying on a general site-wide scan alone.
Reindexing Requested After Cleanup
Once verified clean, we request reindexing so search engines recrawl and update your listings, rather than leaving stale spam-flagged results live for weeks.
How We Find And Remove The Pharma Hack
wp_posts Content Field Scan
We search the post_content and post_content_filtered fields for injected spam text and links, since this is the single most common storage location and the reason a plugin-only file scan frequently misses this hack entirely.
wp_options Widget and Theme Field Review
Widget content and theme customiser fields stored in wp_options are a second common hiding place, particularly for injections designed to survive a theme file cleanup untouched.
functions.php Cloaking Logic Check
We review the active theme's functions.php for User-Agent or referrer-based conditional logic, which is the mechanism that actually makes the spam invisible to normal visitors while fully visible to crawlers.
Search Engine Simulation Testing
We request pages using a Googlebot User-Agent specifically, replicating exactly how the crawler sees the site, since this is the only reliable way to confirm the cloaking is genuinely gone rather than simply not triggering during a normal browser check.
Search Console Cross-Check
If your Search Console account shows manual actions or flagged URLs for spam, we cross-reference those specific pages against our own findings to confirm nothing was missed.
Full Removal and Reindex Request
Every affected row and file is cleaned rather than deactivated, and we submit a reindexing request once verified clean so search results update rather than showing stale spam listings for weeks.
The pharma hack is one of the most profitable hacks for an attacker precisely because it is designed to survive a superficial check. A site owner glancing at their own homepage will see nothing wrong, which is exactly why this hack can run for months, sometimes longer, quietly damaging search visibility and brand trust with anyone who happens to search the domain directly.
Finding it requires deliberately looking at the site the way a search engine crawler does, not the way a normal visitor does. That distinction is the entire difference between a removal that actually works and one that only appears to, and it is the first thing we check before touching a single file.
This service is not the right choice if:
- You have already confirmed the spam listings are simply outdated cached results, not an active cloaking injection
- Your hosting provider's managed plan already includes this type of cleanup
- You need a full site rebuild rather than a targeted cleanup, see /wordpress-development-company/
- You are comfortable with database queries and prefer to search wp_posts yourself first
We will confirm which of these applies during the triage call before billing anything.
USA
Compliance: CCPA · Hosting: AWS us-east-1 · Support: EST (UTC-5)
Site and database access during removal is handled in compliance with CCPA, processed on AWS us-east-1 infrastructure and deleted on completion, with updates communicated during EST business hours. Full detail: /web-development-agency-usa/
UK
Compliance: UK GDPR · Hosting: AWS eu-west-2 London · Support: GMT (UTC+0)
UK GDPR governs how any customer or commenter data encountered in the database review is handled. John Gowland's real estate platform build included the same database and Search Console review standard. Full detail: /hire-developers-uk/
Australia
Compliance: Privacy Act 1988 · Hosting: AWS ap-southeast-2 Sydney · Support: AEST (UTC+10)
Privacy Act 1988 obligations are factored into how Australian client data is handled during the review. Laura Maher's ongoing WordPress work with us from Australia runs on this same AEST-aligned support model. Full detail: /app-development-company-australia/
Signs Your Site Has A Pharma Hack
Run through these before assuming anything. Most of these take under two minutes to check.
| # | Item | Why It Matters |
|---|---|---|
| 1 | Search site:yourdomain.com in Google | The single fastest confirmation, spam text here that is not on the actual page is a definitive sign |
| 2 | Check Google Search Console for manual actions | Google often flags spam directly if it has been detected |
| 3 | Search your brand name plus "viagra" or "cialis" | A common combination used by attackers to test if the injection is indexed |
| 4 | Review recent organic traffic for unfamiliar foreign-language keywords | Sudden traffic from unrelated foreign-language queries often indicates cloaked spam ranking |
| 5 | Check if your site suddenly ranks for completely unrelated terms | A red flag if your site starts appearing for queries with no relation to your actual content |
| 6 | Fetch a page using Google's URL Inspection tool in Search Console | Shows you what Google actually rendered, which can reveal cloaked content directly |
We Check As Googlebot, Not As A Visitor
Since the hack is designed to hide from normal browsing, we replicate crawler conditions specifically to confirm what is really there.
512 Verified 5.0 Reviews
512 reviews on Freelancer.com with a 5.0 rating, from real client engagements.
Full Database Cleanup, Not Just File Cleanup
Spam stored in wp_posts and wp_options is fully removed, not just hidden by a theme change that leaves the rows intact.
Francisco Escobar, 14 Years, Zero Breaches
Client since 2012. His site has been checked for exactly this cloaking pattern on every maintenance visit for 14 years.
How We Find And Remove The Pharma Hack
Six steps from crawler simulation to a verified clean site and reindex request.
We fetch key pages as Googlebot specifically to confirm exactly what search engines are actually seeing.
wp_posts, wp_options, and the active theme's functions.php are all checked for the injected spam and its cloaking logic.
Every affected database row and file is cleaned, not deactivated, so the spam cannot resurface after an unrelated update.
The vulnerability that allowed the injection, usually an outdated plugin or compromised credential, is identified and closed.
Any flagged URLs are cross-checked and a reindexing request is submitted once the site is verified clean.
You receive the exact location the spam was hiding, the entry point, and confirmation of the reindex request.
Frequently Asked Questions
This is cloaking, the defining trait of the pharma hack. The injected code detects whether the request is coming from a search engine crawler or a normal browser and only displays the spam content to the crawler, which is why the two views look completely different.
Search site:yourdomain.com in Google and look for spam text or links you did not write. This single check surfaces the vast majority of active pharma hack infections within seconds.
Not always. Many pharma hack injections live in database content fields rather than files, and a scanner that only checks the file system for known malware signatures can miss a database-level injection entirely.
Yes, temporarily. Google may need to recrawl and reindex your pages before the spam listings disappear from search results, which is why we submit a reindexing request as a standard part of every removal.
No, though the two can occur together. The pharma hack injects spam content visible to search engines, while a redirect hack sends visitors to a different destination entirely. See /wordpress-security/redirect-hack/ for that specific pattern.
Historically, counterfeit pharmaceutical sales were unusually profitable for attackers due to high margins and search demand, which is why this specific spam category became common enough to earn its own name, though the same cloaking technique is now used for many other spam categories too.
Often weeks to months, since the entire design of the hack is to remain invisible during a normal visit. Site owners typically discover it only when a customer mentions strange search results or when Google issues a manual action notice.
Our rate is $30 an hour. A typical case involving database and theme file cleanup runs a modest number of hours, quoted after triage before any billed work begins.
It is the necessary first step, but ranking recovery also depends on Google recrawling and reindexing the cleaned pages, which our reindexing request accelerates but cannot instantly complete.
Yes, if the entry point that allowed the original injection is not closed, since the same vulnerability can simply be exploited again. Our process always includes identifying and closing that specific weakness.
If Google issued a manual action for spam, yes, a reconsideration request is typically required after cleanup, which we handle as part of the removal service.
Yes. $30/hr. Contact us through the form above and we begin triage within 2 hours during business hours.
Spam Showing Up In Your Google Results That Is Not On Your Actual Site? We Find Exactly Where It Lives.
$30/hr. Checked the way search engines actually see your site.