Title: Pharma hack and 403 error admin-ajax.php
Last modified: May 24, 2019

---

# Pharma hack and 403 error admin-ajax.php

 *  [stjason](https://wordpress.org/support/users/stjason/)
 * (@stjason)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/)
 * I have two issues I’m struggling to fix. I’ve tried most everything suggested
   online and am at a loss as to what else to do.
 * Wordpress Version: 5.2.1
    Theme: Mesmerize Plugins: ALL are deactivated
 * **Issue 1:
    403 Forbidden Forbidden You don’t have permission to access /wp-admin/
   admin-ajax.php on this server.
 * I get this message any time I try to update or delete a plugin. It also shows
   this message on the Dashboard tab of the Admin panel.
 * Things I’ve tried:
    1. Deactivating all plugins 2. Via FTP I have verified admin-
   ajax.php permission code is set to 640 3. Via FTP I have verified all WP folder
   permissions are set to 755 4. Installed WP Super Cache, there are no cached contents
   showing to delete 5. Cleared theme cache
 * Is there anything I should be checking at the host level?
 * **Issue 2:
    When clicking on my site from a search engine it redirects to a pharma
   scam site.
 * Things I’ve tried to fix this:
    1. Inspected htaccess which looks normal. I tried
   deleting it and generating a new file but a new file was never created. I’ve 
   compared my file with other “normal” ones online and they look the same. 2. Inspected
   all *.php files (index, header, footer, etc.). I know it is common to encode 
   PHP in these files to facilitate the redirect but all of mine look normal.
 * I’ve seen vague mention of these redirects working via scripts or an infected
   database but I haven’t found much information on how to troubleshoot those cases.
 * Thanks!
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fpharma-hack-and-403-error-admin-ajax-php%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 14 replies - 1 through 14 (of 14 total)

 *  [Stef](https://wordpress.org/support/users/serafinnyc/)
 * (@serafinnyc)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11570272)
 * Did you look at the htaccess? Have you cleaned your hack yet?
 *  Thread Starter [stjason](https://wordpress.org/support/users/stjason/)
 * (@stjason)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11570282)
 * Hi Stef
 * I have inspected htaccess and it only contains this, which I surmise is normal.
 *     ```
       # BEGIN WordPress
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       </IfModule>
   
       # END WordPress
       ```
   
 *  [Stef](https://wordpress.org/support/users/serafinnyc/)
 * (@serafinnyc)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11570299)
 * Sorry, was viewing without my glasses on and now I’m in front of main computer.
   Good. Yeah that’s correct.
 * Have you run a grep looking for the main leak of the virus?
 *  Thread Starter [stjason](https://wordpress.org/support/users/stjason/)
 * (@stjason)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11570395)
 * Thanks Stef, I’m on Windows so I will attempt to do Select-String in Powershell.
   I’ve downloaded all of the files from my host. Hopefully this can reveal some
   clues as to where the hack is hiding out.
 *  [Stef](https://wordpress.org/support/users/serafinnyc/)
 * (@serafinnyc)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11570399)
 * Oooooo! I like how you roll 😎👊🏼🤙🏼
 * Pharma hacks like JS files the most, header files and index files.
 * Best of luck
 *  Thread Starter [stjason](https://wordpress.org/support/users/stjason/)
 * (@stjason)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11571686)
 * Somewhat surprisingly I was unable to find anything at all related to the hack
   in my files. I could find no mention of the destination of the redirect anywhere.
   I had expected to find “something” in the theme php files, scripts, etc. but 
   no luck. I also didn’t see any unusual encoded PHP blocks or additions to the
   htaccess file. Everything looks exactly as it should… I’m really puzzled at this
   point.
 * I also checked everything at the host level just to make sure that wasn’t the
   source of the problem but everything looks fine.
 * Curiously I contacted my host about the 403 error on admin-ajax.php and they 
   say everything is configured exactly as it should be and they have no idea why
   I’m getting the permission error. This is a real mess.
 *  [Stef](https://wordpress.org/support/users/serafinnyc/)
 * (@serafinnyc)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11572112)
 * Let’s start over.
 * > Issue 1:
   >  403 Forbidden Forbidden You don’t have permission to access /wp-admin/
   > admin-ajax.php on this server.
 * What brought you to or how did you come about receiving /admin-ajax.php ??
 * If I goto [http://partnerfirst.biz/wp-admin](http://partnerfirst.biz/wp-admin)
   I’m good. I get the login page. Is it after you get in that your URL changes 
   over to /admin-ajax.php?
 *  Thread Starter [stjason](https://wordpress.org/support/users/stjason/)
 * (@stjason)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11574264)
 * > What brought you to or how did you come about receiving /admin-ajax.php ??
   > If I goto [http://partnerfirst.biz/wp-admin](http://partnerfirst.biz/wp-admin)
   > I’m good. I get the login page. Is it after you get in that your URL changes
   > over to /admin-ajax.php?
 * I see the /admin-ajax.php 403 error anytime I try to update a theme, plugin, 
   or delete a plugin. None of those things are possible.
 * A few updates…
 * My hosting service ‘scanned’ my site and identified several files which may have
   been compromised. I removed all of the files via FTP but the problem persists.
 * As of now the site is still redirecting to the pharma site. I don’t really know
   what else to try other than a complete reinstall.
 *  [Stef](https://wordpress.org/support/users/serafinnyc/)
 * (@serafinnyc)
 * [7 years ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11574266)
 * Carefully follow [this](https://codex.wordpress.org/FAQ_My_site_was_hacked) guide.
 * When you’re done, you may want to implement some (if not all) of the recommended
   security measures found [here](https://codex.wordpress.org/Hardening_WordPress)
    -  This reply was modified 7 years ago by [Stef](https://wordpress.org/support/users/serafinnyc/).
 *  [ryandesigned](https://wordpress.org/support/users/ryandesigned/)
 * (@ryandesigned)
 * [6 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11658659)
 * I have the same issue… Any updates on this?
 *  Thread Starter [stjason](https://wordpress.org/support/users/stjason/)
 * (@stjason)
 * [6 years, 11 months ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11661168)
 * Hey Ryan
 * I eventually got it fixed by doing several things…
    – disabled all plugins – 
   deleted unused non-essential plugins – my host scanned the files and found some
   encoded php and malicious files I had to cleanup manually via FTP
 * At this point I was able to start scanning the site via WP plugins (I used a 
   few). There was a cascade of issues for a little while but eventually it got 
   cleared up.
 *  [magarcia69](https://wordpress.org/support/users/magarcia69/)
 * (@magarcia69)
 * [6 years, 9 months ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-11907497)
 * Sometimes, the 403 Forbidden error to access /wp-admin/admin-ajax.php is caused
   from the server configuration.
 * In case you can admin your server, if you have Mod Security enabled, try to disable
   it temporaly. Hopefully, you will be able to send your webform successfully. 
   After that, you can enable it again.
 * This is happening to me when changing the settings in several plugins.
 *  [cowpen](https://wordpress.org/support/users/cowpen/)
 * (@cowpen)
 * [6 years, 7 months ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-12085452)
 * Having the same issue with a pharma-hack. Can’t install WordFence. How did you
   get around the 403 error in order to delete your plugins?
 *  [Martin](https://wordpress.org/support/users/mniggemann/)
 * (@mniggemann)
 * [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-12159641)
 * Hey [@stjason](https://wordpress.org/support/users/stjason/) can you give us 
   the file names and maybe code samples of the malicious code your host found?
   
   That would be of great help to others encountering the same hack.

Viewing 14 replies - 1 through 14 (of 14 total)

The topic ‘Pharma hack and 403 error admin-ajax.php’ is closed to new replies.

## Tags

 * [pharma](https://wordpress.org/support/topic-tag/pharma/)
 * [pharma hack](https://wordpress.org/support/topic-tag/pharma-hack/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 14 replies
 * 1 participant
 * Last reply from: [Martin](https://wordpress.org/support/users/mniggemann/)
 * Last activity: [6 years, 6 months ago](https://wordpress.org/support/topic/pharma-hack-and-403-error-admin-ajax-php/#post-12159641)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics