SEO spam on hacked WordPress sites

What Is SEO Spam And How Can It Hurt Your WordPress Site

Almost half of all malware attacks against websites involve SEO spam. This type of attack is performed by black-hat SEOs and hackers who want to improve the search ranking of their own sites.

Unfortunately, SEO spammers often target WordPress websites. They do so because WordPress is the most popular content management system in the world, which means there are many targets to choose from. There are also millions of insecure WordPress installations which contain unpatched vulnerabilities in plugins, themes, or the WordPress core.

This guide will take a closer look at SEO spam. We’ll identify the reasons why hackers use SEO spam, how it can hurt your website and the signs that indicate your website may contain SEO spam. We’ll also share some useful tips for protecting your website against SEO spam.

What is SEO Spam?

Search engines use a variety of factors to determine where a website should rank in search engine results. One of the most important factors is the number and quality of incoming links that a website has. Essentially, the more links a website has from high-quality, relevant websites, the higher it will rank.

SEO spammers use a variety of techniques to insert links and content on other people’s websites in order to improve their own website’s search engine rankings. This approach, commonly called spamdexing, allows them to push their low-quality sites to prominent positions in search engine rankings.

The most common SEO spam techniques include:

  • Inserting links into existing pages on a website
  • Creating new pages full of links and spammy content
  • Redirecting pages on your website to their other websites (often using JavaScript redirects)
  • Adding spammy comments to blog posts
  • Hosting spam content
  • Adding wikis, forums, and other applications to your website which are populated with spam content and links
  • Including SEO spam content from other websites via iframes and file inclusions

In many cases, SEO spammers will create elaborate link farms involving thousands of websites. Your website might simply link to another hacked site that eventually links to the spammer’s monetisation site, which is the site they are attempting to push up the rankings. Some spammers will even attempt to make your site the money site by adding sales pages to it and pushing thousands of new links towards it.

How can SEO spam hurt your website

There are many negative consequences associated with having SEO spam on your website including:

Your website may be blacklisted by search engines

When search engines discover that your website contains many links to low-quality spam websites, they may take action against it. Google, for example, may mark your website as being affected by a malware attack. This can reduce the number of visitors that your site gets from search engines.

Forcing your website to rank lower

Having dozens of spammy outbound links on your website’s pages may reduce your website’s search engine rankings. Additionally, if the spammer has made your website a part of their link farm, it may start to receive thousands of low-quality incoming links. Search engines may also view this negatively.

Spam starts appearing when people search for your business

If spammers have updated pages or added pages with spammy content, this will eventually appear in search engine results when people search for your business. Spammers might be adding content of a sexual nature or pharma spam which sells products like Viagra. This can severely damage your business’s reputation.

If your site is compromised by SEO spam it might have other issues

Most SEO spam attacks will target a vulnerability in your website. This might be an out-of-date plugin, a weak password, or insufficient server security. Once the attacker has gained control over your website, they might insert other forms of malware in addition to their SEO spam.

They could insert spyware, adware, viruses, and other malware that affects the visitors of your website. This may leave you open to legal action from your visitors, a loss of sensitive data, or permanent blacklisting from search engines.

Signs that your website may have SEO spam

There are many signs which indicate the presence of SEO spam on your website including:

Warnings in Google Search Console

If your website is verified with Google Search Console, you will be alerted if Google finds unusual link or page activity and has penalised your site. Some of the Google Search Console penalty notifications that might indicate SEO spam include:

  • User-generated spam penalty
  • Unnatural links to your website penalty
  • Unnatural links from your website penalty
  • Hacked website penalty
  • Spammy structured markup penalty
  • The hidden text or keyword stuffing penalty
  • Cloaking or sneaky redirects penalty
  • Thin content with low or no added value penalty

Google Search Console will also inform you of Security Issues affecting your website. These issues can sometimes indicate the presence of SEO spam. Look for security issues involving Code Injection, SQL Injection, Cross-Site malware, and server configuration (which usually means redirects which go to a malware-ridden site).

Unusual activity in Google Analytics

If you notice a sudden increase in the traffic to your website in Google Analytics, it may be related to SEO spam. The spammers might have started incorporating your website into their link farm, which has given your site a temporary boost. They may have also installed some spam pages on your domain which sell products to visitors, and they are sending traffic to your website.

Check your backlink profile

Websites like Ahrefs and Majestic can give you highly detailed information about the links that are coming into your website. They are excellent tools for improving your website’s SEO. Ahrefs can also be used to track unusual backlink activity relating to your website. That means that an SEO spammer incorporating your website into their link farm will be quickly spotted.

If you have a problem with SEO spam, you may notice a significant jump in the number of backlinks coming to your website or some very low-quality sites suddenly linking to your website. You might also notice that the new incoming links to your website have unusual anchor text like “Viagra” or “Cheap shoes”.

Check for crawl errors

Go back into Google Search Console and click on the Crawl section. Click on Crawl Errors, then look at the pages that are not found. Some of these non-existent pages may be the targets of incorrectly configured SEO spam. Take a look at the Linked From tab to see who is spamming your website.

Look for unexpected new pages or folders on your website

New posts or pages appearing in WordPress without your knowledge are a clear sign that your website is being used for SEO spam. Look for unexpected content being added to WordPress or any new authors being added in the administration section. There might also be new PHP or HTML files and new folders scattered around your server.

Search your site using Google

Perform a Google search of your site using the site: operator. This operator lists the top pages within your domain. Simply go to Google and type site: followed by your domain. If you are greeted with a list of unfamiliar pages that look like spam, you may have SEO spam on your website. You can also combine the site: search with a common spam term like viagra, which will return any pages on your website that mention Viagra. Words like “free” and “cheap” are also often used by SEO spammers.

Third-party scanners find a problem

You can also use a third-party scanner to detect the presence of SEO spam on your website.

How SEO spam attacks work on WordPress

In most cases, an SEO spam attack will begin with a hacker placing a backdoor on your server. This will usually be performed by identifying a vulnerability in the WordPress core, a WordPress plugin, a theme, or another piece of server software. This backdoor will give them the ability to modify other files on the server.

Once they can modify files such as .htaccess, wp-config.php and wp-includes/load.php, they gain a lot of control over your website. The most common locations for WordPress backdoor files are the images and uploads directories, as they tend to have the most permissive permissions.

The spammer will then use the backdoor files to gain access to other data or to your database. They can then add or modify content on your website. Some spammers will even install additional WordPress installations in subdirectories beneath your site, reducing the likelihood that you will notice the other spam content. These more sophisticated SEO spammers will often create additional folders with files to manage their spam blogs remotely.

Finding and removing SEO Spam from your website

Use the following steps to remove SEO spam from your website:

Track down the backdoor

Begin by eliminating the entry point that the hacker used to compromise your website. The most likely locations are wp-content/uploads/.*php (a PHP file with a random name), wp-includes/images/smilies/icon_smile_old.php.xl, wp-includes/wp-db-class.php and wp-includes/images/wp-img.php. You can scan the files manually and use the techniques listed below.
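The following helpers turn the backdoor locations listed above into a repeatable triage pass over a web root. This is an added example and not a script from the article; the web-root path, the sample tree and the placeholder payload string are constructed for the demonstration, and every hit still needs a manual look because core and plugins legitimately use some of these functions.

```shell
#!/bin/sh
# Triage helpers for locating a WordPress backdoor (added example, not from the article).
# Usage: . ./hunt.sh; php_in_uploads /var/www/html; suspicious_php /var/www/html

# Function/obfuscation patterns that cluster in webshells and spam loaders (ERE).
SUSPECT_RE='(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13) *\(|preg_replace *\(.*/e'

# 1. WordPress never writes PHP into uploads/; any PHP file there is suspect by location alone.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# 2. PHP files anywhere under the web root that contain the patterns above.
suspicious_php() {
  find "$1" -type f -iname '*.php' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null
}

# 3. Files with a non-PHP extension that still carry a PHP open tag (the .php.xl and images/
#    cases from the article); these run only when a handler or include pulls them in.
masquerading_php() {
  find "$1" -type f ! -iname '*.php' \( -path '*/uploads/*' -o -path '*/images/*' \) \
    -exec grep -lI '<?php' {} + 2>/dev/null
}

# Constructed sample tree so the helpers can be exercised offline.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2023/05" "$d/wp-includes/images/smilies" "$d/wp-content/themes/x"
  printf '<?php get_header(); echo "legit theme"; ?>\n' > "$d/wp-content/themes/x/index.php"
  printf 'GIF89a' > "$d/wp-content/uploads/2023/05/photo.gif"
  # constructed loader-style stub: the encoded string is a placeholder, not a working payload
  printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER"))); ?>\n' > "$d/wp-content/uploads/2023/05/x7f9.php"
  printf '<?php echo "constructed: php hidden under a .xl extension"; ?>\n' > "$d/wp-includes/images/smilies/icon_smile_old.php.xl"
  echo "$d"
}
```

Run the three functions against the sample tree first to see what a hit looks like, then against the real web root; anything reported under uploads/ or images/ should be compared against a clean WordPress copy before deletion.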

Use server-side anti-virus software

Ensure the server has up-to-date security software installed and running. Applications like ClamAV are very effective at locating potentially malicious files in web directories.

Scan your website with a third party tool

There are many third-party tools which will scan your website to identify any spam pages or compromised files. The following services offer free scans for malicious files. Third-party tools might help you locate the backdoor if you did not find it in the first step.

Use a WordPress plugin to scan your files

Install a WordPress security plugin and have it scan your files to ensure they are correct. These scanners will spot any malicious code that has been added to your files.

Check your sitemap

Some SEO spam attacks will modify the WordPress sitemap to increase the likelihood of the spam URLs being found by search engines. Check your website’s sitemap to see whether it has been modified, and compare the URLs it lists against the pages you actually published.
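One way to do that comparison mechanically, as an added example rather than anything from the article: pull the URLs out of a downloaded sitemap, flag those carrying the spam keywords mentioned earlier on this page, those pointing at another host, and those absent from a list of URLs you know you published. The file names, host names and sample sitemap are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a WordPress sitemap for injected URLs (added example, not from the article).
# Assumes sitemap.xml was downloaded from the site and expected.txt lists the URLs you
# publish, one per line (e.g. exported from the WordPress admin); both names are placeholders.

# Terms the article mentions spammers use, plus a few other common ones; tune for your site.
SPAM_TERMS='viagra|cialis|cheap|free|replica|casino|payday|pharmacy'

# Every <loc> entry; a sitemap index lists its child sitemaps with the same element.
sitemap_urls() {
  grep -o '<loc>[^<]*</loc>' "$1" | sed 's#<loc>##; s#</loc>##'
}

# URLs whose path carries a spam keyword.
spam_keyword_urls() {
  sitemap_urls "$1" | grep -iE "$SPAM_TERMS"
}

# URLs pointing at a host other than yours ($2 is the expected host name).
foreign_host_urls() {
  sitemap_urls "$1" | grep -vE "^https?://$2/"
}

# URLs the sitemap advertises that are not in your published list ($2), exact match.
unexpected_urls() {
  sitemap_urls "$1" | grep -vxF -f "$2"
}

# Constructed sample: three real pages, two spam slugs, one off-site entry.
make_sample() {
  d=$(mktemp -d)
  cat > "$d/sitemap.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://shop.example/</loc></url>
<url><loc>https://shop.example/about/</loc></url>
<url><loc>https://shop.example/blog/summer-sale/</loc></url>
<url><loc>https://shop.example/cheap-viagra-online/</loc></url>
<url><loc>https://shop.example/wp-content/uploads/2023/replica-watches/</loc></url>
<url><loc>http://spam.example/outlet/</loc></url>
</urlset>
EOF
  printf '%s\n' https://shop.example/ https://shop.example/about/ https://shop.example/blog/summer-sale/ > "$d/expected.txt"
  echo "$d"
}
```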

Change your passwords and harden WordPress users

If you have found SEO spam in your WordPress database, it is safe to assume the spammer has gained access to all of your administrative areas. Generate new WordPress salt keys and change the passwords for your FTP accounts, databases (important) and hosting accounts. Remove any unauthorised WordPress users, change all WordPress user passwords and check the email addresses of all users.

Examine recently modified files

Log in to your web server and run the following command (GNU find) to list every file with its modification time, most recently modified first:

find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

This will help you quickly identify a backdoor installed by a hacker or any SEO spam files.

Check your .htaccess file

The .htaccess file is a common attack point for SEO spammers, who use it to redirect visitors or search-engine crawlers elsewhere or to make other files executable. Manually inspect your .htaccess and compare it with the stock WordPress rules to ensure it is in order.
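As an added example (not a script from the article), the helper below greps an .htaccess for the directive patterns that correspond to the cloaking, sneaky redirect and file-inclusion techniques described earlier on this page, and ships with the stock WordPress block plus a constructed spam block (spam.example is a placeholder host) so the output can be checked offline.

```shell
#!/bin/sh
# Audit an .htaccess for directives SEO spammers plant (added example, not from the article).
# Prints "<reason>: <line-number>:<line>"; every hit needs a manual look, since hosting control
# panels add legitimate AddHandler lines and some plugins add legitimate redirects.

audit_htaccess() {
  f="$1"
  # Cloaking: rewrite rules that only fire for search-engine crawlers
  grep -niE '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_USER_AGENT\}.*(googlebot|bingbot|slurp|yandex|baidu)' "$f" | sed 's/^/crawler-conditioned-rule: /'
  # Sneaky redirect: rules that only fire for visitors arriving from a search engine
  grep -niE '^[[:space:]]*RewriteCond[[:space:]]+%\{HTTP_REFERER\}.*(google|bing|yahoo|yandex)' "$f" | sed 's/^/referrer-conditioned-rule: /'
  # Redirects to another host (stock WordPress only rewrites to /index.php)
  grep -niE '^[[:space:]]*(RewriteRule|Redirect|RedirectMatch)[[:space:]].*https?://' "$f" | sed 's/^/external-redirect: /'
  # Error pages served from another host
  grep -niE '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' "$f" | sed 's/^/external-errordocument: /'
  # PHP loader prepended to every request, or non-.php extensions made executable
  grep -niE 'auto_(pre|ap)pend_file|^[[:space:]]*(AddHandler|AddType|SetHandler)[[:space:]].*php' "$f" | sed 's/^/php-handler-tamper: /'
}

count_findings() { audit_htaccess "$1" | wc -l | tr -d ' '; }

# The stock WordPress block, for comparison.
stock_block() {
  cat <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF
}

# Constructed sample: stock block followed by an injected block (spam.example is a placeholder).
make_sample_htaccess() {
  f=$(mktemp)
  { stock_block; cat <<'EOF'
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam.example/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]
RewriteRule .* http://spam.example/ [R,L]
ErrorDocument 404 http://spam.example/404
php_value auto_prepend_file /tmp/.loader.php
AddHandler application/x-httpd-php .xl
EOF
  } > "$f"
  echo "$f"
}
```

The stock block produces no findings and the sample produces seven; remember that .htaccess files can also sit in subdirectories such as wp-content/uploads, so run the audit over every one that find turns up.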

Remove any spam pages

You may find spam pages in both your WordPress database and in your website’s folders. Manually remove them. Use the information gathered previously from Google Search Console and Ahrefs to help you find the location of spam pages.

Reinstall your plugins and theme

Back up your plugins, then reinstall them from a trusted source. This will help you eliminate any compromised files in the plugins folder. You should also examine your theme files or completely reinstall the theme to ensure it is not compromised. Remove any unused themes or plugins as well, as they may contain vulnerabilities.

Reinstall your WordPress core files

For safety’s sake, it is usually a good idea to replace your WordPress core files with the latest versions.

Harden your WordPress installation

There are many steps you can take to improve the security of your WordPress installation, but it depends on your server and WordPress configuration.

Resubmit your website to Google

If Google has detected the pharma spam on your website, your website may already be penalised. Once you have repaired your website, go to Google Search Console and use the Remove URLs feature to eliminate any references that Google has to the infected pages. You will then have to go to Search Traffic > Manual Actions and request a review of your website.

For more information on preventing SEO spam, subscribe to the site or follow us on social media.

Darius S.
