
SEO spam: how to clean and protect your WordPress site


SEO spam is one of the more frustrating forms of WordPress attack because the damage adds up before you notice it.

Hackers inject link spam, keywords, and pages into your site. Your search rankings start dropping. Your traffic dries up, and by the time you investigate, Google may have already flagged your domain as unsafe.

Roughly 13,000 WordPress sites are compromised every day, totaling around 4.7 million annually.

This guide covers:

  • What SEO spam looks like.
  • How to tell if your site has been hit.
  • Steps to clean it up.
  • How to stop it from happening again.


What is SEO spam?

SEO spam (sometimes called spamdexing) is when someone injects unauthorized content into a website to manipulate search engine rankings. Instead of breaking your site or stealing data, attackers use your domain’s existing authority to rank their own pages. The aim is to sell counterfeit products or redirect your visitors to malicious destinations.

The mechanics are usually invisible to site owners. Attackers exploit a vulnerability, gain access to your WordPress install, and inject content into your theme files, your database, or your .htaccess file.

The injected content often shows up only to Google’s crawler (a technique called cloaking), which means your site looks perfectly normal when you visit it. The damage happens in the search results, where your domain starts appearing for keywords you’ve never published content for.

WordPress is a frequent target because of its widespread use. With around 41% of all websites running WordPress, an automated attack targeting WordPress vulnerabilities has an enormous potential audience.

According to the Patchstack 2026 State of WordPress Security report, 11,334 new vulnerabilities were discovered across the WordPress ecosystem in 2025, a 42% increase over the year before. 91% of those were in plugins. Only 6 were in WordPress core itself.

Common types of SEO spam

SEO spam attacks take a few recognizable forms.

The pharma hack


The pharma hack is one of the oldest and most common. Attackers inject pharmaceutical keywords and pages into your site, typically promoting counterfeit drugs like Viagra or Cialis. The pages are usually invisible to visitors but are indexed by Google, so your domain starts appearing in searches for pharmaceutical terms.

The Japanese keyword hack


The Japanese keyword hack generates large numbers of pages filled with auto-translated Japanese hidden text. The pages promote counterfeit luxury goods, fake electronics, or other knockoff products. This variant is particularly aggressive: a single infection can create hundreds or thousands of indexed pages within a few days.

Link injection

Link injection adds spammy backlinks to your existing content, usually buried in the footer or in low-visibility areas of the page. The hidden links point to attacker-controlled sites trying to manipulate their own search rankings using your domain’s authority.

Cloaking

Cloaking creates hidden pages that show one thing to Google’s crawler and something else to human visitors. You won’t see them when browsing your own site, but they’re there in your filesystem, and they’re being indexed.

Banner and ad injection

Banner and ad injection modifies existing ad placements, call-to-action buttons, or download links to point at fraudulent destinations. Visitors clicking what looks like a normal button end up on a scam site instead.

Spam page creation

Spam page creation adds new pages to your site using keyword stuffing for whichever keyword the attacker wants to rank for. These pages often piggyback on your existing site structure, sometimes with URLs designed to look like legitimate sections of your site.

A growing trend in 2025 was the use of automatically generated content for pharma hack pages, making them harder to detect through traditional content-pattern scanning. Some 2025 backdoor campaigns also installed fake plugins (such as “Ultra SEO Processor”) that automatically recreate admin accounts after you delete them. This is part of why prevention matters so much more than cleanup.

How SEO spam affects your WordPress site

Search engine penalties are usually the first sign that something is wrong. Google detects the injected content during a crawl and either drops your rankings or, in worse cases, removes your domain from search results entirely. Recovery from a manual penalty can take weeks, even after the spam is cleaned up.

Reputation damage follows quickly. Visitors who see pharmaceutical keywords associated with your business or get redirected to scam sites won’t trust your domain again. For B2B sites and ecommerce stores, this can do lasting commercial damage.

Lost revenue affects both organic traffic and direct sales. When traffic drops, lead generation drops with it. When trust drops, conversion rates drop too.

Security risks compound the SEO problem. The same vulnerability that lets attackers inject spam content usually lets them do more: install backdoors, harvest user data, mine cryptocurrency on your server, or use your site to attack other sites in turn. SEO spam is often the most visible symptom of a deeper compromise.

How to identify SEO spam on your WordPress site

Catching SEO spam early limits the damage. Here are the signs worth looking for.

External signs

Unexpected pages or content appearing in search results. Search for your domain name on Google using the site: operator (for example, site:yourdomain.com) and review the results. If you see pages you didn’t create, pages in unexpected languages, or pages with suspicious keywords, that’s a strong signal.

Sudden ranking drops or traffic loss. A sharp decline in your search traffic that you can’t explain through your own SEO work is often the first symptom site owners notice. Google Search Console will sometimes flag the cause directly under Security Issues.

Unfamiliar redirects. Visit your own site from an incognito browser window. If pages are redirecting unexpectedly, especially to sites in other languages or to suspicious URLs, you’re looking at active spam infrastructure.

Warnings in Google Search Console. Google often detects spam content before site owners notice anything is wrong. Check Search Console regularly for security alerts and indexing anomalies.

Internal signs

New users in your WordPress dashboard. Check Users > All Users for any admin or editor accounts you don’t recognize. Modern attacks often create persistent admin accounts to maintain access after the initial infection.

Unfamiliar plugins or files. Scan your WordPress dashboard for plugins you didn’t install. A common 2025 attack installed fake plugins with innocuous names like “Ultra SEO Processor” to maintain backdoor access.

Malicious content in core files. If you’re comfortable reading code, look in .htaccess, wp-config.php, and theme files for injected code: unfamiliar redirects, base64-encoded strings, or eval() calls are strong indicators.

A regular site scan with a WordPress security plugin is the easiest way to see most of these signs without having to check everything manually.

How to remove SEO spam from your WordPress site

A heads-up before you start: cleaning SEO spam properly involves direct file editing, database changes, and command-line work in places. If you’re not comfortable with this, hire a WordPress security professional. The cost of a botched cleanup is usually higher than paying someone to do it right. A bad cleanup that leaves even small remnants of malicious code often results in reinfection within days.

If you’re handling it yourself, here are the steps.

Step 1: Back up your site

Before changing anything, take a full backup of your site as it currently exists, infected or not. Kadence Security can do this automatically. If you’re working manually, back up both the file system (via FTP) and the database (via phpMyAdmin or a backup plugin).

You want the backup for two reasons: in case you accidentally break something during cleanup, and in case you need to compare the infected version against a clean version later.


Step 2: Run a full security scan

A WordPress security plugin with site scanning will identify most known vulnerabilities and malware signatures. The scan will flag suspicious files, outdated plugins with known vulnerabilities, and any modified core files. Note the results before doing anything else, since you’ll want a reference point to compare against once cleanup is complete.

Step 3: Identify and remove infected files

Go to your /wp-content/ folder via SFTP or your hosting provider’s File Manager. Look for files that don’t belong: unfamiliar PHP files, files with unusual names like .cache, .class, or .old (which attackers use to disguise malicious files as legitimate plugin files), and recently modified files in folders you haven’t touched.

Pay particular attention to:

  • /wp-content/uploads/. This folder shouldn’t contain PHP files at all. Any PHP file here is almost always malicious.
  • /wp-content/plugins/. Look for plugins you don’t recognize or didn’t install.
  • /wp-content/themes/. Check your active theme’s functions.php for unfamiliar code, especially near the top or bottom of the file.

When in doubt, replace plugin and theme files with fresh copies downloaded from WordPress.org or the original developer.
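
The checks in Step 3 can be run in one pass over SSH. The script below is an added example, not part of the original guide: the function name, the output tags, and the 14-day default window are assumptions, and it only lists files for review.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): read-only triage of wp-content.
# Prints one "TAG<TAB>path" line per finding and never deletes anything.

tag() { awk -v t="$1" '{ print t "\t" $0 }'; }

scan_wp_content() {
    local root="${1:-wp-content}" days="${2:-14}"

    # uploads/ should hold media only. .phtml, .phar and .php5-style names are
    # included because many servers are configured to execute them as PHP.
    if [ -d "$root/uploads" ]; then
        find "$root/uploads" -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
            | tag PHP_IN_UPLOADS
    fi

    # Disguise extensions named in Step 3, reported only when the file
    # actually contains a PHP open tag.
    find "$root" -type f \( -name '*.cache' -o -name '*.class' -o -name '*.old' \) \
        -exec grep -li '<?php' {} + | tag DISGUISED_PHP

    # PHP files modified within the last $days days, for manual review.
    find "$root" -type f -name '*.php' -mtime "-$days" | tag RECENT_PHP
}

# Usage: ./scan.sh /path/to/wp-content 14
if [ "$#" -gt 0 ]; then scan_wp_content "$@"; fi
```

RECENT_PHP will include legitimate plugin updates, so compare those paths against what you know you changed.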

Step 4: Clean your .htaccess file

The .htaccess file in your WordPress root directory controls server-level rewrites and redirects. Attackers love it because they can hijack search engine traffic through it. Open the file and look for unexpected rewrite rules.

A typical SEO spam .htaccess injection looks something like this:

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ somehackfile.php?$1 [L]

What this code does: it checks whether the visitor is a search engine crawler or arrived from a search result. If so, it redirects them to an attacker-controlled file (somehackfile.php). Regular visitors see your normal site. Search engines see whatever the attacker wants them to see. This is classic cloaking.

To clean it, delete any rewrite rules you don’t recognize. If you’re not sure which rules are legitimate, rename your current .htaccess to .htaccess.old, then open Settings > Permalinks in your WordPress dashboard and click Save Changes. WordPress will regenerate a clean .htaccess file.
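
To find the rules worth reading first, the audit below flags conditions keyed to search-engine user agents or referrers, the rule they feed, and any rewrite directive outside WordPress’s own `# BEGIN WordPress` / `# END WordPress` block. It is an added example, not part of the original guide; the function name, output tags, and the extra crawler names in the match list are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): read-only audit of an .htaccess file.
# Output columns: TAG <TAB> line number <TAB> directive.

audit_htaccess() {
    awk '
    # WordPress writes its own rules between these two marker comments.
    /^[ \t]*# BEGIN WordPress/ { in_wp = 1; next }
    /^[ \t]*# END WordPress/   { in_wp = 0; next }
    { low = tolower($0) }

    low ~ /^[ \t]*rewritecond/ {
        # A condition on the user agent or referrer that names search engines
        # is the cloaking pattern, wherever in the file it appears.
        on_visitor = index(low, "%{http_user_agent}") || index(low, "%{http_referer}")
        if (on_visitor && low ~ /google|bing|yahoo|msn|aol|yandex|baidu|duckduck/) {
            print "CLOAK_COND\t" NR "\t" $0; pending = 1
        } else if (!in_wp) {
            print "OUTSIDE_WP\t" NR "\t" $0
        }
        next
    }
    low ~ /^[ \t]*rewriterule/ {
        # The first rule after flagged conditions is where crawlers get sent.
        if (pending)     { print "CLOAK_RULE\t" NR "\t" $0; pending = 0 }
        else if (!in_wp) { print "OUTSIDE_WP\t" NR "\t" $0 }
        next
    }
    ' "$1"
}

# Usage: ./audit-htaccess.sh /path/to/.htaccess
if [ "$#" -gt 0 ]; then audit_htaccess "$1"; fi
```

OUTSIDE_WP lines are not necessarily malicious (caching and redirect plugins add their own rules); the file named in a CLOAK_RULE line is the one to inspect and remove along with the rule.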

Step 5: Check your database for injected content

Connect to your database through phpMyAdmin (most hosting control panels include this) and look for injected content in two places:

The wp_posts table. Search for suspicious content in your existing posts, especially tags, base64-encoded strings, or links to unfamiliar domains. Pay attention to posts with statuses you didn’t set or authors you don’t recognize.

The wp_options table. Look for unusual entries, particularly anything that contains JavaScript or links to external sites. The siteurl and home values should both match your actual domain.

Code injected to hide its purpose often uses base64 encoding. A URL like aGFja2VyZG9tYWluLmNvbQ== is base64 for hackerdomain.com. If you see base64 strings in places that shouldn’t contain them, that’s a red flag worth investigating.

Step 6: Search for base64 encodings across files

If you have SSH access to your server (or you’ve downloaded your site files locally), you can find base64-encoded content across all PHP files with this command:

find . -name "*.php" -exec grep -l "base64" {} \; > b64-detections.txt

This searches every PHP file in the current directory and below for any reference to “base64” and saves the results to b64-detections.txt. Not every match is malicious (some plugins use base64 legitimately), but the output gives you a starting list of files to review.
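
To shorten that review list, the script below (an added example, not part of the original guide) applies the decoding idea from Step 5 to the files found in Step 6: it flags files where decoded data is passed to eval() and prints any base64 literal that decodes to readable text. Function names and output tags are assumptions, and it assumes GNU grep and coreutils base64.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): triage of base64 hits in PHP files.
# Requires GNU grep and coreutils base64 (assumed: a typical Linux host).

decode_if_text() {
    local s="$1" dec
    # Valid padded base64 is always a multiple of four characters long.
    [ $(( ${#s} % 4 )) -eq 0 ] || return 1
    dec=$(printf '%s' "$s" | base64 -d 2>/dev/null | tr -d '\000')
    [ -n "$dec" ] || return 1
    # Keep only results made entirely of printable ASCII; ordinary long
    # identifiers decode to binary noise and are dropped here.
    [ -z "$(printf '%s' "$dec" | LC_ALL=C tr -d '[:print:]')" ] || return 1
    printf '%s\n' "$dec"
}

triage_base64() {
    local dir="${1:-.}" f s dec
    # Same starting list as the find/grep one-liner in Step 6.
    find "$dir" -type f -name '*.php' -exec grep -l 'base64' {} + |
    while IFS= read -r f; do
        # Decoded data handed to eval() is the usual obfuscated-loader shape.
        if grep -Eqi 'eval[[:space:]]*\(.*base64_decode' "$f"; then
            printf 'EVAL_B64\t%s\n' "$f"
        fi
        # Decode each distinct literal so hidden hostnames become readable.
        grep -oE '[A-Za-z0-9+/]{16,}={0,2}' "$f" | sort -u |
        while IFS= read -r s; do
            if dec=$(decode_if_text "$s"); then
                printf 'DECODES_TO\t%s\t%s\n' "$f" "$dec"
            fi
        done
    done
}

# Usage: ./triage-b64.sh /path/to/site
if [ "$#" -gt 0 ]; then triage_base64 "$1"; fi
```

Files that appear in b64-detections.txt but produce no line here still need a look; attackers can split or double-encode strings so that no single literal decodes cleanly.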

Step 7: Remove unauthorized users

Go to Users > All Users in your WordPress dashboard and delete any user accounts you don’t recognize. Pay particular attention to admin and editor accounts. Some 2025 backdoor variants recreate deleted admin accounts automatically, so monitor your user list for the next few days after cleanup.

Step 8: Update everything

Update WordPress core, every plugin, and every theme to the latest version. Most successful SEO spam attacks exploit known vulnerabilities that have patches available. Updating closes the door behind you.

Step 9: Reset all credentials

Change passwords for every admin account, your database user, your hosting account, and your FTP credentials. Use strong, unique passwords for each one. If you weren’t using a password manager before, now is the time to start.

Step 10: Scan again

Run a second full security scan once cleanup is complete. Compare the results against your pre-cleanup scan. If new issues appear that weren’t there before, you may have introduced something during the cleanup process or missed an injection. If old issues are still there, repeat the relevant steps until the scan comes back clean.

Step 11: Request a Google review

If your site was flagged in Google Search Console, submit a reconsideration request once cleanup is complete. Include a brief description of what happened, what you removed, and what you’re doing to prevent it from happening again. Google typically responds within a few days.

How to prevent SEO spam attacks

Prevention is significantly cheaper than cleanup. The fundamentals matter more than any single advanced technique.

Keep WordPress, themes, and plugins updated

Most successful SEO spam attacks exploit known vulnerabilities with available patches. Keep everything up to date, ideally with auto-updates enabled for security releases. The Patchstack 2026 report found that the median time between a vulnerability becoming public and being exploited is measured in hours, so the speed of your updates matters.

Use strong, unique passwords and 2FA

Strong passwords hold up against brute force attacks in a way weak passwords don’t. Two-factor authentication stops credential-stuffing attacks that strong passwords alone can’t prevent. Every admin account should have both.

Install a WordPress security plugin

A security plugin gives you ongoing scanning, firewall protection, and login security in one place. Kadence Security covers all of these alongside the other parts of WordPress security mentioned below.

How Kadence Security handles SEO spam protection

Kadence Security is built to handle the full set of protections above in a single plugin, which avoids the conflicts you can get from stacking three or four separate security tools.


For SEO spam specifically, the relevant features include:

  • A real-time firewall that filters suspicious traffic before it reaches WordPress, blocking common SEO spam injection attempts at the perimeter.
  • Patchstack virtual patching that protects against vulnerable plugins and themes even before official patches are released, drawing on Patchstack’s vulnerability intelligence database.
  • Brute force protection that limits login attempts and blocks repeat offenders automatically.
  • Two-factor authentication built into the plugin for every account that needs it.
  • A security dashboard that shows threats, blocked attacks, and any suspicious activity in one place.

Use SSL and choose secure hosting

SSL certificates encrypt traffic between visitors and your server, which protects against several attack types (including session hijacking that can lead to compromised admin accounts). Your hosting provider’s security posture also matters. Managed WordPress hosting handles server hardening, network-level rate limiting, and infrastructure-layer security so you’re not relying entirely on application-layer plugins.

Run regular backups

Automated daily backups (with off-site storage) give you a quick path back if something goes wrong. Backups don’t prevent attacks, but they turn a potential disaster into a manageable inconvenience.

Limit administrator access

Every user with admin access is another potential attack vector. Limit admin accounts to the smallest number that actually need them. Anyone who only needs publishing access should get the editor or author role instead of full site control.

Audit your site regularly

Even with prevention measures in place, regular check-ins catch problems early. Look at Google Search Console once a week. Review your user list once a month. Run a security scan once a quarter at minimum. The earlier you catch a problem, the cheaper it is to clean up.

Protect your site from SEO spam

SEO spam is one of the more damaging forms of WordPress attack because the consequences keep compounding while you’re trying to figure out what went wrong. Your rankings drop. Your traffic dries up. Your reputation suffers. All of this happens while the attacker continues using your domain to rank their own content.

The good news is that prevention is straightforward. Updates, strong passwords, two-factor authentication, a security plugin, and reliable hosting cover the vast majority of attack vectors. The work to set this up is small. The work to recover from a serious infection is not.

For WordPress sites, the combination of Kadence Security at the site level and Liquid Web’s managed WordPress hosting as the hosting layer stops most SEO spam attempts before they start.


Alexis Wisniewski is an Organic SEO Manager at Liquid Web. She has been leading SEO, primarily for technology brands, since 2013, specializing in SEO content and strategy. When she’s not reading and writing online, she’s usually reading and writing offline, or spending time with her family in the Chicagoland suburbs.