911 Hack Removal

Magento, OpenCart, Prestashop & PHP Website Infected with Black Hat SEO Spam?

Updated on: October 26, 2023

Magento, OpenCart, Prestashop & PHP Website Infected with Black Hat SEO Spam?

Lately, hackers are beginning to take advantage of your hard earned SEO techniques to get visibility for their spam websites through the better rankings on your website. This is Black Hat SEO Spam, or SEO Poisoning in Magento, Opencart & Prestashop. This article discusses all of these attacks with their symptoms, causes, outcomes, and steps to fix them.

Types of Black Hat SEO Spam Attacks

Japanese Keyword Hack

Also known as the Japanese Keyword Hack, this illegal Black Hat SEO Spam is quite prevalent recently. Hackers place auto-generated links in Japanese text in your websites which have been developed using Content Management Systems like Prestashop, OpenCart, Magento, Drupal and WordPress. Search engine results for your website may look like this:

Japanese Keyword Hack Black Hat SEO Spam

So when someone visits your website and clicks such links, they’re redirected to an affiliate website which sells fake brand merchandise and apparel. More on that in this article

Gibberish Keywords Hack

In the Gibberish Keywords Hack, the hacker adds spam pages filled with keyword-rich gibberish text, with the corresponding links to your site. Sometimes these pages also contain images to manipulate search engines and increase the ranking and traffic of the pages in Google search. 

On visiting these hacked pages, the visitor will be redirected to an unrelated page, such as a fake merchandise site. Hackers generate revenue when people visit these spam pages.

A redirected spam page generally would look like this:

Gibberish Text Page

Also, like in the Japanese Keyword Hack, hackers often use cloaking to make it harder for the site owner to detect whether the website has been infected or not. 

Pharma Hack

A third common type of Black Hat SEO spam is the Pharma Hack. In this, the attacker exploits vulnerable websites to distribute pharmaceutical products to the site’s visitors via your website. Symptoms of a pharma hack include embedded links and spam text on pages or modified lists in Search Engine Results Pages (SERPs). 

These attacks generally target popular search engines like Google or Bing in an attempt to increase traffic to illegal pharmaceutical businesses. They also generally add fake titles and descriptions to make the links seem relevant. The search results generally look like this:

Google Viagra hack screenshot

You can read more about the Pharma hack here.

Detecting Black Hat SEO Spam

1. Using Google Search

You can uncover spam pages by searching for site:[your site root URL] japan. If you see search results full of Japanese text, your site may be affected by the Japanese Keyword Hack.

You can also look for specific keywords to find Gibberish Keyword pages, or for pharmaceutical products to find Pharma Hack pages.

detecting the hack

Like in the above image, if you find suspicious content – here, the main domain of the website is .co.uk but the pharma products are shipped from Canada – it may be an indicator your site was hacked.

2. Using Google Search Console

In your Google Search Console/Google Webmaster Tools, navigate to the Security Issues Tool in the left sidebar. If your site was modified by the hacker, you can find out about it on this page. You may see a message like this:

3. Using the “Fetch as Google” Tool

If you’ve performed the above two steps and see a 404: Page not Found Error, then it’s a good idea to check for cloaking by entering your site’s URLs in the Fetch as Google tool. (Cloaking is a technique that enables hackers to display the gibberish/spam URLs or content to the users and search engines, while to the site owner it may show an HTTP 404-page error.) If the hacker attacked your site, you may see anomalous results. 

4. Using your sitemap

Check your website’s sitemap to see if there are any new suspicious links created by the hacker which helps to index their pages faster. If you see suspicious pages, then your site may have been hacked!

Infected with Black Hat SEO Spam? Drop us a message on the chat widget and we’d be happy to help you. Fix SEO poisoning now.

Effects of Black Hat SEO Spam

  • The Japanese Keyword Hack, and Black Hat SEO Spam techniques in general impact your SEO negatively. This can impact the traffic and revenue for your website.
  • Google may begin showing a “this site may be hacked” or “deceptive site” warning. This may lead to your website getting blacklisted by Google.
  • If your site is an e-commerce site, your users might question the security of your checkout process and their payment information, leading to a drop in your sales.
  • Google or Bing only serve relevant links, so they would root out any site that accepts payments for backlinks. The fake links make it look like your site is doing that, so your traffic and revenue would be impacted.
  • Having spam on your website negatively affects your reputation. The effort that goes into rebuilding a connection with your website’s visitors is huge.

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Website Protection before it is too late.

Fixing Black Hat SEO Spam

1. Take a backup of your site before cleaning.

It’s advisable to the website offline so that users don’t visit the infected pages while you’re cleaning it. Make sure to take a backup of all the core files and databases. Make sure to take the backup in a compressed file format, like .zip.

2. Remove any newly created accounts from the Google Search Console.

If you don’t recognise any accounts or users in your site’s Google search console, then immediately remove them. Hackers often add such spam admin accounts so that they can change your site’s settings.

3. Check your site’s .htaccess files.

Hackers often use the .htaccess files to redirect users & search engines to malicious pages. If you have a backup of your site, you can use that version to verify the contents of the .htaccess file. If you find any suspicious code, remove it or comment it out.

4. Replace the core, plugin, and theme files.

You can replace the infected core files with the original versions of the same from reputable sources. After downloading the fresh and updated versions of these files & directories, you can delete the older ones.

5. Delete any suspicious, recently modified files. 

You might find potentially infected files by looking at the ones which were recently modified. Remove any infected files by deleting them via terminal or an FTP client. If even after this action, the malware keeps popping up in search results, then that would mean that a backdoor was installed by the hacker in your database.

6. Check for keywords. 

Hackers can also use names similar to existing keywords so that they can add these malicious files to the server. For example:

<meta name="description" content="{keyword}" />
<meta name="keywords" content="{keyword}" />
<meta property="og:title" content="{keyword}" />
<div style="position: absolute; top: -1000px; left: -1000px;">Cheap prescription drugs </div>

Here the word “keywords” is being replaced with “keyword”. Make sure to check for such keywords and remove the malicious code.

7. Remove the backdoor.

Generally, hackers include a backdoor into the header.php file to make the malicious code execute every time a public website page is requested. This is mainly done to spam the search engine crawlers using our website. It will also recreate the wp-page.php as a “delete protection” feature. After removing the above files and the include function in the header.php, we can ensure that the spam results will be deleted from our SERPs.

8. Run a malware scan.

Run a malware scan on your web server for malware and malicious files. You can use the ‘Virus Scanner’ tool in the cPanel provided by your web host, or get expert malware cleanup with the Astra Pro Plan.

9. Verify the cleanup. 

After cleaning up your malware, a good way to verify that the malware is fully gone is to make Google recrawl your entire website. To do so log into your Google Search Console and go to Crawl > Fetch as Google. From here, type/find the location of your affected URLs, then click the Reindex button. If it returns a “Not Found” page, you’ve finally cleaned your site!

Experience Astra Web Protection Yourself With Our 7 Day Free Trial!

Astra stops 7 million+ nasty attacks every month! Secure your site with Astra before it is too late.

Black Hat SEO Spam: Conclusion

Cyber attacks are horrible – but their after-effects are more so. Our studies showed that even if you’re prompt in recovering your website from such attacks, your SEO takes a hit.

Your website needs credibility and security to attract customers – and spam can be devastating in that context. A hacker doesn’t worry about the size of your website, so your site is always at risk of getting infected.

If you do not wish to face such issues, consider investing in proactive website protection and maintain a standard security routine for your website. Firewalls and security plugins are tested solutions that go a long way in keeping your websites protected. This way, you never have to worry about getting hacked again!

About Astra

At Astra, we have a team of security experts who on a daily basis help website owners and developers to secure their website from attackers. Our intelligent firewall provides real-time 24×7 security against bad bots, hackers, malware, XSS, SQLi and 80+ attacks. Astra Firewall is highly customized for Prestashop, OpenCart & Magento to give all-around security to your E-commerce store. Take an Astra Demo now!

Tags: , , , ,

Rohan Roy

An IT engineer and a cyber security enthusiast, I research on bugs and flaws in Content Management Systems like Drupal and WordPress and discovering how to remove them.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Thee Bazaar
4 years ago

amazing articles looking forward to more informative blogs.

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany