911 Hack Removal

How to Effectively Remove WordPress SEO Spam Results from Google Search

Updated on: August 31, 2020

How to Effectively Remove WordPress SEO Spam Results from Google Search

Is your WordPress website generating spam results on Google? You might have fallen prey to SEO Spam malware! This WordPress SEO Spam malware creates junk pages on your website that get redirected to other malicious web-pages, which often goes unnoticed. The most common variants of this attack are Japanese SEO SpamWordPress Pharma attack & Spam links. Read on to know how to find and fix it.

This malware’s intentions are pretty clear. It uses your reputable site and redirects visitors to hacker-controlled domains. While Blackhat SEO spam removal is widespread, it can be tricky! It’s a great idea to get professional help – let Astra’s security experts help you here. For removal techniques you can attempt on your own, read on.

How To Find The WordPress SEO Spam Hack

To find if your website is affected by WordPress SEO Spam, you need to check for the following symptoms:

1. Searching site:[your site root URL] displays spam results

The easiest way to find out if your WordPress site is affected with SEO spam malware is to conduct a simple Google search. You need to type site: followed by your domain name. On navigating through the search results, you might notice meaningless word junctions appended to your domain name. The malware is designed to divert Google searches away from your site towards malicious sites.

For example, if you notice the above instance, your website is probably infected. The screenshot above is a site infected with the infamous Japanese SEO Spam.

If you observe any of the following symptoms on your WordPress website, you’re most likely to have been infected by the WordPress SEO Spam hack.

2. You notice new files appearing around your site

All websites affected by this WordPress SEO Spam malware had one thing in common: suspicious new files. The attackers usually tend to create a directory in wp-content/plugins/api-key with the files:

  • apikey.php
  • header.php
  • login.php
  • newsleter.php
  • wp-layouts.php
  • wp-nav-menus.php

Most often, these files contain critical malware code.

Some other files that are often created in the WordPress root directory with malicious code are:

  • wp-domain.php
  • wp-main.php
  • wp-uti.php
  • wp.php

Anohter example of this symptom is a file named ms-menu.php, which is usually created in the /wp-admin directory.

3. You perform primitive malware identification

WordPress SEO Spam malware is almost entirely dependent upon the host website to function properly. It executes itself every time a page refreshes or loads. It makes sure that WordPress functionalities are always up and running. In case the WordPress website breaks/crashes, the malicious code will not be executed. It also supports various factors where the attacker can remotely update and rectify the website if needed. The WordPress Spam cryptoware also establishes the backup files in case of aborted updates.

One of the other features of WordPress SEO Spam malware is the ability to identify and remove primitive malware present on the host WordPress website to avoid any suspicions from the website administrator. Following is a code snippet example of the WordPress Spam Malware eliminating competition:

if (is_file("$level" . "index.php")) {
	$ind = file_get_contents("$level" . "index.php");
	if (filesoze("$level" . "$index.pho"). 'hacked')
	OR stripos(file_get_contents("$level" . "index.php"). 'hacked')
	OR stripos($ind, 'WARING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited')
	OR stripos($ind, 'form action="" method="post"></form')
	OR stripos($ind, 'eval(gzuncompress(')
	OR stripos($ind, 'WARN1NG_RC')) {
		chmod("$level" . "index.php", 0777);
		unlink("$level" . "index.php");

4. You notice your Google AdWords being disabled

Due to the widespread use of ads on the internet these days, they have become an easy way for hackers to direct users to compromised/malicious websites. This has forced advertisement networks such as Google AdWords to have stringent policy upgrades to avoid the spread of malware through hacked websites. Google AdWords regularly scans websites for hacked content & suspends ads running for hacked websites.

A few easily noticeable symptoms are warnings shown by Google on your AdWords being suspended. If you find any of these, you might be affected:

  • Malicious or unwanted software. See what Google (here) itself has to say!
  • Our system randomly and periodically scans the website and checks if the website complies with the Google policy. Therefore, recently your website was scanned and the most recent system scan detected that this advertiser’s primary declared landing page is affected by an unsafe domain [domain .com]

To have a clear understanding and how to fix disapproved Google AdWords read our detailed blog post.

Finding Spam Links

To cure your website of the spam links, you need to do a thorough analysis of your files and databases. Here is how you can go about that:

1. Scan files for spam links

Search these files for spam links: theme headers, footers, or within the theme functions. Usually, the links are easily visible as hypertext links. However, in rare cases, they might be obfuscated too. Find the unknown, malicious links.

For instance, this is what a malicious link looks like:

<?php NorebroLayout::get_footer_buffer_content( true ); echo "<a href=\"http://www.authenticjetshockeyshop.com/mark-scheifele-jersey_c-422.html\"> </a>&nbsp;"; wp_footer();  ?>

Sometimes it is hard to tell if spam links have been inserted. In such a case, it is advised you get professional help.

2. Scan the database

Another target for spam links insertion is the database. So, you would need to scan the database as well for spammy links. Often spam links are inserted into your web pages & posts. Now, reviewing all the pages manually can be too tedious a task. So, here is how you can do this:

  • Access your database with phpmyadmin. phpmyadmin allows you to review multiple pages at a time.
  • Review pages and posts.
  • If you do find malicious links download the pages/posts locally and clean them.
  • Next, upload it back with the help of a SQL management tool. This step might need some SQL expertise.

Fixing the WordPress Blackhat SEO Spam Hack

By following the steps given below the WordPress Spam Malware can be removed from the host website:

  • Removing the malicious new files created by the malware as mentioned in the above sections.
  • Checking your Google Webmasters account for any disparities, following our detailed guide to resolve them.
  • Scanning your website for malware and other infections/
  • Check which websites have outbound links to your site, from the Google Webmasters panel

How Japanese SEO Spam affects Your Website Traffic & SEO?

We know hacks leave your website in wrecks. Even after doing a proper hack removal, the intangible effects often last longer. Recovering your website from these after-effects takes a great deal of effort. The intangible effects include decreased website traffic, drop in Google rankings, hit on the brand reputation, dampened customer inflow, etc. 

To measure how badly such hacks affect websites, we conducted a study. We monitored an infected website for days after the cleanup to see how they perform.

This is what we found:

The following analytics show website traffic for a year. Notice the drop in the traffic in later months.

WordPress SEO Spam

This is the website’s data in August this year when it was not hacked. Total clicks are 20.3k, impressions 254k, Average CTR 8%, Average position 15.

We compared this to the data of the month it was hacked. See the dip in the following picture. Total clicks dropped to 11.8k, Impressions reduced to 207k, Average CTR was 5.7% and the position was pushed down to 16.6.

When we narrowed down to the days the website was hacked, this is what we found. From November 8, 2019, to November 15, 2019, the average CTR dropped to 4.4% from the original 8%. Similarly, other aspects of the website also felt a dip.

It is quite clear that the consequences of Japanese SEO spams are huge. More so on your website’s traffic and SEO. Pulling a website of a hack after trauma takes constant effort prolonged for a period.

Obviously, you do not want to land in such a situation. Yes, you can totally avoid these scary-looking consequences by being a little vigilant for these attacks. The next segment will tell you how.

How to Prevent WordPress Blackhat SEO Spam Hack

The most convenient option out there to prevent the WordPress Spam Malware infections is to use a Website Firewall, like Astra. Astra Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website.

Take Astra Demo now to see how Astra works.

Have a specific question to ask? Shoot in the comment box or talk with security experts. We promise to reply 🙂

Was this post helpful?

Tags: , , ,

Abhi Chitkara

Abhi Chitkara is the Product Manager at Astra. He formerly worked as a security analyst at PwC. He is well versed in Information Security ISO Audits, Project Management, and VAPT. Abhi also actively participates in bug bounty programs and CTF's. He is currently the captain of a CTF team ranked in the top 100 CTF teams of India. Apart from his hacking skills, Abhi is also a superb product manager & shares the company's vision towards greatness. Personally, he is a huge basketball fan and loves to binge-watch Brooklyn nine-nine.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
2 years ago

I was searching for this on how to reduce the spam, its really hard to run a blog with all these spams. Thanks for this helpful post

1 year ago

In fact, it’s hard to do that.

Naman Rastogi
1 year ago

Yes, it is bit complicated to remove malware in case of SEO spam. Also, you need to submit links to Google search console regularly to fix it.

1 year ago

thanks, spam has been an issue for me. I tried many plugins but none work properly

Naman Rastogi
1 year ago
Reply to  Vicky

Hi Vicky,

Spam is one of the most common issues. Here are a few steps that you can follow to minimize it –

1) Use hidden CAPTCHA in your forms
2) Block the countries that are not relevant from your business
3) Implement firewall that checks the IPs (fake bing/google bots & scrapping IPs) & block them

Here is the feature list of Astra firewall – getastra.com/features

SEO Executor
SEO Executor
1 year ago

And it totally doesn’t help that SEO changes like….every week it feels like haha — but yes, I would absolutely focus on titles and meta descriptions at the very least

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany