Wordpress Spam Results Google Search

Over the past few months, a new type of seasoned malware injection has surfaced on the internet, this malware’s intentions are pretty clear. It generates Spam Search Results when someone Googles about your WordPress website. The most common attacks are Japanese SEO SpamWordPress Pharma attack & Spam links. This WordPress Spam malware creates junk pages on your website that get redirected to other malicious web-pages, many times going unnoticed by the naked eye.

Symptoms of the WordPress Blackhat SEO Spam Hack:

A few common symptoms of this WordPress Spam malware are:

On searching; site:[your site root URL]

On navigating through the search results, you might notice meaningless word junctions appended to your domain name. The malware is designed to divert google searches towards them.

If you notice any of the above instances, your website is probably infected. A similar case of Malware Spam was observed with the Japanese SEO Spam.

If you observe any of the following symptoms on your WordPress website, you’re most likely to be infected by the WordPress Spam hack.

WordPress Blackhat SEO Spam Hack: Creation of new internal files containing malicious code

All the WordPress Websites affected by this WordPress Spam malware had this in common. The attackers usually tend to create a directory in wp-content/plugins/api-key with the files:

apikey.php
header.php
login.php
newsleter.php
wp-layouts.php
wp-nav-menus.php

which contained critical malware code.

There were also other files that are created in the WordPress root directory with malicious code:

wp-domain.php
wp-main.php
wp-uti.php
wp.php

One more example of this symptom is a file named ms-menu.php which is created in /wp-admin directory.

WordPress Blackhat SEO Spam Hack: Primitive malware identification, removal, and Maintenance of core WordPress functionalities.

Since the WordPress Spam malware is entirely dependant upon the host website to function properly and executes itself on page refreshes/loads. It makes sure that the WordPress functionalities are always up and running in case the WordPress website breaks/crashes the malicious code will not be executed.

It also supports various factors where the attacker can remotely update and rectify the website if needed. The WordPress Spam cryptoware also establishes the backup files in case of aborted updates.

One of the other features is the ability to identify, remove primitive malware present on the host WordPress website to avoid any suspicions from the website administrator.

Following is a code snippet example of the WordPress Spam Malware eliminating competition:

if (is_file("$level" . "index.php")) {
	$ind = file_get_contents("$level" . "index.php");
	if (filesoze("$level" . "$index.pho"). 'hacked')
	OR stripos(file_get_contents("$level" . "index.php"). 'hacked')
	OR stripos($ind, 'WARING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited')
	OR stripos($ind, 'form action="" method="post"></form')
	OR stripos($ind, 'eval(gzuncompress(')
	OR stripos($ind, 'WARN1NG_RC')) {
		chmod("$level" . "index.php", 0777);
		unlink("$level" . "index.php");
	}
}

WordPress Blackhat SEO Spam Hack: Google AdWords being disabled due to the occurrence of malware on a website:

Due to the widespread use of ads on the internet these days, they have become an easy way for hackers to direct users to compromised/malicious websites. This has forced advertisement networks such as Google AdWords to have stringent policy upgrades to avoid the spread of malware through hacked websites. Google AdWords regularly scans websites for hacked content & suspends ads running for hacked websites.

A few things easily noticeable are:

    • Warnings shown by Google on your AdWords being suspended:
      • Malicious or unwanted software. See what Google (here) itself has to say!
      • Our system randomly and periodically scans the website and checks if the website complies with the Google policy. Therefore, recently your website was scanned and the most recent system scan detected that this advertiser’s primary declared landing page is affected by an unsafe domain [domain .com]

To have a clear understanding and how to fix disapproved Google AdWords read our detailed blog post.

Fixing the WordPress Blackhat SEO Spam Hack

By following the steps given below the WordPress Spam Malware can be removed from the host website:

    • Removing the malicious new files created by the malware as mentioned in the above sections.
    • Checking your Google Webmasters account for any disparities, following our detailed guide to resolve them.
    • Scanning your website for malware and other infections/
    • Check which websites have outbound links to your site, from the Google Webmasters panel

How to Prevent WordPress Blackhat SEO Spam Hack

Another option available at your disposal to prevent the WordPress Spam Malware infections is to use a Website Firewall, like Astra. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website.

Take Astra Demo now.

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Abhi Chitkara

Abhi is a web security aficionado, when he is not securing websites by his sheer awesomeness, he is probably binge watching Brooklyn Nine-Nine.

About The Author

Ankit Pahuja
Ankit Pahuja

Ankit is a Web security analyst at Astra. He secures systems, hacks google search rankings, does some Web, and a bit of poetry!

1 Comment

  1. I was searching for this on how to reduce the spam, its really hard to run a blog with all these spams. Thanks for this helpful post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close