Is your website generating spam results on Google? You might have fallen prey to the SEO spam malware.

This WordPress Spam malware creates junk pages on your website that get redirected to other malicious web-pages. Often this goes unnoticed by the naked eye. The most common variants of this attack are Japanese SEO SpamWordPress Pharma attack & Spam links.

This malware’s intentions are pretty clear. It redirects visitors to hacker-controlled domains.

I agree a Blackhat SEO spam removal can be tricky, so let Astra security experts help you here. For the self-served removal techniques, read on.

Symptoms of the WordPress Blackhat SEO Spam Hack:

A few common symptoms of this WordPress Spam malware are:

Searching site:[your site root URL]displays spam results

On navigating through the search results, you might notice meaningless word junctions appended to your domain name. The malware is designed to divert google searches towards them.

If you notice the above instance, your website is probably infected. A similar case of Malware Spam was observed with the Japanese SEO Spam.

If you observe any of the following symptoms on your WordPress website, you’re most likely to be infected by the WordPress Spam hack.

WordPress Blackhat SEO Spam Hack: Appearance of new files

All the WordPress Websites affected by this WordPress Spam malware had this in common. The attackers usually tend to create a directory in wp-content/plugins/api-key with the files:

  • apikey.php
  • header.php
  • login.php
  • newsleter.php
  • wp-layouts.php
  • wp-nav-menus.php

Most often these files contained critical malware code.

Other files created in the WordPress root directory with malicious code were:

  • wp-domain.php
  • wp-main.php
  • wp-uti.php
  • wp.php

One more example of this symptom is a file named ms-menu.php which is created in /wp-admin directory.

Fix Blackhat SEO spam in WordPress

WordPress Blackhat SEO Spam Hack: Primitive malware identification

The WordPress Spam malware is entirely dependent upon the host website to function properly. It executes itself on each page refreshes/loads. It makes sure that WordPress functionalities are always up and running. In case the WordPress website breaks/crashes, the malicious code will not be executed.

It also supports various factors where the attacker can remotely update and rectify the website if needed. The WordPress Spam cryptoware also establishes the backup files in case of aborted updates.

One of the other features is the ability to identify, remove primitive malware present on the host WordPress website to avoid any suspicions from the website administrator.

Following is a code snippet example of the WordPress Spam Malware eliminating competition:

if (is_file("$level" . "index.php")) {
	$ind = file_get_contents("$level" . "index.php");
	if (filesoze("$level" . "$index.pho"). 'hacked')
	OR stripos(file_get_contents("$level" . "index.php"). 'hacked')
	OR stripos($ind, 'WARING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited')
	OR stripos($ind, 'form action="" method="post"></form')
	OR stripos($ind, 'eval(gzuncompress(')
	OR stripos($ind, 'WARN1NG_RC')) {
		chmod("$level" . "index.php", 0777);
		unlink("$level" . "index.php");

WordPress Blackhat SEO Spam Hack: Google AdWords being disabled

Due to the widespread use of ads on the internet these days, they have become an easy way for hackers to direct users to compromised/malicious websites. This has forced advertisement networks such as Google AdWords to have stringent policy upgrades to avoid the spread of malware through hacked websites. Google AdWords regularly scans websites for hacked content & suspends ads running for hacked websites.

A few things easily noticeable are:

    • Warnings shown by Google on your AdWords being suspended:
      • Malicious or unwanted software. See what Google (here) itself has to say!
      • Our system randomly and periodically scans the website and checks if the website complies with the Google policy. Therefore, recently your website was scanned and the most recent system scan detected that this advertiser’s primary declared landing page is affected by an unsafe domain [domain .com]

To have a clear understanding and how to fix disapproved Google AdWords read our detailed blog post.

Finding Spam Links

To cure your website of the spam links, you need to do a thorough analysis of your files and databases. Here is how you can go about that.

Scan files for spam links

Search these files for spam links: theme headers, footers, or within the theme functions. Usually, the links are easily visible as hypertext links. However, in rare cases, they might be obfuscated too. Find the unknown, malicious links.

For instance, this is how a malicious link looks like:

<?php NorebroLayout::get_footer_buffer_content( true ); echo "<a href=\"\"> </a>&nbsp;"; wp_footer();  ?>

Sometimes it is hard to tell spam links insertion. In that case, get professional help.

Scan the database

Another target for spam links insertion is the database. So, you would need to scan the database as well for spammy links. Often spam links are inserted into your web pages & posts. Now, reviewing all the pages manually can be too tedious a task. So, here is how you can do this:

  • Access your database with phpmyadmin. phpmyadmin allows you to review multiple pages at a time.
  • Review pages and posts.
  • If you do find malicious links download the pages/posts locally and clean them.
  • Next, upload it back with the help of a SQL management tool. This step might need some SQL expertise.

Fixing the WordPress Blackhat SEO Spam Hack

By following the steps given below the WordPress Spam Malware can be removed from the host website:

  • Removing the malicious new files created by the malware as mentioned in the above sections.
  • Checking your Google Webmasters account for any disparities, following our detailed guide to resolve them.
  • Scanning your website for malware and other infections/
  • Check which websites have outbound links to your site, from the Google Webmasters panel

How Japanese SEO Spam affects Your Website Traffic & SEO?

We know hacks leave your website in wrecks. Even after doing a proper hack removal, the intangible effects often last longer. Recovering your website from these after-effects takes a great deal of effort. The intangible effects include decreased website traffic, drop in Google rankings, hit on the brand reputation, dampened customer inflow, etc. 

To measure how badly such hacks affect websites, we conducted a study. We monitored an infected website for days after the cleanup to see how they perform.

This is what we found:

The following analytics show website traffic for a year. Notice the drop in the traffic in later months.

This is the website’s data in August this year when it was not hacked. Total clicks are 20.3k, impressions 254k, Average CTR 8%, Average position 15.

We compared this to the data of the month it was hacked. See the dip in the following picture. Total clicks dropped to 11.8k, Impressions reduced to 207k, Average CTR was 5.7% and the position was pushed down to 16.6.

When we narrowed down to the days the website was hacked, this is what we found. From November 8, 2019, to November 15, 2019, the average CTR dropped to 4.4% from the original 8%. Similarly, other aspects of the website also felt a dip.

It is quite clear that the consequences of Japanese SEO spams are huge. More so on your website’s traffic and SEO. Pulling a website of a hack after trauma takes constant effort prolonged for a period.

Obviously, you do not want to land in such a situation. Yes, you can totally avoid these scary-looking consequences by being a little vigilant for these attacks. The next segment will tell you how.

How to Prevent WordPress Blackhat SEO Spam Hack

The most convenient option out there to prevent the WordPress Spam Malware infections is to use a Website Firewall, like Astra. Astra Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website.

Take Astra Demo now to see how Astra works.

Have a specific question to ask? Shoot in the comment box or talk with security experts. We promise to reply 🙂

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Abhi Chitkara

Abhi is a web security aficionado, when he is not securing websites by his sheer awesomeness, he is probably binge watching Brooklyn Nine-Nine.

About The Author

Ankit Pahuja
Ankit Pahuja

Ankit is a Web security analyst at Astra. He secures systems, hacks google search rankings, does some Web, and a bit of poetry!


  1. I was searching for this on how to reduce the spam, its really hard to run a blog with all these spams. Thanks for this helpful post

  2. In fact, it’s hard to do that.

    • Naman Rastogi

      Yes, it is bit complicated to remove malware in case of SEO spam. Also, you need to submit links to Google search console regularly to fix it.

  3. thanks, spam has been an issue for me. I tried many plugins but none work properly

    • Naman Rastogi

      Hi Vicky,

      Spam is one of the most common issues. Here are a few steps that you can follow to minimize it –

      1) Use hidden CAPTCHA in your forms
      2) Block the countries that are not relevant from your business
      3) Implement firewall that checks the IPs (fake bing/google bots & scrapping IPs) & block them

      Here is the feature list of Astra firewall –

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Free Website Security Scanner