Is your WordPress website generating spam results on Google? Yes? Then you might have fallen prey to SEO Spam malware! This WordPress SEO Spam malware creates junk pages on your website that get redirected to other malicious web pages, which often goes unnoticed by the website owners. The most common variants of this attack are Korean SEO Spam & Spam link injection. Read on to know how to find and fix it.
In 2021, WordPress powers 41.7% sites on the Internet. And the adoption of WordPress CMS is not stopping among small and medium sized businesses. However, this increasing trend is also inviting hackers to hack into the sites and promote their motives. WordPress SEO Spam is also one of these hacks where the hackers typically target well-established WordPress sites that have high traffic and good search engine rankings and use these compromised websites to rank their own illegal products and services on search engines.
Malware hacks such as WordPress SEO Spam are similar to the WordPress Pharma Hack. These kinds of hacks use your reputable site and redirect its visitors to the hacker-controlled domains. While Blackhat SEO spam removal is widespread, it can be very tricky!
Do Google or Bing show weird search results for your website? Find out in 15 seconds.
In this guide, we’ll discussing how to prevent, find and fix WordPress SEO Spam hack. So, let’s dig in!
How To Find the WordPress SEO Spam Hack?
To find if your website is affected by WordPress SEO Spam, you need to check for the following symptoms:
1. Searching site:[your site root URL] displays spam results
The easiest way to find out if your WordPress site is affected with SEO spam malware is to conduct a simple Google search. You need to type site: followed by your domain name. On navigating through the search results, you might notice meaningless word junctions appended to your domain name. The malware is designed to divert Google searches away from your site towards malicious sites.
For example, if you notice the above instance, your website is probably infected. The screenshot above is a site infected with the infamous Japanese SEO Spam.
If you observe any of the following symptoms on your WordPress website, you’re most likely to have been infected by the WordPress SEO Spam hack.
2. You notice new files appearing around your site
All websites affected by this WordPress SEO Spam malware had one thing in common: suspicious new files. The attackers usually tend to create a directory in wp-content/plugins/api-key with the files:
- apikey.php
- header.php
- login.php
- newsleter.php
- wp-layouts.php
- wp-nav-menus.php
Most often, these files contain critical malware code.
Some other files that are often created in the WordPress root directory with malicious code are:
- wp-domain.php
- wp-main.php
- wp-uti.php
- wp.php
Anohter example of this symptom is a file named ms-menu.php, which is usually created in the /wp-admin directory.
3. You perform primitive malware identification
WordPress SEO Spam malware is almost entirely dependent upon the host website to function properly. It executes itself every time a page refreshes or loads. It makes sure that WordPress functionalities are always up and running. In case the WordPress website breaks/crashes, the malicious code will not be executed. It also supports various factors where the attacker can remotely update and rectify the website if needed. The WordPress Spam cryptoware also establishes the backup files in case of aborted updates.
One of the other features of WordPress SEO Spam malware is the ability to identify and remove primitive malware present on the host WordPress website to avoid any suspicions from the website administrator. Following is a code snippet example of the WordPress Spam Malware eliminating competition:
if (is_file("$level" . "index.php")) {
$ind = file_get_contents("$level" . "index.php");
if (filesoze("$level" . "$index.pho"). 'hacked')
OR stripos(file_get_contents("$level" . "index.php"). 'hacked')
OR stripos($ind, 'WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited')
OR stripos($ind, 'form action="" method="post"></form')
OR stripos($ind, 'eval(gzuncompress(')
OR stripos($ind, 'WARN1NG_RC')) {
chmod("$level" . "index.php", 0777);
unlink("$level" . "index.php");
}
}
4. You notice your Google AdWords being disabled
Due to the widespread use of ads on the internet these days, they have become an easy way for hackers to direct users to compromised/malicious websites. This has forced advertisement networks such as Google AdWords to have stringent policy upgrades to avoid the spread of malware through hacked websites. Google AdWords regularly scans websites for hacked content & suspends ads running for hacked websites.
A few easily noticeable symptoms are warnings shown by Google on your AdWords being suspended. If you find any of these, you might be affected:
- Malicious or unwanted software. See what Google (here) itself has to say!
- Our system randomly and periodically scans the website and checks if the website complies with the Google policy. Therefore, recently your website was scanned and the most recent system scan detected that this advertiser’s primary declared landing page is affected by an unsafe domain [domain .com]
To have a clear understanding and how to fix disapproved Google AdWords, read our detailed blog post.
To cure your website of spam links, you need to do a thorough analysis of your files and databases. Here is how you can go about that:
5. Scan files for spam links
Search these files for spam links: theme headers, footers, or within the theme functions. Usually, the links are easily visible as hypertext links. However, in rare cases, they might be obfuscated too. Find the unknown, malicious links.
For instance, this is what a malicious link looks like:
<?phpNorebroLayout::get_footer_buffer_content( true );echo "<a href=\"http://www.authenticjetshockeyshop.com/mark-scheifele-jersey_c-422.html\"> </a> "; wp_footer();?>
Sometimes it is hard to tell if spam links have been inserted. In such a case, it is advised you scan your site with SEO Spam Scanner.
6. Scan the database
Another target for spam links insertion is the database. So, you would need to scan the database as well for spammy links. Often spam links are inserted into your web pages & posts. Now, reviewing all the pages manually can be too tedious a task. So, here is how you can do this:
- Access your database with PHPMyAdmin. PHPMyAdmin allows you to review multiple pages at a time.
- Review pages and posts.
- If you do find malicious links download the pages/posts locally and clean them.
- Next, upload it back with the help of a SQL management tool. This step might need some SQL expertise.
Fixing the WordPress SEO Spam Hack
By following the steps given below the WordPress SEO Spam Malware can be removed from the host website:
- Removing the malicious new files created by the malware as mentioned in the above sections.
- Checking your Google Webmasters account for any disparities, following our detailed guide to resolving them.
- Scanning your website for malware and other infections.
- Check which websites have outbound links to your site, from the Google Webmasters panel
How WordPress SEO Spam affects Your Website Traffic & SEO?
We know hacks leave your website in wrecks. Even after doing a proper hack removal, the intangible effects often last longer. Recovering your website from these after-effects takes a great deal of effort. The intangible effects include decreased website traffic, drop in Google rankings, hit on the brand reputation, dampened customer inflow, etc.Â
To measure how badly such hacks affect websites, we conducted a study. We monitored an infected website for days after the cleanup to see how they perform.
This is what we found:
The following analytics show website traffic for a year. Notice the drop in the traffic in later months.
This is the website’s data in August this year when it was not hacked. Total clicks are 20.3k, impressions 254k, Average CTR 8%, Average position 15.
We compared this to the data of the month it was hacked. See the dip in the following picture. Total clicks dropped to 11.8k, Impressions reduced to 207k, Average CTR was 5.7% and the position was pushed down to 16.6.
When we narrowed it down to the days the website was hacked, this is what we found. After few days, the average CTR dropped to 4.4% from the original 8%. Similarly, other aspects of the website also felt a dip.
It is quite clear that the consequences of SEO spam are huge. More so on your website’s traffic and SEO. Pulling a website of a hack after trauma takes constant effort prolonged for a period.
Obviously, you do not want to land in such a situation. Yes, you can totally avoid these scary-looking consequences by being a little vigilant for these attacks. The next segment will tell you how.
How to Protect Against WordPress SEO Spam Hack?
Cleaning your already infected site with WordPress SEO Spam hack doesn’t ensure that the infection will re-appear. Hence, taking preventative measures is always a good idea.
Here are some prevention steps you can enforce for protecting your site against WordPress SEO Spam:
1. Install a Firewall:
The most convenient option out there to prevent WordPress SEO Spam Malware infections is to use a Website Firewall, like Astra. A Website Firewall can help you monitor your incoming traffic and it automatically blocks threats and other malicious entities.
Astra Web Protection helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website.
2. Harden your WordPress Login Page security
Another security measure you can take for protecting your site from WordPress SEO Spam is to secure the login page of your WordPress site. It can also help you prevent WordPress Admin dashboard hack.
Here’s how you can do it:
- Install WordPress login page security plugin like WP-Hardening
- Change default URL of your WordPress Admin page
- Use unique and strong username and password credentials
- Limit consecutive login attempts
- Monitor login activity on your WordPress site.
With Astra Firewall you can enforce the Login Protection for your WordPress and see details of the person/bot who tried to log in to your site with the timestamp and some other information.
3. Set the Correct File and Folder Permissions
Setting correct access permissions to your files and folders not only helps you in preventing execution errors for your WordPress site but also it can help reduce security risks such as infection of WordPress SEO Spam malware.
You may apply following permissions to your WP Files and Folders:
- For wp-config.php = 400/440
- For all .php files = 644
- For index.php = 644/444
- For wp-content folder = 755
- For wp-includes folder = 755
- For wp-content/uploads folder = 755
- For all the files in general = 644
- For all folders in general = 755
For more info on this, check our blog: How to Fix WordPress File or Folder Permissions – Step by Step Procedure
