Spam Link Injection in WordPress is on the Rise

Recently, the Threat Intelligence team at Astra Security spotted an ongoing spam link injection campaign that is specifically targeting a large number of WordPress sites. The team has observed that the result of this spam link injection campaign is leaving thousands of WordPress sites badly infected with the SEO spam hack and the notorious website redirection hack. 

During our monthly threat hunting activity, our team has found that the unidentified hacker/hacking group who is carrying out this spam link injection campaign aims to promote the spammy sites by injecting a malicious script all over the site’s source code.

The infection further creates a hidden folder or sub-directory (for example – “/docs”, etc.) in a compromised WordPress site and also tries to create a number of spam pages and URLs that get indexed in the search engines. The image below is an example of how a hacked site is seen on the Google search results.

Unlike the Japanese keyword hack (see below image), this site link injection attack displays spam links in the English language in the search results which look like genuine URLs. Also, the number of such spam links created for a hacked site is exceptionally large and exceeds the number of links in the Japanese keywords hack – making it more difficult to detect and fix.

Over a couple of months, we’ve received queries from multiple customers saying that their website may be hacked and displaying spammy links in the search results affecting their existing content and SEO. 

One of our customers said, “Site have (sic) almost total 1300 pages for now. We are doing the same thing from last two months but results are increasing again and again.”

Another customer said, “there are some links that don’t belong to our website, no pages but only links.”

Here are some example spam URLs we found on a hacked WordPress site. The below spam URLs are found in the source code of the site. Here hackers have created a directory in database with name ‘docs’ & have created pages of porn, casinos, pharma products, herbal tea & other shopping sites.

https://yourwebsite.com/docs/0nnmi.php?1c36b9=adobe-xd-css-plugin
https://yourwebsite.com/docs/0nnmi.php?1c36b9=acura-electric-car
https://yourwebsite.com/docs/0nnmi.php?1c36b9=simone-biles-family
https://yourwebsite.com/docs/0nnmi.php?1c36b9=erick-avari-family
https://yourwebsite.com/docs/0nnmi.php?1c36b9=herbal-tea-flavors
https://yourwebsite.com/docs/0nnmi.php?1c36b9=the-rescue-full-movie
https://yourwebsite.com/docs/0nnmi.php?1c36b9=leegin-belts
https://yourwebsite.com/docs/0nnmi.php?1c36b9=kaduna-population
https://yourwebsite.com/docs/0nnmi.php?1c36b9=cimarron-herbicide

This leads us to the question – what exactly is this spam link injection, how it works, and the precautionary steps that you should take to prevent this attack. Here is your answer.

What Is a Spam Link Injection attack in WordPress?

A spam link injection attack is a type of cyberattack where hackers inject malicious code or scripts into a target website that leads to SEO hijacking, malicious redirects, and even email spam. Most of the time, hackers infect top-ranking pages of a legitimate site in order to promote or rank their own spammy site on SERPs (Search Engine Results Pages).

Here is how they do it:

• By creating thousands of new duplicate pages.
• By injecting links in existing pages of the targeted site. When a legitimate user clicks on any of these links they get redirected to another website (spammy site).
• By displaying ads or promotional material of their products on your legit site.

The spam link injection attack on WordPress is usually difficult to detect because hackers keep improvising hiding infection getting better with each attack. Further, it is very hard for an untrained eye to pin-point the exact location and malicious script in the site’s code. 

Therefore, if you’re seeing any of the above symptoms for your website, you should get professional help from security experts who can clean this infection for you quickly. 

At Astra, we regularly help website owners get rid of spam link injections from their website with guaranteed results. Check out our immediate WordPress malware removal plan here.

If, due to any constraint, you’re planning on doing the hack removal yourself, here’s how you can go about it.

How to check and fix the Spam Link Injection attack in WordPress?

If you are unsure about a spam link injection hack on your website, follow the below steps to confirm if  your WordPress has been hacked or not:

1. Scan your WordPress site with an SEO spam detector.
2. Check for spammy keywords in your Google Analytics or Google Search Console. If you find any irrelevant keywords such as “viagra”, “Nexium”, or “Cialis“ then your WP site may be a victim of a WordPress pharma hack.
3. Check if your site is Blacklisted by Google.
4. Check if your account has been suspended by your hosting provider.

If you are sure that your WordPress site is hacked with SEO spam, you must take immediate steps to remove this malware. You may follow this guide to effectively remove WordPress spam from search results. 

Related Guide – Step-By-Step WordPress Hack Removal

Note: If you are using Astra Security’s application firewall then your WordPress site is already protected from this attack and other cyber attacks and vulnerabilities like SQLi, XSS, CSRF, LFI, RFI, credit card hacks, spam, bad bots, etc. Further, to keep your website protected at all times, regular malware scanning is always a recommendation. Don’t let hackers level your years of effort in a second. Invest in a good security solution today.