SEO spam hacks are one of the fastest-growing hacks in the WordPress realm, claiming countless victims every day. In 2018 alone, over 51% of site hacks were SEO spam.

Once your website is hacked, the spam is craftily hidden from you and therefore, can go unnoticed for a long time before you realize it. But while you are blissfully unaware of the spam, it wreaks havoc for your website and its users. The longer it sits on your site, the worse matters become.

You need to find and remove the spam immediately. After that, you’ll need to implement better security measures to make sure it never happens again.

We will tell you everything you need to know about SEO spam – what exactly happens, how to get rid of it, and how to prevent it.

TL;DR –
The tricky thing about SEO spam hacks is that they keep reappearing! If you need a permanent solution to be free from spam, we suggest you install our security plugin MalCare. It will run through every nook and corner of your website and clean up all traces of the spam hack. You’ll never have to worry about spam appearing on your site so long as you have MalCare protecting it.

What is SEO Spam?

Hackers gain entry using some vulnerability that’s present on your WordPress site, like a weak password or a security gap in an outdated plugin.

Once inside, they start doing things to hijack your SEO accomplishments (Search Engine Optimization). They find your top-ranking pages and insert their own hyperlinks and spam keywords.

Ranking on Google takes a lot of effort but with it comes great benefits. These hackers would rather let you do all the hard work of SEO and digital marketing, and then use your website to promote their product/service. This is why SEO spam is also known as spamdexing or search engine poisoning (SEP).

The hack is so popular because it can target WordPress websites of all sizes and not necessarily just the large ones. The most common victims are small websites, NGOs, and WordPress blogs, that are not secured by SSL certificates or do not have any security measures in place.

This hack is well-disguised and hidden from the owner’s plain sight. Therefore, it is one of the most difficult ones to detect. You could be hacked for a long time without even knowing it.

Types of SEO Spam Hacks

Once a hacker breaks into your website, there’s a long list of malicious tactics they can use. An SEO spam hack is just one of them and can be used in combination with other types of hacks. We’ve listed out the most common tactics that we see take place when a website is facing a search engine spamming hack:

1. Spam Keyword Insertion

SEO spammers want to rank for their products or services. They use what are called black-hat SEO techniques and stuff their keywords all over your site. These keywords will mostly be invisible to you and your users. When someone searches for these keywords on Google, your website will rank.

2. Spam Link Injection

They insert external malicious links that will redirect visitors to a website of their choice. They can also use a tactic called clickjacking wherein they insert hidden links under regular clickable content, thus deceiving the user. Upon clicking it, they’ll be directed to another website – usually, one that sells/promotes illegal products and content.

3. Creating New Pages

Hackers can also take over your website by creating new web pages, sometimes even thousands of them. These pages are designed to manipulate search engines.

4. Spam Emails

If they have access to your customer database, they can start sending emails to promote their product. The email will be sent from your legitimate email address which customers will think is trustworthy. Only upon opening it will they be exposed to the hacker’s tricks.
Once customers start flagging your emails as spam, mail servers will mark you as spam. This is hard to recover from and you can lose valuable customers for good.

5. Displaying Banners and Ads

They can also hijack any banners, pop-ups, ads or CTAs (calls to action) on your site and replace them with promotions for their products and content.

How does an SEO Spam Hack Work?

In a hack like this, malicious code is injected into your website’s files. To disguise it, the code is reversed before it is stored, so what sits in your files does not read like code or links at a glance. This is why a spam injection hack is so difficult to detect.

Then a PHP function flips the stored code back to normal and executes it. All this is done to hide the hack from you and to manipulate the search engine bots.

To you, your website will look and function just fine. But a Google bot or any other search engine bot will see what the hackers want them to see when they crawl and index your website.

The malicious code will inject keywords, links, and whatnot into your site. It can also change the title tag and meta descriptions of your pages and posts. This is how they get your website to rank for these keywords in search engine result pages.
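
One way to look for the reversed-and-stored code described above, as an added example that is not MalCare's scanner or code from this article: it reverses every string literal in a PHP file and flags those that only look like links or code once flipped. The marker list and sample files are constructed for illustration, and strrev() is assumed as the PHP function doing the flip, which the article does not name.

```python
import re
from pathlib import Path

# Tokens that should not appear only after a string literal is reversed.
# Illustrative list (an assumption for this example), not a complete signature set.
REVERSED_MARKERS = ("<a href", "http://", "https://", "eval(", "base64_decode", "display:none")
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.S)
STRREV_CALL = re.compile(r"\bstrrev\s*\(", re.I)


def scan_php_source(source):
    """Return one finding per string literal that looks benign stored but suspicious reversed."""
    findings = []
    uses_strrev = bool(STRREV_CALL.search(source))
    for match in STRING_LITERAL.finditer(source):
        literal = match.group(2)
        flipped = literal[::-1]
        # Only count markers that are absent as stored and present once flipped.
        hits = [m for m in REVERSED_MARKERS
                if m in flipped.lower() and m not in literal.lower()]
        if hits:
            line = source.count("\n", 0, match.start()) + 1
            findings.append({"line": line, "markers": hits,
                             "strrev": uses_strrev, "decoded": flipped[:80]})
    return findings


def scan_tree(root):
    """Scan every .php file under root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed samples: a spam link stored reversed (as the article describes) and a clean file.
PLAIN_LINK = '<a href="http://spam.example/">cheap pills</a>'
SAMPLE_INFECTED = "<?php\n// footer\n$s = '" + PLAIN_LINK[::-1] + "';\necho strrev($s);\n"
SAMPLE_CLEAN = "<?php\necho '<a href=\"https://example.org/\">Home</a>';\n"

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_INFECTED):
        print(finding)
```

Run `scan_tree()` against a copy of your `wp-content` directory; a finding is a lead to review by hand, since legitimate code can also contain reversed strings.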

What happens to your website in an SEO spam hack?

To explain what happens to your website when it’s under a spam attack, we’ve taken a real-life example to illustrate.

In this case, the hacker wants to sell illegal or banned pharmaceutical products online such as Viagra and Cialis through a website called ‘Canada Drugs’.

They’ve inserted the keywords ‘Viagra and Cialis’ into the top-ranking pages of websites they hacked. This black-hat SEO technique is also known as a pharma hack. When someone wants to buy these drugs online, the hacked websites rank in the results.

We typed in “buy Viagra Cialis online” in Google’s search bar and these were the results we got.

 


The websites that ranked for this keyword were not pharmaceutical ones but rather:

  1. The ‘About’ page of an eco-friendly company
  2. The ‘tariff details’ page of a French music festival’s website
  3. The beverage page of the menu of a Mexican restaurant

Do you see how random that is? They target any site that’s easy to attack.

Now, we mentioned earlier that this hack is one of the most difficult ones to detect. This is because it’s done in a way that hides it from you and allows only search engine bots to see it.

When we accessed the first website directly by typing the domain name in the address bar, the pages looked normal.

 


But if we searched for it on Google and then clicked on the link to this site, it displayed the spam page that promotes the hacker’s pharma website ‘Canada Drugs’.

 


This is why the hack goes undetected for a long time as the owner can’t see it normally.

Why did my WordPress site get infected with SEO Spam?

There are two big questions to address: Why was my WordPress website a target? And how did a hacker manage to get into my website?

Why was my website a target of SEO Spam?

These hacks are rarely targeted at a particular WordPress site. Gone are the days of hackers manually breaking into individual sites. They create bad bots that are constantly crawling the internet to find and hack any website that’s weak.

So the size or popularity of your website is insignificant. These bots run through all sites, and once they find an entry point into yours, they come in and insert their scripts.

How did a spam hacker manage to get into my website?

WordPress is an extremely secure platform to build your website on. However, like all software, it is also prone to vulnerabilities.

Let’s take a look at the most common ways hackers get inside:

1. Outdated WordPress Version

According to a report by Sucuri, 36% of WordPress websites that were hacked in 2018 were running on an outdated installation.

This means that when security issues were discovered, the WordPress team fixed them and rolled out an updated version of their software.

If you chose to run your website on the old version and ignored the update, then you left the security loophole open to hackers.

Always keep your WordPress up to date, especially if a security patch is released.

2. Vulnerable Plugins and Themes

While themes and plugins add functionality, they can also negatively affect your website.

Vulnerabilities can sometimes be introduced by themes and plugins that don’t have proper security measures in place. This is because the third-party developers that create them are not always savvy with what security measures they need to implement.

Another cause of hacks is when users turn to pirated versions of premium plugins and themes. It may be an easy way to get all the features for free, but such nulled software usually has malware pre-loaded.

By installing it on your website, you’ll enable hackers to access your website. They can begin to inject spam and links, display content they want, and create WordPress backdoors. These backdoors are entry points that allow them to access your website whenever they please.

This is why even if you find and delete the malicious code in your files and database, the backdoor allows them to keep hacking your website. Therefore, the spam can keep reappearing.

You can avoid such plugins/themes by using premium versions, checking when they were last updated and how many active installations they have, and checking out their websites to see if they are trustworthy.

 


Many times, WordPress websites are created by web designers. In these cases, you need to ensure they use trusted themes/plugins from the WordPress repository or marketplaces like ThemeForest and CodeCanyon.

3. Weak username and password

Another automated WordPress hacking technique used is brute force attacks. In this, bots try various combinations of usernames and passwords a number of times.

If you do not have a limit on the number of login attempts, they can keep trying till they figure it out. Since it’s automated, these bots can try millions of combinations in no time. This is why it’s not advisable to use passwords like ‘password’ and ‘password123’, which are easy to guess.

You should use unique usernames and passwords because it adds a layer of security. Phrases in combination with numerals and symbols are ideal. An example of a strong username and password would be:

  • Username – thisis!anadmin1@3$
  • Password – Can’t!guessmypassword890$

Now that we have a clear understanding of what this is, why it happens and how they carry it out, we can get down to finding the hack.

Is Your Site Infected With SEO Malware?

There are a number of ways to determine whether your website is actually hacked or not:

Google safe browsing status

Check Google’s Transparency Report. Enter your site’s URL and it will tell you if your website is safe to browse or if it contains harmful content. This is not always accurate in the case of SEO spamming hacks because the hack is designed to fool the website owner and trick Google bots.

 

 

Google Search Console

For any website, Google Search Console and Google Analytics are must-haves! Access Search Console and scroll down to ‘Security & Manual Actions’. Click on ‘Security Issues’ to see if it shows you any red flags.

If you notice a sudden dip on pages that normally have a high conversion rate, there may be URL redirections present that are stealing your traffic.

You can also check the overall performance of your website in Google Search Console. Here, you can see the types of queries for which your website is getting traffic. In the example below, we can see that ranking keywords include ‘buy designer bags cheap online’ and ‘cheap Gucci bags’. This indicates that you’ve been spam hacked.

Google Search in Incognito mode

Since the hack isn’t visible to you, one way to see it is to visit your website through Google using incognito mode. Here we searched for a site we know is hacked. The third result clearly shows the pharma hack for Cialis and Tadalafil.

Switch your user agent

You can install an extension such as ‘User Agent Switcher’. Here, you can switch to ‘Google bot’ to see what your website looks like when Google bots crawl your site. You might be able to spot the hack.

Be sure to switch it off once you’re done using it.
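
The comparison that a user agent switcher gives you can also be scripted against your own site, as an added example that is not from the original article: fetch the page as a direct visitor, as Googlebot, and as a click-through from Google, then compare titles and outbound link hosts. The profile names, helper names and sample pages are constructed for this example.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Request profiles: a plain browser visit, a crawler User-Agent, a click-through from Google.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "from_google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
}

class PageFacts(HTMLParser):
    """Collect the <title> text and the hosts of all absolute links on a page."""
    def __init__(self):
        super().__init__()
        self.title, self.hosts, self._tag = "", set(), None
    def handle_starttag(self, tag, attrs):
        self._tag = tag
        host = urlparse(dict(attrs).get("href") or "").netloc.lower() if tag == "a" else ""
        if host:
            self.hosts.add(host)
    def handle_endtag(self, tag):
        self._tag = None
    def handle_data(self, data):
        if self._tag == "title":
            self.title += data.strip()

def facts(html):
    parser = PageFacts()
    parser.feed(html)
    return parser.title, parser.hosts

def cloaking_diff(baseline_html, other_html):
    """Report what a second view of the same URL shows that the direct view does not."""
    base_title, base_hosts = facts(baseline_html)
    title, hosts = facts(other_html)
    return {"title_changed": title != base_title, "new_link_hosts": sorted(hosts - base_hosts)}

def fetch(url, profile):
    """Fetch a URL on your own site with one of the PROFILES (needs network access)."""
    req = urllib.request.Request(url, headers=PROFILES[profile])
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample pages standing in for two fetches of the same URL.
DIRECT = '<html><head><title>About us</title></head><body><a href="https://shop.example/contact">Contact</a></body></html>'
AS_BOT = '<html><head><title>Buy cheap pills online</title></head><body><a href="https://shop.example/contact">Contact</a><a href="http://pharma-spam.example/buy">pills</a></body></html>'
```

On a live site, compare `fetch(url, "direct")` with `fetch(url, "googlebot")` and `fetch(url, "from_google")`; a changed title or link hosts that appear only in the crawler or Google-referred view match the behaviour described earlier.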

Online Tools

There are free tools available online that enable you to check if you have malware present on your site. These tools include VirusTotal, Aw-snap, and Spamhaus. Unfortunately, they aren’t 100% accurate. These tools rely on outdated methods of finding malware and more often than not, they may tell you your site is hacked when it’s not, and tell you it’s not hacked when it really is!

But SEO Spam is a serious issue and there is a long list of consequences of a hacked website which is why we don’t recommend these tools.

Contact your host

Your web host runs regular security checks on all their websites. You can contact your web hosting company to check if they have detected any malicious activity on your site. They may be able to help you locate the hack.

Use a Malware Scanner

This is the most efficient way to check if your site has any malware present. These malware scanners are automated and can find malware for you quickly. However, not all plugins provide the same level of efficiency. A security plugin like MalCare has an intelligent scanner that has the ability to find every kind of malware. Once installed, it will comb through your files and database, and if there is spam – even if it’s hidden or disguised – it will detect it.

These are the ways in which you can check to see if you’ve been hacked. However, there are other ways website owners are alerted that their site is hacked:

    • Google will blacklist your website if it detects malware present.
    • Your web host may suspend your account immediately and take your site offline.
    • You see a new admin user created that you don’t recognize in your wp-admin.
    • You may see a plugin installed that you are sure you didn’t put there.
    • If you’re lucky, a customer who has seen the hack may bring it to your attention.
    • You may experience a drastic dip in your site speed and performance.
    • You may see a random influx or dip in traffic.

Once you know you’re hacked, we need to find the spam and get rid of it. Most website owners or their teams put in a lot of effort into content marketing, social media marketing, and digital marketing. Every single one of those efforts can be stolen when under a spam hack. So let’s get to cleaning up the hack immediately to get back what you’ve worked hard for.

How to remove SEO Spam from your website

To get rid of the web spam, you can try detecting it manually and deleting it. However, we stress this again – SEO spamming hacks are disguised and hidden from you.

Important note: Finding and deleting malicious code isn’t sufficient. You need to fix the vulnerability that allowed the hack to happen. You also need to find and remove backdoors the hacker may have created.

Using a reliable security plugin such as MalCare is highly recommended. This is because the plugin will comb through all your files and folders, analyze suspicious code and activity, and identify hacks. So even if it’s hiding in the deepest nook or disguised in plain sight, you can be sure it will be found. After that, you’ll simply need to click a button to clean up your site.

Remove SEO Spam With MalCare

To use MalCare, simply install the security plugin and follow the steps below:

    • On your wp-admin dashboard, the plugin appears independently on the left panel of wp-admin. Select ‘Malware scan’ and click on ‘Scan site’.

 

 

    • Next, the plugin will take you to the MalCare dashboard where it will automatically scan your site. You get one free scan with this plugin.
    • You’ll be notified if your website is hacked. To clean up your site, you’ll need to purchase a plan. This is because malware cleaning is a complex process. All plugins will charge a nominal fee for this service.

 

 

    • Once you upgrade, you simply need to click on ‘Auto-clean’. The plugin will do its job and make your site malware-free and hack-free.

After this, there are preventive measures you need to take immediately to stay clean and be protected from future attacks. We recommend you carry out the following steps.

  1. Update your WordPress installation, themes, and plugins. Always make sure you’re running on the latest version.
  2. Delete any inactive themes and plugins on your site. Get rid of any pirated or nulled ones you may have installed.
  3. Apply WordPress website hardening measures such as limiting login attempts, blocking PHP execution in certain folders, and changing passwords and security keys.

Conclusion: No More Spam!

If you own a WordPress website, you need to take measures to protect yourself. Period. Your website resides in a world where danger lurks in every corner in different forms and can strike at any time, with or without your knowledge.

We strongly recommend you keep an effective WordPress security plugin such as MalCare active on your site. Apart from regular automatic scans, your site will also have a firewall to block spam, malicious bots and hackers.

Be hack-free and stay that way!