How to Find and Remove Spam Link Injection in WordPress?

One of the more troubling WordPress attacks is the spam link injection.

It not only shows up on your site, but also in your Google search results.

We’ve seen 100s of cases, where someone has contacted us saying a visitor told them about it.

Awful stuff.

If you’re seeing:

Scan your website for malware to find the injected spam.

Also, don’t worry.

We will help you get rid of the spam link injection hack in WordPress and restore your website to its former glory. 

TL;DR: Scan your site with MalCare to find spam links and posts instantly. A spam link injection inserts a lot of nasty stuff into your WordPress site, especially the database. Most scanners won’t even find it, that’s why we recommend MalCare. Once you’ve found the malware, MalCare will remove it with a single click.

Understanding the WordPress spam link injection attack 

Spam link injections in WordPress are a common hack using your website to redirect visitors to spam websites. 

Hackers fill your site with backlinks to spam websites using malware. Often these websites sell grey market, unsavoury, counterfeit, or downright illegal products.

You may find these links in posts or even cleverly hidden in the headers of pages. Alternatively, they could have created entire web pages on your domain that redirect to their websites. 

Step 1: Does your website show signs of a spam link injection attack?

There are definite signs your site has a spam injection hack on it, but chances are you won’t be the first person to see them.

This is because hackers want malware to remain undetected for as long as possible. Know how to thwart them? Get a daily malware scanner.

💡 Hackers cleverly insert malware so that it is undetectable by admin users. Use an incognito browser or another machine to visit your website. Make sure you aren’t logged in. You may find web pages that you didn’t create. If you see pop ups and spam links on your website, you know you’ve been hacked.

Step 2: Scan your site for malware

The next step is to get a sense of the extent of the hack. For that, you need to scan the files and folders of your site.

The quickest way to determine if your website has spam links: scan your website.

Be careful though. Some scanners are notorious for false positives during scanning, or they don’t find malware at all. Choose wisely.

Step 3: Remove the spam link injection from WordPress [SAFELY]

Once you’ve got confirmation, there are 3 ways you can remove the spam link injection from your WordPress website: 

1. Use a WordPress security plugin to clean the infection [Recommended]
2. Contact a WordPress maintenance service
3. Remove the infected files manually

We strongly recommend that you choose a security plugin to remove spam links from WordPress. It is the only method that is instant. Manual cleaning is very difficult, and WordPress maintenance services are very expensive. 

Option 1. Use a WordPress security plugin to clean the infection instantly [RECOMMENDED]

When your website is hacked, time is of the essence. Install MalCare to instantly remove malware. 

This is the easiest and most efficient way to rid your website of a hack. MalCare will not only detect the malware, but also remove it surgically, without affecting the core files of your website. Therefore, the files that you require stay put and functional. 

Note: Not all security plugins will be able to do this. One-click malware removal is a feature of MalCare, and is based on an intelligent malware detection system. 

Option 2. Contact a WordPress maintenance service

If your website has been hacked and now offline, you might be unable to install a security plugin for cleaning. Don’t panic: our emergency malware removal service can help you fix your hacked WordPress site.

You’ll get guidance from a security specialist to talk to your web host for whitelisting IPs and regaining access, and then to install the cleaning plugin.

If your web host won’t whitelist IPs due to their rules, the expert will use SFTP to quickly cleanse your website of malicious code.

You might consider hiring a WordPress maintenance service, but remember, they can be costly and may not guarantee preventing future infections. Some security plugins charge for every cleanup, which can add up if infections keep happening.

Option 3. Remove the spam link injection hack manually

It is of course possible to remove malware manually, however there are several downsides to doing so. Before we take you through the steps to rid your website of its hack, we want to quickly signpost the dangers of manual malware removal. 

Right, now that we have gotten the caveats out of the way, let’s look at how to remove malware manually from your website.

1. Take a backup of your website

Before you do anything else, take a backup of your WordPress website. Even though it currently has an infection, it is still a working website. This way, even if you go wrong and render your code unusable, you can at least get it back to this working stage. 

A backup would be helpful, because a hacked website can be fixed by experts, but websites with key files missing are very difficult to resurrect, and will cost you a great deal more. 

2. Scrutinise the website for unusual files

Log into your FTP client, and look carefully at the list of files and folders. Are there any files (often PHP files) that aren’t meant to be there? They may look innocuous, but sometimes hidden vulnerabilities like PHP object injection are embedded in these files, enabling hackers to manipulate your site remotely.opening them up may yield some clues. 

Hacks are often written in unreadable or gibberish code. This is obfuscated code, and is meant to be difficult to understand. Since you have a backup, you can afford to delete these gibberish functions to remove the malware. 

Additionally, check your posts and pages in the wp-content folder. Spam link codes are usually hidden in the header section of those pages, and are coded in a way that they are invisible on your website, such as: <div style=”position: absolute; top: -132px; overflow: auto; width:1259px;”>

If your website is large, this step can take a great deal of time. However, ensure that you are thorough when searching for these malicious scripts, because leaving anything in can lead to reinfection. We’ve written a comprehensive guide to dealing with hacked WordPress sites, but we still recommend using a security plugin.

3. Flush the cache

Once you’ve deleted all the malicious scripts, flush the WordPress cache so the cleaned files load correctly.

4. Reinstall WordPress

Download a fresh install of the same version of WordPress that is currently installed from the repository. You can replace everything on your website barring the wp-config file (which has your database info) and the wp-content folder (which contains your plugin and theme information). 

Replacing your WordPress installation will mean that you are eliminating the possibility of malware in your core files. 

5. Reinstall your themes and plugins

Assuming that you are using legitimate versions of your themes and plugins, and have downloaded them from secure sources, you can assume that a vulnerability in one of them will be fixed with an update. 

It is worth spending a little time researching news to check if any of the plugins you have installed have recently experienced a breach. Ideally, reputable developers will release a security fix in the form of an update. If this is not the case, opt for an alternative that is actively maintained instead. This will stand you in good stead in the long term. 

6. Clean your WordPress database

Unfortunately, infected files in a WordPress database are very difficult to remove, because you need to look for PHP functions and spammy links contained within the tables and data. While spammy links may be easy to spot, PHP functions can be pieces of necessary code. 

If you choose to go this route, download the database and look for functions, such as eval, gzinflate, shell_exec, and base64_decode.

Alternatively, if you back up your website regularly (as you should), you can use the database from a previous version that you are absolutely sure doesn’t have any malware. Obviously, this method is not foolproof, and you may just remove a significant portion of changes and updates you have made since, and still have to contend with malicious code.

Step 4: Prevent future link injection attacks

Your WordPress website got hacked because it has a vulnerability issue or at least one of your passwords was compromised. Now that you have cleaned the spam link injection hack one way or another, you need to take steps to ensure it doesn’t happen again. 

We often hear from people that they had security scanners and plugins installed, and still got hacked. It is important to remember that security plugins are not 100% proof against hacks, which is why most plugins have a manual cleanup service as well. 

MalCare, for instance, has bundled unlimited manual cleanups with the plugin subscription. Anything you cannot remove with one click, a team of professional security experts will remove for you quickly and efficiently. 

The advantage of having a security plugin is that it will protect your website pretty well by neutralising most of the attacks. For those that do get through, the causes are usually vulnerable plugins and/or compromised passwords.

Step 5: Recover from an injection attack

After clearing malware from your website, next step is repairing the harm caused by the hacks. Two key players in this process are your web host and Google.

Getting back your website access

Contact your web host after cleaning, and request them to re-check your website. Share with them the steps you took to fix the issue. Usually, this will get your website back online.

Removing your site from Google’s blacklist

If your website is blacklisted by Google, you need to request a review. Go to your Google Search Console, click on Security Issues and you’ll see an alert for dangerous content stating which files contain it.

At the end of this alert, there’s a button to request a review. You have to assure that you’ve solved the issues, and explain in detail the steps you took for each issue.

Submit the request and you’ll know the result in few days.

Managing brand damage

This is optional advice. Hacks can damage your brand’s reputation. It helps to publicly admit what happened, the steps you took to fix it, and your future preventive measures.

Honesty can help rebuild trust and sometimes, properly managed hack incidents have even boosted brand value.

Impact of spam link injection attack

A hacked website is a nightmare for a website owner. Not only is your website affected, but your visitors are at risk of having their data and identity compromised. The website takes an SEO and therefore a financial hit, especially if you have a web store, or earn money with your website. 

You have spent resources on getting your website to where it is. That can all be wiped away very quickly by a hack. It is critical to act fast when your website is hacked, because the damage increases exponentially with time. 

Conclusion

We hope that this article was helpful in removing the WordPress spam link injection from your website. Hack removal is only one of the pillars of website security. It is worth spending some time setting up a strategy to safeguard your website from future incidents. 

FAQs

How to remove and prevent WordPress spam links in posts? 

The quickest and easiest way to remove spam links from WordPress posts is to use a security plugin. It will check your WordPress files and folders, in addition to your website’s database rapidly. Then, it will remove all traces of malware instantly.

How to find WordPress pages affected by URL injection attack? 

Use a malware scanner and cleaner to detect and remove spam from WordPress web pages. 

Spam links and malicious code can be hidden very cleverly by hackers in the files and folders of your website, and sometimes in your website database as well. 

If your website has lots of web pages and perhaps a large database of content, manually sifting through each one’s code will be a huge undertaking and you will be prone to missing things. It is best to get a scanner to do the heavy lifting, and surgically remove the malware for you. 

What is the impact of spam links on my WordPress website? 

Spam links on a website are heavily penalized by Google, so you are essentially not just looking at a hacked website, but all the attendant hassles of one. Your visitors will not have a safe browsing experience. You will lose SEO ranking, and therefore your traffic will take a hit. If your website is a source of income for you or your business, all that will be affected negatively too. 

As with any hack, time is of the essence when it comes to removing it. The impact becomes exponentially worse the longer a hack is left unaddressed. 

What is spam link injection in WordPress?

Spam link injection in WordPress is a malware attack where your legitimate, good quality website is used to bump up the SEO ranking of a website selling grey market or illegal products or services (read: WordPress pharma hack). 

Hackers accomplish this attack by exploiting a vulnerability on your website, and inserting spam links into your pages. These spam links are often invisible to you, as they make use of CSS tricks not to show up on your website directly. However, when Google’s bots crawl your website, they will find these links. 

Often, search results for your website will show up URLs that you have not created. On clicking them, you will be redirected to the spammy website. 

As will any hack, this one should be addressed as soon as possible. Because of its nature, spam links are tricky to find on web pages, and it is always better to use a scanner and an automatic cleaner to get rid of the hack. 

How to remove and prevent spam links in posts?

To remove spam links, start by identifying them in your posts. Check your comments and content for suspicious links. Once found, remove these links manually. To prevent future spam, install a reliable WordPress security plugin. This stops spam bots and trains your system to recognise unwanted content. Regularly update your WordPress version and plugins to keep the defences strong.

How to recover from a WordPress JavaScript injection attack?

First, identify and remove the malicious code. This might involve checking files for unfamiliar scripts. Next, use a malware removal plugin to clean your site. Ensure that WordPress, plugins, and themes are all updated. Finally, change all passwords and consider using a web application firewall for added protection.