How to Find and Remove Spam Link Injection in WordPress?


spam link injection wordpress

If one of your website visitors reports seeing spam links on your website, there is a good chance your WordPress website has been attacked.

Scan your website for malware, and remove the spam and injected malware in one click.

Some typical symptoms of WordPress spam link injection are: 

  • Spam links on your website; usually of illegal or grey market products
  • New pages that you haven’t created
  • Weird meta descriptions when your website appears in search

It is a common hack piggybacking on your website to redirect traffic and boost the SEO of spam websites. 

Don’t worry, all is not lost. We will help you get rid of the spam link injection hack in WordPress and restore your website to its former pristine glory. 

TL;DR: Remove the spam links and posts from your site with MalCare. MalCare is a best-in-class WordPress security plugin that will scan every inch of your site for malware, remove it without affecting your content, and then protect your site from future spam link injection attacks with a powerful firewall.

What is spam link injection in WordPress? 

Spam link injections in WordPress are a type of hack that creates backlinks to spam websites using malware on your site. Often these websites are for articles or services that are grey market or illegal.

Essentially, a hacker has inserted spam links from your web pages to their spammy website. You may find these links in posts or even cleverly hidden in the headers of pages. Alternatively, they could have created entire web pages on your domain that redirect to their websites. 

Another, more insidious flavour of the spam link injection hack resides in your database. This infection, also known as a URL injection, is particularly hard to shift, and requires quite a bit of development expertise to remove successfully. 

In this article, we are going to show you how to diagnose a spam link injection hack on your WordPress website, and how to remove spam links from WordPress

The easiest method is to use MalCare’s free malware scanner to assess the extent of the infection, and then clean it automatically in 1 click.

What are the symptoms of a spam link injection hack?

The trouble with this hack—and most other ones—is that the website owner is usually the last to find out about it. Understandably, hackers and their illegal activities thrive most when malware remains undetected for as long as possible. 

Therefore, if you suspect you’ve gotten a spam link injection hack, you could’ve found out in one of these ways: 

Spam links on your website

Spam links and pages are typically hidden from the website administrators by clever hackers, in order to avoid detection and removal. So chances are a visitor spotted strange, unrelated links on your website and brought it to your attention. 

This is the very worst way to find out, in our opinion, considering this visitor came to your website for legitimate reasons. 

URL injection on Google Search Console 

If you logged into Google Search Console for any reason, and came across an unexpected alert. A spam link injection hack presents as “URL Injection” on the search console, and Google helpfully lists out some of the sample spam URLs on your domain alongside.

Try opening one of the sample URLs from the list. Even though the page is ostensibly on your domain, it will redirect to a spam website without fully loading the page. 

Web host suspended your account

There are a few reasons why a web host would suspend your account and website. Good web hosts usually also send an email with details of suspension.  

Hacks are just one of the reasons, albeit the most serious reason. Web hosts take hacked websites very seriously, as it causes them a significant amount of grief to have a hacked website on their server. Therefore, they regularly scan websites for hacks.

How to scan for a spam link injection hack? 

If you suspect a hack, or are alerted to the possibility of one, you can confirm whether your website is hacked or not by scanning your website

This is the quickest way to determine if your website has the spam link injection hack. Scan your website right now, to get a sense of the extent of the hack. Then, proceed to use the cleaner to remove malware in a single click.

The scanning and removal process happens on the plugin servers, so your server resources are not used. This is a significant advantage, as hacked websites tend to pull a lot of resources to begin with, and this can cause issues with your web host, too. You do not need the additional hassle at this crucial juncture. 

How do I check if my website has a spam link injection hack?

Some WordPress security plugins are notorious for false positives during scanning, unlike MalCare. You may want to reconfirm that your website does indeed have a spam link injection hack. Here are ways you can check: 

Google your website 

When your website appears in the SERPs, you might expect to see the metadata that you have set up. However, a hacked website will often show gibberish in the meta description, or you will see unrelated pages that you have not created show up on the search results. A common result of a URL injection attack is the pharma hack, or the Japanese keyword hack.

Blacklisted by Google

On clicking the search result, you might see a Google blacklist warning. This is when Google has detected your WordPress site has been hacked, although it won’t clarify what type of hack has occurred. 

Alternatively, if your website has not progressed to that stage as yet, you may see a “This site may be hacked” warning in the search results itself. 

this site may be hacked warning due to WordPress spam link injection attack

Use an incognito browser to visit your website

Hackers can cleverly insert malware so that it is undetectable by logged in admin users. Use an incognito browser or another machine to visit your website. Make sure you aren’t logged in. If you see pop ups and spam links on your website, you know you’ve been hacked. 

Similarly, you may also find web pages that you didn’t create. 

Check your website code for anomalies

This is a slightly more advanced method to check for a hack. Navigate to a post or page, and use Inspect Element on your browser. In the header section, there may be code that contains links, either in cleartext or obfuscated. You may see spam URLs clearly legible.

Check Google Analytics for malicious keywords

Your traffic should be coming in from relevant keywords. If you see that you’re getting traffic for keywords like “buy viagra online”, or “cheap gucci bags”, or spammy keywords, you can be sure your website has been hacked.

ranking for spammy keywords shown in google search console performance results

All this may seem daunting and worrisome. However, don’t worry! Hacks are easy to clean with the right tools. The important thing is to stay calm and read on.

There are 3 ways you can remove the spam link injection from your WordPress website: 

  1. Use a WordPress security plugin to clean the infection
  2. Contact a WordPress maintenance service
  3. Remove the infected files manually

As you can imagine, we strongly recommend that you use a security plugin to remove spam links from WordPress. We will outline steps for manual cleaning as well, however please note that it should only be attempted if you are very familiar with WordPress files and its database, and can confidently navigate code. 

When your website is hacked, time is of the essence. Install MalCare to instantly remove the spam link injection hack. 

This is the easiest and most efficient way to rid your website of a hack. A good security plugin will not only detect the malware, but also remove it surgically, without affecting the core files of your website. Therefore, the files that you require stay put and functional. 

Note: Not all security plugins will be able to do this. Auto clean is a feature of MalCare, and is based on an intelligent malware detection system. 

Confirm if you site got affected with spam link injection hack using MalCare Scanner

The real advantage of a security plugin is that it ensures that you avoid reinfection. We will cover that in a subsequent section.

2. Contact a WordPress maintenance service

If your website has been hacked and now offline, you might be unable to install a security plugin for cleaning. Don’t panic: our emergency malware removal service can help you fix your hacked WordPress site.

You’ll get guidance from a security specialist to talk to your web host for whitelisting IPs and regaining access, and then to install the cleaning plugin.

If your web host won’t whitelist IPs due to their rules, the expert will use SFTP to quickly cleanse your website of malicious code.

You might consider hiring a WordPress security expert outside of MalCare, but remember, they can be costly and may not guarantee preventing future infections. Some security plugins charge for every cleanup, which can add up if infections keep happening.

It is of course possible to remove malware manually, however there are several downsides to doing so. Before we take you through the steps to rid your website of its hack, we want to quickly signpost the dangers of manual malware removal. 

  • Cleverly concealed malware: Hacks are most successful when they remain undetected for as long as possible. Therefore, malware is usually hidden carefully in files and folders, and are not immediately detectable
  • There may be backdoors: Hackers will leave means for them to regain access to your website in case the current hack is removed. These backdoors are very well hidden, and you will see your website getting repeatedly hacked because of them. 
  • You have to remove the root cause of the malware: Why did your website get hacked in the first place? Was it a vulnerability, or perhaps a compromised password? Unless this cause is addressed, reinfections will occur. 
  • You can inadvertently remove legitimate code: The chances of this are relatively slim, but assuming your website has a few plugins, it is sometimes difficult to distinguish between actual code and malware. Deleting good code will break your site.

Right, now that we have gotten the caveats out of the way, let’s look at how to remove malware manually from your website.

1. Take a backup of your website

Before you do anything else, take a backup of your WordPress website. Even though it currently has an infection, it is still a working website. This way, even if you go wrong and render your code unusable, you can at least get it back to this working stage. 

A backup would be helpful, because a hacked website can be fixed by experts, but websites with key files missing are very difficult to resurrect, and will cost you a great deal more. 

2. Scrutinise the website for unusual files

Log into your FTP client, and look carefully at the list of files and folders. Are there any files (often PHP files) that aren’t meant to be there? They may look innocuous, however opening them up may yield some clues. 

Hacks are often written in unreadable or gibberish code. This is obfuscated code, and is meant to be difficult to understand. Since you have a backup, you can afford to delete these gibberish functions to remove the malware. 

Additionally, check your posts and pages in the wp-content folder. Spam link codes are usually hidden in the header section of those pages, and are coded in a way that they are invisible on your website, such as:

<div style=”position: absolute; top: -132px; overflow: auto; width:1259px;”>

If your website is large, this step can take a great deal of time. However, ensure that you are thorough when searching for these malicious scripts, because leaving anything in can lead to reinfection. We’ve written a comprehensive guide to dealing with hacked WordPress sites, but we still recommend using a security plugin.

3. Flush the cache

Once you’ve deleted all the malicious scripts, flush the WordPress cache so the cleaned files load correctly.

4. Reinstall WordPress

Download a fresh install of the same version of WordPress that is currently installed from the repository. You can replace everything on your website barring the wp-config file (which has your database info) and the wp-content folder (which contains your plugin and theme information). 

Replacing your WordPress installation will mean that you are eliminating the possibility of malware in your core files. 

5. Reinstall your themes and plugins

Assuming that you are using legitimate versions of your themes and plugins, and have downloaded them from secure sources, you can assume that a vulnerability in one of them will be fixed with an update. 

It is worth spending a little time researching news to check if any of the plugins you have installed have recently experienced a breach. Ideally, reputable developers will release a security fix in the form of an update. If this is not the case, opt for an alternative that is actively maintained instead. This will stand you in good stead in the long term. 

6. Clean your WordPress database

Unfortunately, infected files in a WordPress database are very difficult to remove, because you need to look for PHP functions and spammy links contained within the tables and data. While spammy links may be easy to spot, PHP functions can be pieces of necessary code. 

If you choose to go this route, download the database and look for functions, such as eval, gzinflate, shell_exec, and base64_decode.

Alternatively, if you back up your website regularly (as you should), you can use the database from a previous version that you are absolutely sure doesn’t have any malware. Obviously, this method is not foolproof, and you may just remove a significant portion of changes and updates you have made since, and still have to contend with malicious code.

How to prevent WordPress spam link injection attack?

Your WordPress website got hacked because it has a vulnerability issue or at least one of your passwords was compromised. Now that you have cleaned the spam link injection hack one way or another, you need to take steps to ensure it doesn’t happen again. 

  • Install a WordPress firewall: A firewall is the best defence against attacks, even if your site has vulnerabilities. Firewalls prevent attack requests from reaching your site, by filtering them out.
  • Update everything: That includes WordPress, themes and plugins. We keep reiterating this advice, because it really is that critical for your website security. New versions contain security patches that address vulnerabilities in older versions.
  • Get rid of nulled software: Free software can have titanic costs in the long term. It is not worth the initial benefit of not having to pay for a plugin. Later on, when vulnerabilities are discovered in it, the costs of attacks are far higher than any amount you would have saved by installing them.
  • Check for backdoors: A backdoor allows the hacker to regain access to your cleaned site, especially if you have manually cleaned out the malware. It takes security expertise to find and remove backdoors effectively, as they are usually hidden quite well. Hackers may also have created admin accounts, so it is worth going through authorised accounts to reconfirm if they belong to users.
  • Change all passwords: Ideally, you would be using different passwords on different websites. After cleaning your website, change all the access passwords. Additionally, change the WordPress database password. This puts up an additional barrier to being re-hacked. Also, if your password was compromised, changing it will effectively plug the security loophole that allowed the hack to occur in the first place. 
  • Harden your site: There are a few ways you can tighten the bolts of your site’s security. Collectively, these ways are called WordPress hardening, and can be a good way to safeguard your site from future attacks.

We often hear from people that they had security scanners and plugins installed, and still got hacked. It is important to remember that security plugins are not 100% proof against hacks, which is why most plugins have a manual cleanup service as well. 

MalCare, for instance, has bundled unlimited manual cleanups with the plugin subscription. Anything you cannot remove with one click, a team of professional security experts will remove for you quickly and efficiently. 

The advantage of having a security plugin is that it will protect your website pretty well by neutralising most of the attacks. For those that do get through, the causes are usually vulnerable plugins and/or compromised passwords.

How to recover from a spam link injection attack?

After clearing malware from your website, next step is repairing the harm caused by the hacks. Two key players in this process are your web host and Google.

Getting back your website access

Contact your web host after cleaning, and request them to re-check your website. Share with them the steps you took to fix the issue. Usually, this will get your website back online.

Removing your site from Google’s blacklist

If your website is blacklisted by Google, you need to request a review. Go to your Google Search Console, click on Security Issues and you’ll see an alert for dangerous content stating which files contain it.

At the end of this alert, there’s a button to request a review. You have to assure that you’ve solved the issues, and explain in detail the steps you took for each issue.

Submit the request and you’ll know the result in few days.

Managing brand damage

This is optional advice. Hacks can damage your brand’s reputation. It helps to publicly admit what happened, the steps you took to fix it, and your future preventive measures.

Honesty can help rebuild trust and sometimes, properly managed hack incidents have even boosted brand value.

What is the impact of spam link injection attack? 

A hacked website is a nightmare for a website owner. Not only is your website affected, but your visitors are at risk of having their data and identity compromised. The website takes an SEO and therefore a financial hit, especially if you have a web store, or earn money with your website. 

You have spent resources on getting your website to where it is. That can all be wiped away very quickly by a hack. It is critical to act fast when your website is hacked, because the damage increases exponentially with time. 


We hope that this article was helpful in removing the WordPress spam link injection from your website. Hack removal is only one of the pillars of website security. It is worth spending some time setting up a strategy to safeguard your website from future incidents. 


How to remove and prevent WordPress spam links in posts? 

The quickest and easiest way to remove spam links from WordPress posts is to use a malware scanner and cleaner. A scanner can check your WordPress files and folders, in addition to your website’s database rapidly. 

Spam links are a symptom of a malware attack known as spam link injection. The hacker inserts links to their spammy websites for dubious products and services in your website, in order to boost their SEO reputation. The links are often invisible on the website, and are hidden via CSS tricks in the website code. 

Related resource: remove seo spam from WordPress

How to find WordPress pages affected by URL injection attack? 

Use a malware scanner and cleaner to detect and remove spam from WordPress web pages. 

Spam links and malicious code can be hidden very cleverly by hackers in the files and folders of your website, and sometimes in your website database as well. 

If your website has lots of web pages and perhaps a large database of content, manually sifting through each one’s code will be a huge undertaking and you will be prone to missing things. It is best to get a scanner to do the heavy lifting, and surgically remove the malware for you. 

What is the impact of spam links on my WordPress website? 

Spam links on a website are heavily penalized by Google, so you are essentially not just looking at a hacked website, but all the attendant hassles of one. Your visitors will not have a safe browsing experience. You will lose SEO ranking, and therefore your traffic will take a hit. If your website is a source of income for you or your business, all that will be affected negatively too. 

As with any hack, time is of the essence when it comes to removing it. The impact becomes exponentially worse the longer a hack is left unaddressed. 

What is spam link injection in WordPress?

Spam link injection in WordPress is a malware attack where your legitimate, good quality website is used to bump up the SEO ranking of a website selling grey market or illegal products or services (read: WordPress pharma hack). 

Hackers accomplish this attack by exploiting a vulnerability on your website, and inserting spam links into your pages. These spam links are often invisible to you, as they make use of CSS tricks not to show up on your website directly. However, when Google’s bots crawl your website, they will find these links. 

Often, search results for your website will show up URLs that you have not created. On clicking them, you will be redirected to the spammy website. 

As will any hack, this one should be addressed as soon as possible. Because of its nature, spam links are tricky to find on web pages, and it is always better to use a scanner and an automatic cleaner to get rid of the hack. 



You may also like

Website logs
What are the Different Types of Website Logs?

Imagine driving a car without knowing your speed, engine temperature, or fuel levels. Sounds terrifying, right? Well, managing a website without understanding website logs is a bit like that. You…

What is Cross-Site Scripting (XSS) and How to Prevent It?

Websites can sometimes act strangely, showing unexpected pop-ups or exposing personal information. This isn’t just a glitch—it’s often due to a sneaky trick called Cross-Site Scripting (XSS). You might be…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.