How to Find and Remove Spam Link Injection in WordPress?
If one of your website visitors reports seeing spam links on your website, there is a good chance your website is infected with the spam link injection hack.
Some typical symptoms of WordPress spam link injection are:
- Spam links on your website; usually of illegal or grey market products
- New pages that you haven’t created
- Weird meta descriptions when your website appears in search
It is a common hack piggybacking on your website to redirect traffic and boost the SEO of spam websites.
Don’t worry, all is not lost. We will help you get rid of the spam link injection hack in WordPress and restore your website to its former pristine glory. This article is a step-by-step guide.
Spam link injections in WordPress are a type of hack that uses your good website to create backlinks to spam websites. Often these websites are for articles or services that are grey market or illegal.
The website in the screenshot below has a spam link injection hack, and yet nothing odd shows up on the homepage.
Essentially, a hacker has inserted spam links from your web pages to their spammy website. You may find these links in posts or even cleverly hidden in the headers of pages. Alternatively, they could have created entire web pages on your domain that redirect to their websites.
Revisiting our example from before, it shows up in search results for grey market pharmaceuticals, as shown in the screenshot below.
On clicking that search result, the page redirects to “Online Pharmacy”. Since the original website is about sustainable fuel, this pharmacy is in no way connected to it. [Ironically, the genuine website doesn’t have SSL installed, whereas this website does.]
Another, more insidious flavour of the spam link injection hack resides in your database. This infection is particularly hard to shift, and requires quite a bit of development expertise to remove successfully.
In this article, we are going to show you how to diagnose a spam link injection hack on your WordPress website, and how to remove spam links from WordPress.
The easiest method is to use MalCare’s free online scanner to assess the extent of the infection, and then clean it automatically in 1 click.
The trouble with this hack—and most other ones—is that the website owner is usually the last to find out about it. Understandably, hackers and their illegal activities thrive most when they pass undetected for as long as possible.
Therefore, if you suspect you’ve gotten a spam link injection hack, you could’ve found out in one of these ways:
Spam links on your website
Spam links and pages are typically hidden from the website administrators by clever hackers, in order to avoid detection and removal. So chances are a visitor spotted strange, unrelated links on your website and brought it to your attention.
This is the very worst way to find out, in our opinion, considering this visitor came to your website for legitimate reasons.
URL injection on Google Search Console
You may have logged into Google Search Console for any reason and come across an unexpected alert. A spam link injection hack presents as “URL Injection” on the search console, and Google helpfully lists out some of the sample spam URLs on your domain alongside.
Try opening one of the sample URLs from the list. Even though the page is ostensibly on your domain, it will redirect to a spam website without fully loading the page.
Web host suspended your account
There are a few reasons why a web host would suspend your account and website. Good web hosts usually also send an email with details of suspension.
Hacks are just one of the reasons, albeit the most serious reason. Web hosts take hacked websites very seriously, as it causes them a significant amount of grief to have a hacked website on their server.
If you suspect a hack, or are alerted to the possibility of one, you can confirm whether your website is hacked or not by scanning your website.
This is the quickest way to determine if your website has the spam link injection hack. Scan your website right now, to get a sense of the extent of the hack. Then, proceed to use the cleaner to remove malware in a single click.
The scanning and removal process happens on the plugin servers, so your server resources are not used. This is a significant advantage, as hacked websites tend to pull a lot of resources to begin with, and this can cause issues with your web host, too. You do not need the additional hassle at this crucial juncture.
Some security plugins are notorious for false positives during scanning, unlike MalCare. You may want to reconfirm that your website does indeed have a spam link injection hack. Here are ways you can check:
Google your website
When your website appears in the SERPs, you might expect to see the metadata that you have set up. However, a hacked website will often show gibberish in the meta description, or you will see unrelated pages that you have not created show up on the search results.
Blacklisted by Google
On clicking the search result, you might see a Google blacklist warning. This is when Google has detected your website has been hacked, although it won’t clarify what type of hack has occurred.
Alternatively, if your website has not progressed to that stage as yet, you may see a “This site may be hacked” warning in the search results itself.
Use an incognito browser to visit your website
Hackers can cleverly insert malware so that it is undetectable by logged in admin users. Use an incognito browser or another machine to visit your website. Make sure you aren’t logged in. If you see pop ups and spam links on your website, you know you’ve been hacked.
Similarly, you may also find web pages that you didn’t create.
Check your website code for anomalies
This is a slightly more advanced method to check for a hack. Navigate to a post or page, and use Inspect Element on your browser. In the header section, there may be code that contains links, either in cleartext or obfuscated. You may see spam URLs clearly legible.
Check Google Analytics for malicious keywords.
Your traffic should be coming in from relevant keywords. If you see that you’re getting traffic for keywords like “buy viagra online”, or “cheap gucci bags”, or spammy keywords, you can be sure your website has been hacked.
All this may seem daunting and worrisome. However, don’t worry! Hacks are easy to clean with the right tools. The important thing is to stay calm and read on.
There are 2 ways you can remove the spam link injection from your WordPress website:
As you can imagine, we strongly recommend that you use a security plugin to remove spam links from WordPress. We will outline steps for manual cleaning as well, however please note that it should only be attempted if you are very familiar with WordPress files and its database, and can confidently navigate code.
1. Use a security plugin to clean the infection instantly [RECOMMENDED]
When your website is hacked, time is of the essence. Install MalCare to instantly remove the spam link injection hack.
This is the easiest and most efficient way to rid your website of a hack. A good security plugin will not only detect the malware, but also remove it surgically, without affecting the core files of your website. Therefore, the files that you require stay put and functional.
Note: Not all security plugins will be able to do this. Auto clean is a feature of MalCare, and is based on an intelligent malware detection system.
The real advantage of a security plugin is that it ensures that you avoid reinfection. We will cover that in a subsequent section.
It is of course possible to remove malware manually, however there are several downsides to doing so. Before we take you through the steps to rid your website of its hack, we want to quickly signpost the dangers of manual malware removal.
- Cleverly concealed malware: Hacks are most successful when they remain undetected for as long as possible. Therefore, malware is usually hidden carefully in files and folders, and is not immediately detectable.
- There may be backdoors: Hackers will leave means for them to regain access to your website in case the current hack is removed. These backdoors are very well hidden, and you will see your website getting repeatedly hacked because of them.
- You have to remove the root cause of the malware: Why did your website get hacked in the first place? Was it a vulnerability, or perhaps a compromised password? Unless this cause is addressed, reinfections will occur.
- You can inadvertently remove legitimate code: The chances of this are relatively slim, but assuming your website has a few plugins, it is sometimes difficult to distinguish between actual code and malware. Deleting good code will break your site.
Right, now that we have gotten the caveats out of the way, let’s look at how to remove malware manually from your website.
1. Take a backup of your website
Before you do anything else, take a backup of your WordPress website. Even though it currently has an infection, it is still a working website. This way, even if you go wrong and render your code unusable, you can at least get it back to this working stage.
A backup would be helpful, because a hacked website can be fixed by experts, but websites with key files missing are very difficult to resurrect, and will cost you a great deal more.
2. Scrutinise the website for unusual files
Log into your FTP client, and look carefully at the list of files and folders. Are there any files (often PHP files) that aren’t meant to be there? They may look innocuous, however opening them up may yield some clues.
Hacks are often written in unreadable or gibberish code. This is obfuscated code, and is meant to be difficult to understand. Since you have a backup, you can afford to delete these gibberish functions to remove the malware.
Additionally, check your posts and pages in the wp-content folder. Spam link codes are usually hidden in the header section of those pages, and are coded in a way that they are invisible on your website, such as:
<div style="position: absolute; top: -132px; overflow: auto; width:1259px;">
If your website is large, this step can take a great deal of time. However, ensure that you are thorough when searching for these bits of malicious code, because leaving anything in can lead to reinfection.
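An added example, not part of the original article: a Python check that parses a page's HTML and reports off-site links sitting inside elements hidden with inline CSS, such as the off-screen `<div>` shown above. The `HIDING` pattern list, the `find_hidden_links` helper and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style declarations that take an element out of view (heuristic list).
HIDING = re.compile(
    r"(?<![\w-])(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:top|left|text-indent)\s*:\s*-\d{2,}"
    r"|(?:font-size|height|width|opacity)\s*:\s*0(?![.\d]))", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.open_tags = []  # (tag, styled_hidden) for each open element
        self.findings = []   # (line, href) of off-site links in hidden markup

    def is_external(self, href):
        host = (urlparse(href).hostname or "").lower()
        own = host == self.site_host or host.endswith("." + self.site_host)
        return bool(host) and not own

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDING.search(attrs.get("style") or ""))
        concealed = hidden or any(h for _, h in self.open_tags)
        href = attrs.get("href") or ""
        if tag == "a" and concealed and self.is_external(href):
            self.findings.append((self.getpos()[0], href))
        if tag not in VOID:
            self.open_tags.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open tag; tolerates sloppy markup.
        for i in range(len(self.open_tags) - 1, -1, -1):
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break

def find_hidden_links(html, site_host):
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed page: the article's off-screen <div> wrapped around a spam link.
SAMPLE = """<body><p><a href="https://partner.example.org/report">report</a></p>
<div style="position: absolute; top: -132px; overflow: auto; width:1259px;">
<a href="http://pharmacy.invalid/cheap-pills">cheap pills</a> <a href="/about">about</a>
</div><p style="margin-top: -4px"><a href="https://shop.example.com/">shop</a></p></body>"""

if __name__ == "__main__":
    print(find_hidden_links(SAMPLE, "example.com"))
```

Only inline `style` attributes are inspected; links hidden through a stylesheet class or injected by script need the rendered page to be checked as well.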
3. Flush the cache
Once you’ve deleted all the malicious code, flush the WordPress cache so the cleaned files load correctly.
4. Replace your WordPress installation
Download a fresh install of the same version of WordPress that is currently installed from the repository. You can replace everything on your website barring the wp-config file (which has your database info) and the wp-content folder (which contains your plugin and theme information).
Replacing your WordPress installation will mean that you are eliminating the possibility of malware in your core files.
5. Reinstall your themes and plugins
Assuming that you are using legitimate versions of your themes and plugins, and have downloaded them from secure sources, you can assume that a vulnerability in one of them will be fixed with an update.
It is worth spending a little time researching news to check if any of the plugins you have installed have recently experienced a breach. Ideally, reputable developers will release a security fix in the form of an update. If this is not the case, opt for an alternative that is actively maintained instead. This will stand you in good stead in the long term.
6. Clean your database
Unfortunately, infected files in a database are very difficult to remove, because you need to look for PHP functions and spammy links contained within the tables and data. While spammy links may be easy to spot, PHP functions can be pieces of necessary code.
If you choose to go this route, download the database and look for functions, such as eval, gzinflate, shell_exec, and base64_decode.
Alternatively, if you back up your website regularly (as you should), you can use the database from a previous version that you are absolutely sure doesn’t have any malware. Obviously, this method is not foolproof, and you may just remove a significant portion of changes and updates you have made since, and still have to contend with malicious code.
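An added example, not part of the original article: a Python pass over a downloaded SQL dump that flags the functions named in step 6 together with off-site link hosts, and records which table each hit sits in. The severity labels, the `scan_dump` helper, the `known_hosts` allowlist and the dump lines are assumptions; the triage rule (an `eval` fed directly by a decoder ranks above a lone function name) is a heuristic added here because, as noted above, these functions can also appear in necessary code.

```python
import re

# PHP calls the article lists as worth searching for in the dump.
CALLS = re.compile(r"\b(eval|gzinflate|shell_exec|base64_decode)\s*\(", re.I)
# eval() fed straight from a decoder runs a concealed payload (added heuristic).
CHAIN = re.compile(r"\beval\s*\(\s*@?(?:(?:gzinflate|base64_decode)\s*\(\s*)+", re.I)
# Host part of href values; mysqldump escapes the quotes as \" or \'.
LINK = re.compile(r"""href=\\?["'](?:https?:)?//([^/"'\\\s]+)""", re.I)
INSERT = re.compile(r"INSERT INTO `?(\w+)`?", re.I)

def scan_dump(lines, known_hosts=()):
    """Return (line_no, table, severity, calls, unknown_hosts) per suspicious line."""
    known = {h.lower() for h in known_hosts}
    findings, table = [], None
    for line_no, line in enumerate(lines, 1):
        m = INSERT.match(line)
        if m:
            table = m.group(1)      # remember which table the rows belong to
        calls = sorted({c.lower() for c in CALLS.findall(line)})
        hosts = sorted({h.lower() for h in LINK.findall(line)} - known)
        if CHAIN.search(line):
            severity = "high"       # decoder chain: almost never legitimate
        elif calls:
            severity = "review"     # may be necessary code or plain text
        elif hosts:
            severity = "link"       # off-site link to check by hand
        else:
            continue
        findings.append((line_no, table, severity, calls, hosts))
    return findings

# Constructed dump lines (not taken from a real site).
DUMP = r"""INSERT INTO `wp_options` VALUES (101,'widget_text','<?php eval(gzinflate(base64_decode(\'CONSTRUCTED\'))); ?>','yes');
INSERT INTO `wp_posts` VALUES (7,'Decoding a token','Call base64_decode($token) in PHP.','publish');
INSERT INTO `wp_posts` VALUES (8,'Fuel prices','<div style=\"position: absolute; top: -132px;\"><a href=\"http://pharmacy.invalid/pills\">pills</a></div>','publish');
INSERT INTO `wp_posts` VALUES (9,'About','<a href=\"https://example.com/team\">team</a>','publish');""".splitlines()

if __name__ == "__main__":
    for finding in scan_dump(DUMP, known_hosts={"example.com"}):
        print(finding)
```

Run it against the downloaded copy, not the live database; dumps written with extended inserts put many rows on one line, so a reported line may need to be split before the offending row can be located.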
Your WordPress website got hacked because it has a vulnerability issue or at least one of your passwords was compromised. Now that you have cleaned the spam link injection hack one way or another, you need to take steps to ensure it doesn’t happen again.
- Update everything: That includes WordPress, themes and plugins. We keep reiterating this advice, because it really is that critical for your website security. New versions contain security patches that address vulnerabilities in older versions.
- Get rid of nulled software: Free software can have titanic costs in the long term. It is not worth the initial benefit of not having to pay for a plugin. Later on, when vulnerabilities are discovered in it, the costs of attacks are far higher than any amount you would have saved by installing them.
- Check for backdoors: A backdoor allows the hacker to regain access to your cleaned site, especially if you have manually cleaned out the malware. It takes security expertise to find and remove backdoors effectively, as they are usually hidden quite well. Hackers may also have created admin accounts, so it is worth going through authorised accounts to reconfirm if they belong to users.
- Change all passwords: Ideally, you would be using different passwords on different websites. After cleaning your website, change all the access passwords. Additionally, change the database password. This puts up an additional barrier to being re-hacked. Also, if your password was compromised, changing it will effectively plug the security loophole that allowed the hack to occur in the first place.
We often hear from people that they had security scanners and plugins installed, and still got hacked. It is important to remember that security plugins are not 100% proof against hacks, which is why most plugins have a manual cleanup service as well.
MalCare, for instance, has bundled unlimited manual cleanups for free with the plugin subscription. Anything you cannot remove with one click, a team of professional security experts will remove for you quickly and efficiently.
The advantage of having a security plugin is that it will protect your website pretty well by neutralising most of the attacks. For those that do get through, the causes are usually vulnerable plugins and/or compromised passwords.
A hacked website is a nightmare for a website owner. Not only is your website affected, but your visitors are at risk of having their data and identity compromised. The website takes an SEO and therefore a financial hit, especially if you have a web store, or earn money with your website.
You have spent resources on getting your website to where it is. That can all be wiped away very quickly by a hack. It is critical to act fast when your website is hacked, because the damage increases exponentially with time.
We hope that this article was helpful in removing the WordPress spam link injection from your website. Hack removal is only one of the pillars of website security. It is worth spending some time setting up a strategy to safeguard your website from future incidents.
The quickest and easiest way to remove spam links from WordPress posts is to use a malware scanner and cleaner. A scanner can check your WordPress files and folders, in addition to your website’s database rapidly.
Spam links are a symptom of a malware attack known as spam link injection. The hacker inserts links to their spammy websites for dubious products and services in your website, in order to boost their SEO reputation. The links are often invisible on the website, and are hidden via CSS tricks in the website code.
How to find WordPress pages affected by URL injection attack?
Use a malware scanner and cleaner to detect and remove spam from WordPress web pages.
Spam links and malicious code can be hidden very cleverly by hackers in the files and folders of your website, and sometimes in your website database as well.
If your website has lots of web pages and perhaps a large database of content, manually sifting through each one’s code will be a huge undertaking and you will be prone to missing things. It is best to get a scanner to do the heavy lifting, and surgically remove the malware for you.
Spam links on a website are heavily penalized by Google, so you are essentially not just looking at a hacked website, but all the attendant hassles of one. Your visitors will not have a safe browsing experience. You will lose SEO ranking, and therefore your traffic will take a hit. If your website is a source of income for you or your business, all that will be affected negatively too.
As with any hack, time is of the essence when it comes to removing it. The impact becomes exponentially worse the longer a hack is left unaddressed.
Spam link injection in WordPress is a malware attack where your legitimate, good quality website is used to bump up the SEO ranking of a website selling grey market or illegal products or services (read: pharma hack).
Hackers accomplish this attack by exploiting a vulnerability on your website, and inserting spam links into your pages. These spam links are often invisible to you, as they make use of CSS tricks not to show up on your website directly. However, when Google’s bots crawl your website, they will find these links.
Often, search results for your website will show up URLs that you have not created. On clicking them, you will be redirected to the spammy website.
As with any hack, this one should be addressed as soon as possible. Because of its nature, spam links are tricky to find on web pages, and it is always better to use a scanner and an automatic cleaner to get rid of the hack.
Karishma was an engineer in a former life, and so she specialises in making tech more accessible through communication. When she isn't writing, Karishma spends her time tinkering in the innards of WordPress websites.