Learn How to Remove SEO Spam from Your WordPress Website

Brian Bojan Dordevic

President at Alpha Efficiency


SEO spam injections are often well disguised and hidden away from the eyes of owners. They do more damage the longer they stay on your website, but many owners don’t notice them until it is too late. They are very tricky to find and clean, and many websites experience re-hacks even after their removal.

What is SEO spam?

SEO spam, also known as spamdexing, is a black hat SEO technique where hackers use your website to rank their own products or sites. Once Google finds out that your website is engaging in forbidden SEO tactics, they will ban you from the search engine. By that time, hackers have already made a lot of money at your expense, and you are left without the most important source of prospects and revenue.

How do hackers gain access to your website?

SEO takes a lot of time and hard work. So instead of doing it themselves, hackers exploit outdated plugins and themes that often contain vulnerabilities to gain access to your website. They can also deploy bots to your login page. These bots attempt to crack your username and password and gain access to your admin dashboard by trying out hundreds of credentials within a couple of minutes. Once they are in, the hardest part of their work is done. Now, all they need to do is insert SEO spam into your posts and pages so your website starts making money for them. They do this by finding your top-ranking pages and carrying out these activities, among others:

  • Inserting links of their website into existing pages
  • Adding spam comments to your posts and pages
  • Redirecting your pages to other websites 
  • Creating new posts and pages with links and spammy content

Hackers aim to drive away traffic from your site, and they don’t necessarily target only large ones. The usual victims are small websites and WordPress blogs of users that take their website’s security lightly.


What are the types of SEO spam attacks?

There are five different types of SEO spam:

  • Spam keyword insertion – Hackers insert keywords that they wish your website to rank for into the existing content. The search engine then recognizes those keywords and starts ranking your website accordingly.
  • Spam link injection – Your visitors click on the links implanted by hackers, which lead them to spam websites claiming to sell those products.
  • Creating new pages – If your website has a large number of posts, hackers will create new pages with spammy content crowded with keyword links pointing to spammy sites. These pages rank easily since your website already has a high search engine ranking.
  • Display banners and ads – Banners and pop-up ads are perfect for drawing visitors’ attention. Once your visitors click on banners implemented by hackers, they are led to spam sites.
  • Spam emails – Hackers that have access to your website’s database also have access to your customers’ emails. They use your email address to send emails in which they promote different products. Since your customers find your address trustworthy, they may end up buying products, but never receiving them.

Needless to say, this kind of practice makes your customers lose trust in you. They will probably start marking your emails as spam. Once that starts to happen, mail servers will also mark you as spam. This is not easy to recover from and you will most probably lose valuable customers forever.

How does SEO spam affect your website?

Let’s say hackers want to sell watches. They will hack a website, find its top-ranking pages, and insert keywords such as buy watches online. Once a person types in buy watches online, an ad coming from a hacked website will appear. Those websites can range from an About page of an automobile company to the menu page of a Chinese restaurant. Basically, any website that is easy to hack.

Once the user clicks on the ad, they will be redirected to a spam website pretending to sell watches. The user may then spend money, but the only sure thing is that they will never receive what they paid for. 

These kinds of spam are very difficult to detect because they are designed to stay hidden from the website owner and to be found only by search engine bots. If you access the website directly by typing the domain name in the address bar, the pages look normal. But if you look for it through a search engine, the spam page will be displayed. This is the biggest reason why hackers go for a long time without being detected.

Now, let’s look at the damage done to your business:

  • Since hackers had inserted their own keywords into your site, it will start ranking for those keywords instead of yours. Soon you will see a drop in sales and experience a loss in revenue.
  • You can consider all the energy and effort invested in SEO a waste of time.
  • As your visitors are now being redirected to a website where they will pay for a product they will never receive, your reputation and trust are being damaged. Next time someone finds your website on search engines, they will be careful not to click on the link.
  • Your website will be suspended and blacklisted the moment the search engines and your hosting provider find out that it is hacked.
  • Loss of customer information will also lead to a loss of trust and you will find it extremely hard to put your business back on its feet.

How to check if your website has fallen victim to spam links?

If you suspect that somebody hijacked your website, here are a couple of steps you can take to check whether or not you have fallen victim to hacker attacks:

  • Check if Google blacklisted you – Since malware is implemented into your website in a way that is hard for you to recognize, chances are Google will notice it before you do. If they find malware on your website that will harm users, they will blacklist you. They will notify you that your site has been blacklisted due to the presence of malware via email. Also, a warning or a notification will be displayed to users trying to access your website, as well as on the SERP so they can see it before they click on your link. User experience is Google’s top priority. Therefore they will react fast to provide their users with a safe environment.
  • Check if your web host suspended you – Just like Google, your web host will also suspend your website in case they find malicious software on it. You will get a notification, and depending on the provider, they will either inform you that there is malware present or you might have to contact them for information. Web host providers suspend hacked websites because they usually exceed allotted server resources. Also, in case you are using a shared server, you may put other websites at risk.
  • Check Google Analytics and Search Console for malicious keywords – Google Analytics allows you to see which keywords generate traffic on your website. If you see the traffic coming from the keywords that you did not specify, you can be sure that your website is hacked.

How to find and clean spam link injections?

We have already talked about how complicated and hard to fix this hack is. There are two ways to find and clean your website:

Finding and cleaning spam link injections manually

This is an extremely hard and complicated task. Most of the time, the spam will simply regenerate no matter how much effort you put in. There are usually two reasons for that:

  • A vulnerability on your website allows hackers to access it at will
  • The injected malware uses cron jobs, which are a way of creating backdoors on your website every other day

However, if you choose to try out this method, here is how to do that:

Scanning files and removing malicious code

Log in to your hosting account and go to cPanel > File Manager > public_html

Here, you can find three folders: wp-admin, wp-includes, and wp-content.

Search for malicious code in all your files. Hackers use inline styles that hide the injected links so they are not visible inside the page. That should look something like this:

<div style="position: absolute; top: -132px; overflow: auto; width: 1259px;">

After you have found the spam codes, all you need to do is delete them. If you are lucky, the spam code will be the same on all your pages.
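
The same check can be run over many pages at once. The following is an added example, not code from the original article: it parses page markup and lists every link nested inside an element whose inline style hides it. The style patterns, the function name find_hidden_links and the sample markup with its placeholder URLs are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that keep injected links out of sight. This list is
# an assumption for the example, not an exhaustive signature set.
HIDING_STYLE = re.compile(
    r"(?:top|left|text-indent)\s*:\s*-\d+"
    r"|display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0",
    re.I,
)
# Elements that never get a closing tag and must not be pushed on the stack.
VOID_TAGS = frozenset("br img hr input meta link area base col embed wbr".split())

class HiddenLinkFinder(HTMLParser):
    """Collect hrefs of <a> tags nested inside elements styled to be hidden."""

    def __init__(self):
        super().__init__()
        self.stack = []          # one bool per open element: does it hide content?
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDING_STYLE.search(attrs.get("style") or ""))
        # A link is suspicious if it, or any element still open around it, hides.
        if tag == "a" and attrs.get("href") and (hides or any(self.stack)):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID_TAGS:
            self.stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.hidden_links

# Constructed sample: normal content plus an off-screen block shaped like
# the one shown above (URLs are placeholders).
SAMPLE = """
<p>Our <a href="/menu">menu</a> changes weekly.</p>
<div style="position: absolute; top: -132px; overflow: auto; width: 1259px;">
  <a href="http://spam.example/watches">buy watches online</a><br>
  <span><a href="http://spam.example/deals">cheap watches</a></span>
</div>
<p><a href="/contact">Contact us</a></p>
"""
```

Calling find_hidden_links(SAMPLE) returns only the two links inside the off-screen div; the visible menu and contact links are not reported.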

Scanning and cleaning your database

Click on cPanel > phpMyAdmin from your hosting dashboard. Find your database on the list on the left side and choose Export. Leave the default settings at Quick export and SQL format. After you have downloaded the database, open it as a .txt file in Notepad.

Now look for PHP functions like base64_decode, gzinflate, eval, and shell_exec. Although these are not the only PHP functions that hackers use, they are the most common ones. Remove these functions by editing out the malicious text or deleting the record. After you clean the database, import it back into your website using phpMyAdmin.

Keep in mind that these PHP functions are not always malicious. If you delete non-malicious ones you can break the functionality of your website.
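
Because these functions can also appear in harmless content, it is safer to list the matches and review each one than to search and delete. The following is an added example, not code from the original article: it scans an exported SQL dump for the four functions named above and reports the line, the table and a short excerpt without changing anything. The function name scan_dump and the sample dump are constructed for the illustration.

```python
import re

# The four functions named in the text. The pattern requires "(" after the
# name, so a word such as "evaluate" in a post is not reported.
CALL = re.compile(r"\b(base64_decode|gzinflate|eval|shell_exec)\s*\(", re.I)
INSERT = re.compile(r"INSERT INTO `([^`]+)`", re.I)

def scan_dump(lines):
    """Return findings for manual review; nothing is modified or deleted."""
    findings, table = [], None
    for lineno, line in enumerate(lines, start=1):
        m = INSERT.search(line)
        if m:
            table = m.group(1)   # rows on the following lines belong to it
        calls = [c.group(1).lower() for c in CALL.finditer(line)]
        if not calls:
            continue
        first = CALL.search(line).start()
        findings.append({
            "line": lineno,
            "table": table,
            "functions": sorted(set(calls)),
            # Several of them on one line is the usual shape of an obfuscation
            # wrapper such as eval(gzinflate(base64_decode(...))): review first.
            "chained": len(set(calls)) >= 2,
            "excerpt": line[max(0, first - 20):first + 60].strip(),
        })
    return findings

# Constructed sample dump: one obfuscated payload, one harmless tutorial
# snippet that mentions a function, and one ordinary sentence.
DUMP = r"""
INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES
(1, 'Welcome to our shop.'),
(2, 'We evaluate (and test) every watch strap by hand.'),
(3, '<?php eval(gzinflate(base64_decode(\'CONSTRUCTED_PLACEHOLDER\'))); ?>');
INSERT INTO `wp_options` (`option_name`, `option_value`) VALUES
('widget_text', 'How to use base64_decode() in PHP: a tutorial snippet');
""".strip().splitlines()
```

On the sample, the payload in wp_posts is reported with chained set to True, while the tutorial text in wp_options is reported as a single match that a reviewer would keep.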

Now, all you need to do is tend to the vulnerability of your website. We suggest the following actions:

  • Change all of your passwords
  • Update your WordPress to the latest version
  • Check your users to make sure there are no unknown ones
  • Limit the number of people who have admin access. You can allow editor and subscriber access to those that don’t need admin access.
  • Implement two-factor authentication
  • Limit the number of login attempts
  • Disable file editor
  • Delete inactive themes and plugins
  • Update the themes and plugins you use to the latest version
  • Don’t use pirated versions of themes and plugins
  • Check details of your themes and plugins in the wordpress.org repository
  • Use trusted web host with good security measures
  • In case you are using a shared server, think about moving to a dedicated one

Let Alpha Efficiency check and clean your website

Not only is it complicated to clean your website manually, but it may also not solve your problem. Spam injections are very hard to recognize, even for a trained eye. And what is even worse, after all your hard work in combing your website and cleaning it, the spam injections are most likely to come back in a day or two.

Alpha Efficiency is a team of educated professionals with many years of experience in dealing with malware. Our SEO agency near Chicago will search your website for spam injections, get rid of them, and upgrade the security of your site while providing feedback every step of the way.

With Alpha Efficiency as your partner, you can rest assured that your SEO efforts are protected and your business reputation safe.

