SEO spam injection attacks are a nightmare.
They are well-disguised, hidden away from plain sight. And the longer they stay on your site, the more damage they do. Since they are hard to detect, many site owners don’t notice it until it’s too late.
But you are among the lucky ones. Your security scanner detected it. Or was it Google Search Consoles or an SEO tool showing your site is ranking for “cheap Gucci bags,” or something of the sort.
That said, finding and cleaning SEO spams are tricky. This is why even after removing it, many websites experience re-hacks.
Over the past decade, we’ve helped thousands of clients remove all traces of SEO spams from their websites. We’ll show you the exact steps we’ve been taking to clean SEO spams.
Along with this, we offer tips on how to ensure you never become a victim of SEO spam hacks again.
TL;DR: To remove the spam from your site install this WordPress SEO spam removal plugin. It’ll clean your website under 60 seconds. It’ll also scan your website on a daily basis and protect it from hackers and bots. This will help prevent future hack attacks.
What Is SEO Spam?
SEO spam, also known as spamdexing, is an attempt to use your website to rank content that won’t rank otherwise. This is a black hat SEO technique. Hackers use it to generate revenue but in the process, they spam & destroy your website.
Why is it called SEO spam?
You probably know that SEO stands for search engine optimization. Businesses use SEO tactics to optimize the content of their websites so that they rank on search engines like Google.
SEO is not considered spam by default. But certain SEO tactics are considered black hat.
If Google finds out that your website is engaging in black hat SEO, they will ban you from the search engine.
This is why spam hacks are so dangerous. Hackers break into your website and use black hat SEO techniques to rank their own products or sites. In the end, they make a lot of money and your website is left in ashes.
How do hackers gain access to your site in the first place?
Hackers gain access to any website via an outdated plugin or theme or weak credentials.
Outdated plugins and themes contain vulnerability that the hacker exploits to break into your website and injects virus like favicon.ico malware, wp-feed.php malware etc;.
They might even deploy bots to your login page to try and guess your username and password. Bots can try out hundreds of credentials within a few minutes. They can crack weak credentials in seconds and again access to your admin dashboard.
Once they have access to your admin dashboard, they start injecting SEO spams into your posts and pages.
If you have just learned that your site has SEO spam, you need to clean it thoroughly. We’ll show you the steps you need to take in the next section.
But if you wish to gain more knowledge about SEO spam on WordPress, why hackers distribute it, and how it impacts your site, jump to this section.
How to Detect & Clean WordPress SEO Spam Hacks?
You may have detected the following signs indicating the presence of SEO spam on your website:
- Warnings in Google Search Console
- Deceptive site ahead Warning, this site may be hacked warning in Google search results
- A sudden drop or increase in traffic
- Unexpected ads
- New pages and posts
- Unusual anchor text like “buy viagra” or “cheap Gucci shoes” or Unusual Japanese characters
An online scanner like Sucuri SiteCheck may have detected traces of SEO spam on your site. But now, you need a proper dedicated scanner to hunt down every single spam script on your site.
The MalCare Security Scanner is the best plugin for the job.
Its primary focus is to detect every trace of the malware on your website. To achieve this it takes the following steps:
- Dig deep, look into every nook and corner to find SEO spam scripts.
- Identify well-disguised or new types of malware hidden in your site.
Let’s get that malware once and for all.
Detecting SEO Spams
Step 1: Download and install MalCare Security on your WordPress website.
Step 2: On your WordPress dashboard, go to MalCare, enter your email address, and click on Secure Site Now.
Step 3: Next, enter a new password and add your site to MalCare’s dashboard.
The plugin will immediately start scanning your site. It’ll take a few minutes for the process to complete. When MalCare finds malware on your website, it’ll inform you about it.
Once malware is detected, you need to clean your site immediately. The longer you wait, the more damage you will incur.
Cleaning SEO Spams
Step 1: On its dashboard, MalCare will inform you that your site is hacked.
To remove the hack, i.e., SEO spam, click on Auto-Clean.
MalCare will start cleaning your website immediately.
Please note that Auto-Clean is a premium feature and you’d need to upgrade to use it. You can clean one site for $99. The license will last for a year and within that time frame, you can clean your site as many times as you want. But if you have MalCare installed on your website, it’ll protect you from hackers and bot. So you don’t really need to clean your website ever again.
If you want to clean and secure your site with other security plugins, then check out this list of Best WordPress security plugins.
How To Protect Websites From SEO Spam?
Removal of SEO spams does not guarantee your site’s safety in the future.
Sure you can install a security plugin and it will secure your site on many fronts. But security is a shared responsibility. You have to do your bit.
Here, we’ll discuss which security measures can be left for a security plugin to handle, which ones do you need to shoulder.
1. Using a Firewall
A firewall sits between your website and the traffic trying to access your site.
Before anyone accesses your site, the firewall investigates whether it was involved in any nefarious activities in the past. If it was, then the traffic from country or device is promptly blocked.
If you cleaned your website with MalCare, you don’t have to worry about installing a firewall plugin. MalCare offers an in-built firewall and it’s automatically enabled as soon as you install the plugin on your site.
2. Protecting Your Login Page
The login page is the most vulnerable page on a WordPress site.
It is the gateway to your website. Hence hackers target this page more than any other page on the site.
Hackers try and find the right combination of username and password so that they can break into your site. This type of hack attack is called the brute force attack.
They even design bots to try hundreds of combinations within minutes.
User accounts with unchallenging usernames and passwords are easily cracked.
To prevent such a catastrophe from happening, you need to take the following steps:
- Ensure all users are using unique usernames and strong passwords.
- Limit the number of failed login attempts.
This is a perfect example of security being a shared responsibility.
You need to talk to your users to ensure they are using strong credentials. But you also need a security plugin to enable CAPTCHA protection.
If you have MalCare installed on your site, then CAPTCHA-based login protection is already enabled. Three failed attempts to log into your site will block the user from making more attempts.
There are a few more things you can do to protect your login page. We’ve compiled a list here – WordPress Login Security Guide.
3. Keeping Your Site Updated
From time to time, plugins, themes and the core of your website require an update.
Sometimes you defer updating your site until you have the time to. This is a big mistake.
Updates not only bring in new features but also security patches. Without them, the plugin or theme or even the core is vulnerable. Hackers take advantage of this vulnerability to hack your website.
The point is you need to keep your site updated. Check your site regularly for new updates.
It’s annoying to have to check for updates regularly, so many managers tend to automate their updates. However, automatic updates are known to break websites, and therefore, it’s advisable.
Here’s a guide on how to update WordPress sites safely.
4. Employing Least Privileged User Principles
On a WordPress website, users are assigned one of the following roles:
- Superadmin (in multisite installs)
- Administrator
- Editor
- Author
- Contributor
- Subscriber
Not every user can access everything on a website. Every role has a set of powers.
The super admin and admin are bestowed with the highest power and the subscriber with the lowest
Admin roles are exploitable therefore assign user roles carefully. Here’s a great article on which roles enable what kind of power – WordPress Roles and Responsibilities.
By taking the steps we have listed above you are laying a foundation for website security. You can build on that. You can take many more security measures. Here’s an exhaustive list of WordPress security measures you can take.
Why Do Hackers Want to Distribute SEO Spam?
The main motive behind SEO spam on WordPress is to generate money by scamming people. To be more precise, by scamming your visitors.
Hackers gain access to your site via a vulnerability like a weak password or an outdated plugin.
Once inside, they find your top-ranking pages and carry out the following activities:
- Inserting links of their site into existing pages
- Adding spam comments to your posts and pages
- Redirecting your pages to other websites
- Creating new posts and pages with links and spammy content, etc
Their goal is to drive traffic away from your scam website.
Ranking on Google takes a lot of effort. So instead of putting in all that effort, they are piggybacking on your website rankings.
Hackers target WordPress websites of all sizes and not necessarily just the large ones. The most common victims are small websites, NGOs, and WordPress blogs who take their site’s security lightly.
Types Of WordPress SEO Spam Attacks
There are 5 different types of SEO spam on WordPress that hackers carry out on hacked websites. They are:
- Spammy Keyword Insertion
- Spam Link Injection
- Creating Spam Pages
- Display Spam Ads And Banners
- Spam Emails
Hackers can use a combination of the above tactics on a hacked website. Let’s take a look at what each tactic entails:
1. Spammy Keyword Insertion
Hackers insert keywords like “cheap Gucci shoes” or “buy Viagra” into the existing content of your website. Search engines come to think that the content is about “cheap Gucci shoes” or “buy Viagra.” They start ranking your content for those keywords.
2. Spam Link Injection
Visitors looking for “cheap Gucci shoes” or “buy Viagra” come to your site and they click on the links implanted by hackers to go to scam sites claiming to sell those products.
3. Creating Spam Pages
In websites with large numbers of posts, hackers create new pages with spam content. These pages are stuffed with keyword links pointing to scammy websites. These pages rank quickly because your site already has a good search engine ranking.
4. Display Spam Ads and Banners
Banners and popup ads draw attention and convince people to click on them. Hackers utilize them in the pages they are publishing on your site. Clicking on the ads will inevitably lead your visitors to scam sites.
5. Spam Emails
If hackers have access to your site’s database, they will have access to your customer emails. They can start sending emails to promote products. The email will be sent from your legitimate email address which customers will think is trustworthy. Customers will end up buying products they’ll never receive.
Customers will lose trust in your business and they’ll start flagging your emails as spam. Mail servers will mark you as spam. This is hard to recover from and you can lose valuable customers for good.
How Does SEO Spam Affect Your Site
To explain what happens to your website when it’s under a spam attack, we’ve taken a real-life example to illustrate.
In this case, the hacker wants to sell illegal or banned pharmaceutical products online such as Viagra and Cialis through a website called ‘Canada Drugs’.
They’ve inserted the keywords ‘Viagra and Cialis’ into the top-ranking pages of websites they hacked. This is referred to as the black-hat SEO techniques also known as pharma hack, when someone wants to buy these drugs online, these websites ranked.
We typed in “buy Viagra Cialis online” in Google’s search bar and these were the results we got.
The websites that ranked for this keyword were not pharmaceutical ones but rather:
- The ‘About’ page of an eco-friendly company
- The ‘tariff details’ page of a French music festival’s website
- The beverage page of the menu of a Mexican restaurant
Do you see how random that is? They target any site that’s easy to attack.
Now, we mentioned earlier that it is one of the most difficult ones to detect. This is because it’s done in such a way to hide it from you and allow only search engine bots to see it.
When we accessed the first website directly by typing the domain name in the address bar, the pages looked normal.
But if we searched for it on Google and then clicked on the link to this site, it displayed the spam page that promotes the hacker’s pharma website ‘Canada Drugs’. Hacks go undetected for a long time as the owner can’t see it normally.
As a result of SEO spam on WordPress, your site will experience the following impacts:
- Your pages are hijacked so they will start raking for the wrong keywords. This means no one is buying your product or services. Therefore you will experience a loss in revenue.
- Since your site is ranking for wrong keywords, all your SEO efforts are wasted.
- Visitors coming to your site are redirected to scam websites where they will pay to buy products they’ll never receive. This will impact your reputation and trust. The next time anyone finds your site on the search engine, they will be careful to not click on your link.
- When your hosting provider and search engines find out that your site is hacked, they will suspend and blacklist your site as well as your adwords account.
- Loss of customer information will result in loss of trust which will ruin your business.
What Next?
Congratulations on removing SEO spams from your WordPress website.
Unfortunately, that’s not the end of it. Once you are hacked, you may experience re-hacks. This is why taking protective measures is so important.
- Install and activate an effective WordPress security plugin such as MalCare on your site. The plugin has a firewall to block spam, malicious bots, and hackers.
- Take a complete backup of your website using a WordPress Backup Plugin so that when your website goes down, you can restore it back to normal in a jiffy.
- Also, harden your website to ensure that it remains protected from future hack attempts.
Protect your website 24 x 7 with MalCare Security Plugin