What is SEO Spam on WordPress Websites?

SEO spam hacks are one of the fastest-growing types of hack in the WordPress world and claim new victims every day. Looking back at data from the previous year, no less than 51% of the site hacks were SEO spam. Once your website has been hacked, the spam is well hidden and can go unnoticed for a long time. Even while you are unaware of the spam, it causes damage to your website and your visitors. The longer it stays on your site, the greater the damage.

You need to find and remove the SEO spam as quickly as possible. In addition, you will have to take better security measures to ensure that it does not happen again. We will now give you some more information about SEO spam: what exactly happens, how you can get rid of it and how you can prevent it.

What is SEO Spam?

Minor vulnerabilities in a WordPress website can give hackers access to your site. Think of a weak password or a vulnerability in an outdated plugin. Once inside, the hacker starts hijacking your SEO performance. The hacker uses your top pages to place spam search terms and links to other websites.

Ranking high in Google takes a lot of time and effort, but it brings great benefits. These hackers would rather let you do all the hard work of SEO and digital marketing and then use your website to promote their product or service. This is the reason why SEO spam is also called spamdexing or search engine poisoning (SEP).

All WordPress Websites Are Potential Victims:

The hack is so popular because it can target WordPress websites of all sizes. The most common victims are small websites and WordPress blogs that are not secured with SSL certificates or have not taken security measures. SEO spam hacks are well disguised and hidden from the view of the website owner. That is why it is one of the most difficult hacks to detect. You can be hacked for a long time without knowing it.

Which SEO Spam Types Are There?

As soon as a hacker invades your website, there is a cookbook of malicious tactics that he can use. An SEO spam hack is just one of them and can be used in combination with other types of hacks. These are the most common tactics used by hackers for spamming search engines:

1. Addition of Spam Search Terms:

By hijacking your WordPress website, SEO spammers want to rank for their own products or services. They use so-called black-hat SEO techniques and add their keywords throughout your site. These keywords are usually invisible to you and your visitors. When someone searches for these keywords on Google, your website shows up in the results.

2. Spam Link Injection:

With a so-called spam link injection, malicious links are added that redirect visitors to other websites. Hackers can also use a tactic called clickjacking. With clickjacking, hidden links are inserted under normal clickable content, thereby deceiving the visitor. If you click on it, you will be redirected to another website. In many cases, these are websites that promote illegal products.

3. Create New Pages:

Hackers can also take over your website by creating new pages. In some cases, this concerns thousands of new pages that appear in the search results. These pages are designed to manipulate search engines (and users).

4. Spam Emails:

If hackers have access to your customer database, they can send emails on your behalf to promote their product. The emails are then sent from your actual email address, so customers have no reason to be suspicious. Only when the emails are opened are customers exposed to the hacker’s tricks. As soon as customers start marking your emails as spam, mail servers will eventually do the same. This is difficult to repair and can cost you many valuable customers.

5. Banners and Advertisements of the Hacker:

Another method hackers can use for an SEO spam hack is hijacking banners, pop-ups, advertisements or CTAs (calls-to-action) and replacing them with a promotion for their products.

How Does an SEO Spam Hack Work?

With SEO spam, malicious code is injected into the files of your WordPress website. The code is stored in reversed form, which is why a spam injection hack is so hard to detect. A PHP function then restores the code to its normal form and the hack is executed. This way the hack is made invisible to you and the Google bots are manipulated.

For you, your website will continue to look good and work unchanged. But a Google bot or another search engine bot will see what the hackers want it to see when it crawls and indexes your website. The code injects things like search terms and links on your site and can also change your titles and meta descriptions. This is how hackers ensure that your website is found for their own search terms.
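A defensive check for the reversed-code trick described above, as an added example that is not part of the original article: it scans PHP source for string literals that spell a risky function name when read backwards. It assumes the restoring function is PHP's strrev(); the watch list of function names and the sample file are constructed for illustration.

```python
import re
from pathlib import Path

# Function names often restored by injected loaders (assumed watch list).
RISKY = re.compile(
    r"\b(?:eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\b")
# Single- or double-quoted PHP string literal on one line.
STRING_LITERAL = re.compile(r"""(['"])((?:(?!\1).)*)\1""")
STRREV_CALL = re.compile(r"\bstrrev\s*\(", re.IGNORECASE)


def find_reversed_tokens(php_source):
    """Return (line_no, literal, restored_names, strrev_on_line) for each string
    literal that spells a risky PHP function name when read backwards."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        strrev_on_line = bool(STRREV_CALL.search(line))
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(2)
            # Word boundaries keep "enclave" (reversed: "evalcne") from matching.
            names = RISKY.findall(literal[::-1].lower())
            if names:
                findings.append((line_no, literal, names, strrev_on_line))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = find_reversed_tokens(path.read_text(errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample: harmless, it only shows the naming trick.
SAMPLE = '''<?php
$title = get_option("blogname");
$a = strrev("edoced_46esab");
$b = 'tressa';
echo "Welcome to the enclave";
'''
```

A hit is a lead for manual review, not proof of infection; findings where strrev() appears on the same line deserve attention first.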

What Happens to Your Website During an SEO Spam Hack?

An example from practice: the hacker wants to sell (possibly illegal or prohibited) pharmaceutical products such as Cialis online via another website called the Netherlands Medishop (a fictional name for a legitimate website that is being hacked). Cialis-related search terms have been added to the top pages of the Netherlands Medishop. This black-hat SEO technique is also known as a pharma hack. When you search for Cialis (ordering, buying, etc.), the website of the legitimate webshop appears prominently in Google and the hacker can benefit from it.

Why is My WordPress Site Infected With SEO Spam?

Why Was Your WordPress Website Precisely Targeted?

These hacks are rarely targeted at a specific WordPress site. Hackers no longer break into individual websites manually. They make bots that constantly search the internet, looking for poorly secured websites.

So the popularity and size of your website are not decisive. These bots run through all sites and, once they have found an access point, they come in and add their scripts.

How did a spam hacker get to my website?

WordPress is a very secure platform for building your website. However, like all software, it can have vulnerabilities. Let’s look at the most common vulnerabilities that give hackers an advantage.

The Most Common Vulnerabilities of WordPress Sites:

1. An Outdated Version of WordPress:

Statistics show that about half of all hacked WordPress websites ran on an outdated version of WordPress. When security issues are detected, the WordPress team resolves them and then rolls out an updated WP version. If you chose to run your website on an old WordPress version and ignored the update, you left the vulnerability open for hackers.

Tip: Always Keep Your WordPress Up-to-date, Especially if a Security Patch Has Been Released.

2. Vulnerable Plugins and Themes:

Although themes and plugins add useful functions, they can also have a negative impact on your website. Vulnerabilities can sometimes be caused by themes and plugins that do not have the correct security measures. This is because external developers do not always know which security measures are indispensable.

Another cause of hacks is when illegal versions of premium plugins and themes are used. It may be an easy way to get all functions for free, but such software often has pre-installed malware. By installing it on your website, you give hackers access. They can start by injecting spam and links, display content they want and create WordPress backdoors. These back doors are access points that allow them to access your website at any time.

This is why, even if you find and delete the malicious code in your files and database, the backdoor allows them to continue hacking your website. That is why the spam can appear again and again.

You can take measures to avoid such plugins and themes: use premium versions, check when the plugin or theme was last updated and how many active installations it has, and view the developer’s website to see whether it is reliable.

Tip: Use Familiar Themes and Plugins From the WordPress Library or Market Places Such as Themeforest and Codecanyon.

3. Weak Username and Password:

Another automated WordPress hacking technique is when bots try different combinations of usernames and passwords over and over. If you have no limit on the number of login attempts, they can keep trying until they find the right combination. Because it is automated, these bots can try out millions of combinations in no time.

Ideally, you should use unique usernames and passwords because this adds a security layer. Phrases in combination with numbers and symbols are well suited for this.

Is my site infected with SEO malware?

To find out if your WordPress website has actually been hacked or not, you can test in the following way:

Use the Google Transparency Report. Enter the URL of your site and you will see if your website is safe to browse or if it contains harmful content. This is not always accurate in the case of SEO spam because it is a fairly advanced hack, specially designed to mislead you and the Google bots.

Google Search Console:

Google Search Console and Google Analytics are almost indispensable for every WordPress site administrator. Go to Search Console and scroll down to “Security and manual actions”. Click on “Security issues” to see if there are any alarm bells.

If you notice a sudden drop in pages that normally have a high conversion rate, there may be redirects that steal your website traffic. You can also check the overall performance of your website in Google Search Console. Here you can view the types of searches that generate traffic to your website.

Using the Incognito Mode of Your Browser:

Because the hack is not visible to you, you can simulate certain searches using the incognito mode. With “site:{your domain}” you see what others see in Google’s search results but you normally do not.

See How Your Website Looks for Google Bots:

You can install an extension such as “User Agent Switcher”. Here you can switch to “Google bot” to see what your website will look like when Google bots crawl your site. You may already be able to recognize the hack. Do not forget to disable the extension when you have finished the test.
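The comparison this test performs, automated as an added example (not from the original article): fetch the same URL once with a browser User-Agent and once with Googlebot's, then report the title, meta description and link hosts that only the crawler receives. The two HTML samples and the .example host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class PageSummary(HTMLParser):
    """Collects the <title> text, meta description and linked hosts of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.description, self.hosts = "", "", set()
        self._in_title = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (attrs.get("name") or "").lower() == "description":
            self.description = attrs.get("content") or ""
        elif tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).netloc.lower()
            if host:  # relative links stay on the site and are ignored
                self.hosts.add(host)
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()

def fetch(url, user_agent):
    """Download a page while presenting the given User-Agent header."""
    with urlopen(Request(url, headers={"User-Agent": user_agent}), timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

def summarize(html):
    page = PageSummary()
    page.feed(html)
    return page

def cloaking_report(visitor_html, crawler_html):
    """Return what the crawler view contains that the visitor view does not."""
    human, bot = summarize(visitor_html), summarize(crawler_html)
    return {"title_changed": human.title != bot.title,
            "description_changed": human.description != bot.description,
            "bot_only_hosts": sorted(bot.hosts - human.hosts)}

# Constructed sample responses (not captured from a real site).
VISITOR_HTML = '<title>Medishop</title><a href="/contact">Contact</a>'
CRAWLER_HTML = '<title>Cheap pills</title><a href="/contact">Contact</a><a href="https://pills.example/">Buy</a>'
```

On a live site, pass the results of fetch(url, your browser's User-Agent string) and fetch(url, GOOGLEBOT_UA) as the two arguments. A clean report does not prove a clean site, since injected code may decide by IP address or referrer instead of the User-Agent header.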

Online Tools:

There are free online tools that you can use to check if there is malware on your site. These include software tools from Spamhaus and VirusTotal. Unfortunately, accuracy is often disappointing.

Contact Your Hosting Party:

Your hosting party regularly performs security checks on all their websites. You can contact your web hosting company to ask if they can detect or have already detected harmful activities on your site.

Use a Malware Scanner:

This is perhaps the most efficient way to check whether there is malware on your site. These malware scanners are automated and can trace malware quickly. A security plugin such as MalCare has an intelligent scanner that can find all types of malware. Once installed, it searches your files and database, and if there is spam – even if it is hidden or disguised – it will detect it.

These are the ways you can check whether you have been hacked. Warnings about hacks can also occur in the following ways:

  • Google will blacklist your website if any malware is detected
  • Your web host can immediately suspend your account and put your site offline
  • You will see a new admin user that you do not recognize in your wp-admin
  • You may see a plugin that you are sure is not yours
  • If you are lucky, a visitor who has seen the hack can bring it to your attention
  • You can experience a drastic dip in the speed and performance of your site

As soon as you find out that you have been hacked, the spam must be found and removed.

How Do You Remove SEO Spam From Your WordPress Website?

To get rid of the SEO spam, you can try to manually detect and remove it. However, we stress again: hacks with SEO spam are disguised and hidden from you. Finding and removing malicious code is not enough. The core, or vulnerability, must be resolved. It is about finding back doors that the hacker has created and removing them.

Our advice is to use a reliable security plugin. Such a plugin searches through all your files and folders and identifies suspicious code and hacks. Thanks to the software you do not have to manually delete files.

After Removing the Hack:

After the plugin has removed the threat, there are preventive measures you need to take to keep your website clean and protected from future attacks. We recommend that you complete the following steps:

  • Update your WordPress installation, your theme, and installed plugins. Always make sure you use the latest versions.
  • Remove all inactive themes and plugins.
  • Apply additional security measures, such as limiting login attempts, blocking PHP execution in certain folders and optimizing passwords.


If you have a WordPress website, take the necessary measures to keep your site safe. Online danger takes many forms and can strike at any given moment, without your knowledge. Our most important advice:

  • Install and activate a trusted WordPress security plug-in.
  • Make a complete backup of your website, so that you can restore your website in an instant.
  • Have you been hacked and has the problem been resolved? Take the necessary measures against possible future hacking attempts, as described above.