Your WordPress site has spent years building domain authority. Google trusts you. Attackers want to borrow that trust to rank their spam content — and they'll inject it into your site without you ever knowing.
What SEO spam injection actually does
The goal is to rank spam content on your established, trusted domain. Attackers inject:
- Thousands of pages about Viagra, Cialis, and online pharmacies
- Casino and gambling site promotions
- Counterfeit luxury goods (fake Rolex, Louis Vuitton)
- Payday loan and financial spam
- Pirated software download pages
These pages are served only to:
- Google's web crawler
- Visitors arriving from search results
- Visitors from specific IP ranges
When you visit your own site directly, you see nothing. This is why it often goes undetected for months.
The three injection methods
1. Sitemap injection
The attacker adds thousands of spam URLs to your sitemap.xml or generates a dynamic sitemap from injected database entries. Google crawls your sitemap, indexes the spam pages, and your domain starts ranking for pharma terms.
2. Database injection
Spam content is injected directly into wp_posts as published pages, or into wp_options to modify your site's header, footer, or widget areas.
3. PHP file injection
The attacker modifies functions.php or inserts a new PHP file that dynamically generates spam pages based on the URL requested. The output is only shown to specific user agents (like Googlebot).
Detecting SEO spam with WO Security Shield
WO Security Shield runs five independent detection strategies every scan:
Strategy 1 — Hostname check: Extracts the Sitemap: directive from robots.txt and verifies it points to your own domain.
Strategy 2 — Ratio analysis: Counts external hostnames in sitemap <loc> tags. If more than 10% are external, the sitemap is flagged.
Strategy 3 — Latin keyword regex: A single compiled regex matching 80+ spam terms across pharma, gambling, adult, crypto, and replica goods categories.
Strategy 4 — Unicode detection: Catches Japanese/Chinese/Korean/Cyrillic/Arabic characters in URLs — the primary signal for the Japanese keyword hack.
Strategy 5 — Percent-encoded detection: The same non-Latin characters can be URL-encoded (%E3%83%90%E3%82%A4%E3%82%A2%E3%82%B0%E3%83%A9 = バイアグラ). WO Security Shield detects both raw and encoded variants.
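An added example of the five checks described above, not WO Security Shield's own code: the function names, finding labels, the short keyword list and the example.com sample data are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Illustrative subset of spam terms (assumption, not the plugin's real list).
SPAM_RE = re.compile(r"viagra|cialis|pharmacy|casino|payday|replica|rolex", re.I)
# Cyrillic, Arabic, kana, CJK ideographs, Hangul.
NON_LATIN_RE = re.compile("[\u0400-\u04FF\u0600-\u06FF\u3040-\u30FF\u4E00-\u9FFF\uAC00-\uD7AF]")

def host_of(url):
    """Lower-cased hostname without a leading www., or '' if unparsable."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host

def scan(site_host, robots_txt, sitemap_xml):
    """Return (check, evidence) tuples for the five checks described above."""
    findings = []
    # 1. Sitemap: directives in robots.txt must point at our own host.
    for sm in re.findall(r"(?im)^\s*sitemap\s*:\s*(\S+)", robots_txt):
        if host_of(sm) != site_host:
            findings.append(("robots-sitemap-offsite", sm))
    # <loc> values are pulled with a regex so hostile XML never reaches a parser.
    locs = [html.unescape(u) for u in
            re.findall(r"<loc>\s*(.*?)\s*</loc>", sitemap_xml, re.I | re.S)]
    # 2. More than 10% of <loc> entries on other hosts.
    external = [u for u in locs if host_of(u) != site_host]
    if locs and len(external) / len(locs) > 0.10:
        findings.append(("external-ratio", f"{len(external)}/{len(locs)}"))
    for u in locs:
        decoded = unquote(u)  # percent-encoded variants are decoded first
        if SPAM_RE.search(decoded):          # 3. Latin keyword regex
            findings.append(("spam-keyword", u))
        if NON_LATIN_RE.search(u):           # 4. raw non-Latin characters
            findings.append(("non-latin-raw", u))
        elif NON_LATIN_RE.search(decoded):   # 5. encoded non-Latin characters
            findings.append(("non-latin-encoded", u))
    return findings

# Constructed sample input (example.com stands in for the site being checked).
SAMPLE_ROBOTS = "User-agent: *\nSitemap: https://spam.example.net/sitemap.xml\n"
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://example.com/about/</loc></url>
<url><loc>https://example.com/%E3%83%90%E3%82%A4%E3%82%A2%E3%82%B0%E3%83%A9</loc></url>
<url><loc>https://example.com/cheap-viagra-online/</loc></url>
<url><loc>https://spam.example.net/casino</loc></url>
</urlset>"""
```

Calling scan("example.com", SAMPLE_ROBOTS, SAMPLE_SITEMAP) returns one finding per triggered check, so a clean site yields an empty list.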
Recovering from SEO spam
- Clean all injected content using the WO Security Shield findings list
- Submit a sitemap reconsideration request in Google Search Console
- Request removal of spam URLs using Google's URL removal tool
- Enable file integrity monitoring to catch any reinfection immediately
For a complete walkthrough of the malware removal process, follow our guide to cleaning a hacked WordPress site. Recovery of lost rankings typically takes 3–6 months after a complete clean-up. The faster you act, the less damage is done.
Monitor your site continuously with WO Security Shield.
How to Detect SEO Spam on Your WordPress Site
The tricky part about SEO spam is that it's designed to be invisible to you. Attackers use conditional logic — the spam only appears to search engines and logged-out visitors from specific referrers.
Method 1: Google Search Operator
The fastest check:
site:yourdomain.com
Scroll through the results. If you see pages in Japanese, Chinese, or with pharmaceutical/luxury brand titles that you didn't create, you're infected.
More targeted searches:
site:yourdomain.com inurl:?p= (finds injected URL parameters)
site:yourdomain.com intitle:viagra (common pharma spam)
site:yourdomain.com intitle:ブランド (Japanese brand spam)
Method 2: Google Search Console
Go to Performance → Pages. Sort by impressions. Look for URLs you don't recognise — especially ones with Japanese characters, pharmaceutical terms, or product names.
Also check: Index → Pages → look for a sudden spike in indexed pages. If your 50-page site suddenly has 5,000 indexed pages, that's SEO spam.
Method 3: Fetch as Googlebot
Use Google Search Console's URL Inspection tool to "View Tested Page" — this shows you what Google sees, including conditional spam that's hidden from normal visitors.
Method 4: Check Your Sitemap
Attackers often inject a secondary sitemap to accelerate indexing of spam pages:
# Check for injected sitemaps (-i: the robots.txt directive is usually written "Sitemap:")
grep -i "sitemap" .htaccess
grep -i "sitemap" robots.txt
# Look for auto-generated sitemaps in unexpected locations
find . -name "sitemap*.xml" -type f
Cleaning SEO Spam Step by Step
Step 1: Find the injection point
SEO spam needs to generate pages dynamically. Check these locations:
# Check for modified .htaccess (most common)
cat .htaccess
# Check for injected PHP files creating fake pages
find wp-content -name "*.php" -newer wp-content/index.php -mtime -30
# Check for database injections (adjust the wp_ table prefix if your install uses a different one)
wp db query "SELECT option_name FROM wp_options WHERE option_value LIKE '%eval(%' OR option_value LIKE '%base64_decode(%'"
Step 2: Remove the malicious code
- Replace .htaccess with a clean version (Settings → Permalinks → Save)
- Delete any PHP files the attacker added
- Clean the database of injected content
- Remove any rogue sitemaps
Step 3: Request re-indexing
After cleanup:
- Google Search Console → Removals → submit each spam URL pattern for temporary removal
- Submit your clean sitemap to accelerate re-crawling
- Use URL Inspection to request indexing of your legitimate pages
- Monitor for 2–4 weeks — Google needs time to recrawl and update its index
Step 4: Prevent reinfection
SEO spam reinfection rates are high (over 40% within 30 days) because attackers plant secondary backdoors specifically for re-entry.
After cleanup:
- Scan your entire file tree for backdoors
- Change all WordPress, database, and hosting passwords
- Enable file integrity monitoring to catch any future injections immediately
- Install a WordPress firewall to block the initial attack vectors
The Business Impact of SEO Spam
SEO spam doesn't just add junk pages — it actively damages your legitimate site:
- Google Safe Browsing warnings — visitors see "This site may be hacked" in search results
- Ranking drops — your legitimate pages lose authority as Google associates your domain with spam
- Manual actions — Google may impose a manual penalty requiring formal reconsideration
- Recovery time — even after cleanup, recovering your previous search rankings can take 3–6 months
The faster you detect and remove SEO spam, the less lasting damage it causes. This is why real-time file monitoring isn't a luxury — it's essential for any business that depends on organic search traffic.
