WordPress SEO spam is a hack that injects hidden pages, links, and keywords into your site, usually for casino, pharma, replica goods, or Japanese-language terms, so an attacker can rank their own spam on the authority of your domain. It often stays invisible to you while Google sees thousands of junk pages, and it can tank your rankings and trigger a “this site may be hacked” warning. This is the exact playbook we use to clean it.
What WordPress SEO Spam Actually Is
SEO spam, sometimes called a spam injection or a pharma or Japanese keyword hack, plants content on your site that exists only to help someone else rank. The most common forms are casino and betting pages, fake pharmacy and pill pages, counterfeit-goods pages, and bulk Japanese-language keyword pages.
What makes it nasty is cloaking. The hack often shows the spam only to search engines, not to a logged-in admin visiting normally. So your site looks fine to you while Google indexes thousands of spam URLs under your domain. By the time you notice, your rankings are already falling.
How to Tell If Your Site Is Infected
Run through these checks. Any one of them is a strong signal:
- Search Google for site:yourdomain.com and look for pages you never created, or add a term like site:yourdomain.com casino to surface the spam directly.
- Google Search Console shows a Security Issues warning or “this site may be hacked” appears under your listing.
- Your titles or descriptions in search results show foreign characters, pills, or gambling text.
- A sudden, unexplained ranking and traffic drop.
- The number of indexed pages in Search Console spikes far beyond your real page count.
- New admin users you do not recognize, or files changed at odd times.
If you see spam in Google but not on your own screen, that is cloaking, and it confirms an injection rather than a coincidence.
How the Spam Got In
Across the sites we have cleaned, the entry point is almost always one of these:
- An outdated plugin or theme with a known vulnerability.
- A weak or reused admin password broken by brute force.
- A nulled (pirated) plugin or theme that shipped with a backdoor built in.
- Leaked hosting credentials, such as cPanel, FTP, or SFTP.
- Cross-contamination from another infected site on the same hosting account.
Knowing the entry point matters, because if you clean the spam but leave the door open, it comes straight back.
The Cleanup Playbook, Step by Step
This is the order we work in. Do not skip the backup or the backdoor steps; skipping them is the most common mistake we see.
- Back up everything first. Take a full copy of the files and the database before you touch anything, so you can always roll back.
- Map the scope. Scan and decide whether the infection is file-level, database-level, or both. SEO spam is very often in the database.
- Find the injection. Check recently modified files, look for stray PHP in wp-content/uploads, and scan for obfuscated code like base64 or eval. In the database, check wp_options for tampered siteurl or home values and injected entries, and wp_posts for fake posts and pages.
- Clean the database carefully. Remove the spam posts and pages, but filter precisely by post type and content. Never blanket-delete by author, since some legitimate form and contact data is stored with no author, and a careless delete destroys real data.
- Replace core, plugins, and themes. Reinstall WordPress core and your plugins and themes from clean, official sources. Delete any nulled plugin entirely, because it cannot be trusted.
- Remove backdoors and rogue admins. Hunt down hidden admin users, malicious scheduled tasks (cron), and loader files dropped into mu-plugins or the theme. This is the step DIY cleanups usually miss, and it is why spam comes back.
- Rotate every credential. Change the admin, database, hosting, and SFTP passwords, and turn on two-factor authentication.
- Harden the site. Apply all updates, enable a firewall such as Wordfence, fix file permissions, and disable the built-in file editor.
- Clear all caches and your CDN, then scan again to confirm the site is clean.
- Ask Google to recrawl. In Search Console, request a review under Security Issues, resubmit your sitemap, inspect cleaned URLs, and use the Removals tool for stubborn spam URLs still in the index.
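For the "Find the injection" and backdoor steps, a file-level triage pass can look like the sketch below. It is an added example, not our production tooling: the pattern list, the 14-day window, and the reason labels are assumptions to tune for your site.

```python
import re
import time
from pathlib import Path

# Assumed starting pattern list: the step names eval and base64; the rest are common companions.
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}

def triage(wp_root, days=14, now=None):
    """Map relative path -> reasons for every PHP file that deserves a manual look."""
    root = Path(wp_root)
    cutoff = (now or time.time()) - days * 86400
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php-in-uploads")      # uploads should hold media, not code
        if rel.startswith("wp-content/mu-plugins/"):
            reasons.append("mu-plugin-loader")    # auto-loaded on every request
        if path.stat().st_mtime >= cutoff:
            reasons.append("recently-modified")
        if OBFUSCATION.search(path.read_bytes()):
            reasons.append("obfuscated-code")     # a lead, not a verdict: clean code uses these too
        if reasons:
            findings[rel] = reasons
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/wordpress
    for rel, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the backup copy as well as the live site, and open every flagged file by hand before deleting anything.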
How to Keep It From Coming Back
Once the site is clean, staying clean is mostly routine:
- Keep WordPress core, plugins, and themes updated every week.
- Use strong, unique passwords and two-factor on every admin account.
- Only install plugins and themes from reputable sources, never nulled ones.
- Run a firewall and malware scanning, and keep off-site backups you can actually restore.
- Better yet, put the site on a care plan so updates, monitoring, and backups happen for you.
When to Bring in a Pro
If you caught it early and it is a small personal site, the playbook above can get you there. Bring in a professional when the spam keeps coming back, when you are locked out, when it is a business site that earns leads or sales, or when you simply cannot afford to get the backdoor step wrong.
Our hacked site rescue does exactly this, fast and at a flat price, and we make sure the backdoor is gone so it does not return. You can also read our WordPress security guide for the prevention side.
Frequently Asked Questions
Will deleting the spam pages fix my rankings?
Deleting the spam is necessary, but it is not the whole fix. You also have to remove the backdoor that created them and ask Google to recrawl. If you only delete the pages, the backdoor usually recreates them within days.
Can I clean SEO spam with just a plugin?
Security plugins are great at finding the infection and cleaning simple file-level cases. But database-level spam and hidden backdoors often need manual work to remove safely, which is why automated scans alone frequently miss the root cause.
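For the database-level case, and the playbook's warning against blanket-deleting by author, here is an added example (not our own tooling) that contrasts the two filters. It uses an in-memory SQLite table shaped like wp_posts as a stand-in for the site's MySQL database; the rows, the `form_entry` post type, and the keyword list are constructed for illustration.

```python
import sqlite3

SPAM_TERMS = ("casino", "betting", "viagra", "replica")  # constructed; use terms from your own site: search

SAMPLE_ROWS = [  # constructed: (ID, post_author, post_type, post_title, post_content)
    (1, 1, "page", "About us", "We build websites."),
    (2, 0, "form_entry", "Contact form", "Name: Ann, message: quote please"),  # hypothetical form plugin
    (3, 0, "post", "Best online casino bonus", "casino bonus free spins"),
    (4, 1, "page", "Cheap pills", "buy viagra online"),  # spam filed under a real admin ID
]

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, "
                 "post_type TEXT, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def blanket_by_author(conn, author_id):
    """IDs a careless 'DELETE ... WHERE post_author = ?' would destroy."""
    sql = "SELECT ID FROM wp_posts WHERE post_author = ? ORDER BY ID"
    return [r[0] for r in conn.execute(sql, (author_id,))]

def spam_candidates(conn):
    """IDs matched by post type AND content; a review list, not yet a delete list."""
    clause = " OR ".join("post_title LIKE ? OR post_content LIKE ?" for _ in SPAM_TERMS)
    params = [f"%{t}%" for t in SPAM_TERMS for _ in (0, 1)]
    sql = ("SELECT ID FROM wp_posts WHERE post_type IN ('post', 'page') "
           f"AND ({clause}) ORDER BY ID")
    return [r[0] for r in conn.execute(sql, params)]

def delete_reviewed(conn, ids):
    """Delete only explicitly reviewed IDs, still guarded by post type."""
    if not ids:
        return 0
    marks = ",".join("?" * len(ids))
    cur = conn.execute(f"DELETE FROM wp_posts WHERE ID IN ({marks}) "
                       "AND post_type IN ('post', 'page')", list(ids))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = load_sample()
    print("blanket by author 0 would delete:", blanket_by_author(db, 0))  # hits the form entry, misses ID 4
    print("type + content candidates:", spam_candidates(db))
```

On this sample the author filter would destroy the contact-form entry and still leave one spam page behind, while the type-and-content filter returns only the two spam rows.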
How long until Google removes the “this site may be hacked” warning?
Once the site is genuinely clean and you request a review in Search Console, the warning is usually lifted within a few days. The review will fail if any spam or backdoor remains, so the cleanup has to be complete first.
Why does the spam keep coming back after I remove it?
Almost always because a backdoor or a rogue admin user was missed. The attacker uses it to re-inject the spam automatically. Finding and removing every backdoor is the difference between a real fix and a temporary one.
