How to Protect WordPress from SEO Spam and Pharma Hacks
Detect and remove SEO spam injections that damage your search rankings while implementing protections against future pharma hack attacks.
Introduction
SEO spam attacks inject hidden content, links, and redirects into WordPress sites to boost attacker-controlled sites in search results. These "pharma hacks" can devastate your search rankings and trigger Google penalties.
Understanding SEO Spam Attacks
Attackers use several techniques to inject spam:
- Hidden text - Invisible content stuffed with keywords
- Doorway pages - Auto-generated pages targeting search queries
- Link injection - Hidden backlinks to spam sites
- Conditional redirects - Redirect search traffic to spam sites
- Cloaking - Show different content to Googlebot vs visitors
- Sitemap hijacking - Add spam URLs to your sitemap
Signs Your Site Has SEO Spam
Watch for these indicators:
- Sudden traffic drop from organic search
- Google Search Console security warnings
- Strange pages appearing in search results
- Spam keywords in site:yourdomain.com search
- Outbound links you did not add
- Unknown files in uploads directory
Detecting SEO Spam
Scan your site for hidden spam content:
Search for Hidden Content
Create a function to scan for SEO spam patterns:
- Search for CSS hiding techniques: display:none, visibility:hidden, negative text-indent
- Look for suspicious keywords: pharmacy terms, casino, replica products
- Query the posts table for published content containing these patterns
- Build an array of infected post IDs with details about what was found
- Return the results for admin review and cleanup
Find Conditional Redirects
Check critical files for cloaking and redirect injections:
- Scan .htaccess for user-agent based redirects targeting Googlebot
- Look for HTTP_REFERER conditions that redirect search traffic
- Check wp-config.php for eval, base64_decode, or gzinflate injections
- Examine theme files for conditional logic based on user agent
- Review functions.php for suspicious redirect hooks
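One way to run the file checks listed above, as an added example (not code from the original article). The function names, regular expressions and sample file contents are constructed for illustration; matches are leads for manual review, since legitimate plugins and themes also read the user agent.

```python
import re
from pathlib import Path

# Patterns are assumptions built from the checklist above; tune them per site.
CRAWLER_COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+\S*(google|bing|yahoo)", re.I)
EXTERNAL_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I)
PHP_CHECKS = [
    ("obfuscated code call", re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.I)),
    ("user-agent/referrer branch", re.compile(r"HTTP_(USER_AGENT|REFERER)['\"]\s*\]")),
]

def scan_text(name, text):
    """Return (file, line_no, reason) findings for one file's contents."""
    findings, cond_seen = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if name.endswith(".htaccess"):
            if CRAWLER_COND.search(line):
                cond_seen = True          # applies to the next RewriteRule
            elif re.match(r"\s*RewriteRule\b", line, re.I):
                if cond_seen and EXTERNAL_RULE.search(line):
                    findings.append((name, no, "crawler/referrer-conditional redirect"))
                cond_seen = False         # a RewriteRule consumes pending conditions
        elif name.endswith(".php"):
            findings += [(name, no, why) for why, rx in PHP_CHECKS if rx.search(line)]
    return findings

def scan_site(root):
    """Scan .htaccess, wp-config.php and theme PHP files under a WordPress root."""
    root = Path(root)
    targets = [root / ".htaccess", root / "wp-config.php"]
    targets += sorted(root.glob("wp-content/themes/**/*.php"))
    return [f for p in targets if p.is_file()
            for f in scan_text(p.name, p.read_text(errors="replace"))]

# Constructed sample inputs (not taken from a real site).
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam.example/$1 [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""
SAMPLE_PHP = """<?php
define('DB_NAME', 'wp');
eval(gzinflate(base64_decode('CONSTRUCTED')));
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { }
"""

if __name__ == "__main__":
    print(scan_text(".htaccess", SAMPLE_HTACCESS) + scan_text("functions.php", SAMPLE_PHP))
```

The standard WordPress rewrite block in the sample is not flagged, because a crawler or referrer condition only counts when the next RewriteRule sends the request to an external URL.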
Removing SEO Spam
Clean infected content systematically:
Database Cleanup
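-- These queries assume the default wp_ table prefix; adjust it to match your install.
-- They only list candidates: review each match before editing or deleting anything.

-- Find posts with spam content
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%viagra%'
   OR post_content LIKE '%cialis%'
   OR post_content LIKE '%casino%'
   OR post_content LIKE '%display:none%';

-- Find spam in comments
-- [.] matches a literal dot; a bare . would match any character before ru/cn/tk
SELECT comment_ID, comment_content
FROM wp_comments
WHERE comment_content REGEXP 'http.*[.](ru|cn|tk)'
   OR comment_author_url LIKE '%pharmacy%';

-- Check for rogue users
-- The login pattern is broad (any run of 10 or more lowercase letters), so expect legitimate accounts in the results
SELECT ID, user_login, user_email
FROM wp_users
WHERE user_email LIKE '%@%.ru'
   OR user_login REGEXP '[a-z]{10,}';

-- Find injected options
SELECT option_name, option_value
FROM wp_options
WHERE option_value LIKE '%eval(%'
   OR option_value LIKE '%base64_decode%';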
Preventing Future Attacks
Implement these protections:
Content Security Monitoring
Implement ongoing protection with these WordPress hooks:
- save_post hook - Monitor content for spam keywords when posts are saved
- Keyword detection - Check for pharmacy, casino, and other spam terms
- Logging - Record suspicious saves with post ID, user, and timestamp
- Admin alerts - Send email notifications when spam keywords are detected
- wp_redirect filter - Block redirects to known spam domains (.ru, .cn, .tk)
- Error logging - Log blocked redirect attempts for security review
Google Recovery Process
After cleaning, recover your search rankings:
- Remove spam pages and request removal in Search Console
- Update your sitemap with only legitimate URLs
- Request reconsideration if you received a manual action
- Monitor Search Console for crawl errors
- Build quality backlinks to recover authority
Conclusion
SEO spam attacks damage your reputation and search visibility. Regular scanning, content monitoring, and proper security measures prevent pharma hacks from destroying your search rankings.
Written by Sarah Chen
WP Folder Shield Team