Protecting WordPress from SEO Spam Attacks
SEO spam can destroy your search rankings and reputation. Learn how attackers inject spam and how to detect, remove, and prevent these attacks.
SEO spam attacks inject malicious content into your WordPress site to manipulate search rankings. These attacks damage your reputation, hurt your SEO, and can get your site blacklisted by search engines. Understanding how to detect and prevent SEO spam is essential.
Types of SEO Spam Attacks
1. Keyword Injection
Attackers insert hidden keywords into your pages, often for pharmaceutical, gambling, or adult content:
2. Link Injection
Spam links inserted into your content to boost other sites:
// Malicious code in theme
function inject_spam_links($content) {
    $spam = 'buy stuff';
    return $content . $spam;
}
add_filter('the_content', 'inject_spam_links');
3. Doorway Pages
Attackers create hidden pages on your site that redirect to spam sites when accessed from search engines.
4. Cloaking
Different content shown to search engines versus regular visitors:
// Malicious cloaking detection
if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
    // Show spam content to search engines
    include 'spam-content.php';
} else {
    // Show normal content to visitors
    include 'normal-content.php';
}
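The cloaking snippet above branches on the User-Agent header, so a site owner can check for it by requesting the same page as a crawler and as a browser and comparing the links in each response. The Python script below is an added example, not code from the original article; the function names, the sample HTML and the yoursite.example and pills.example hosts are constructed for illustration.

```python
# Added example: compare what a crawler User-Agent and a browser
# User-Agent receive from the same URL on a site you own.
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"


class LinkCollector(HTMLParser):
    """Collect the hostname of every absolute <a href> in a document."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            host = urlparse(dict(attrs).get("href") or "").hostname
            if host:  # relative links have no hostname and are skipped
                self.hosts.add(host.lower())


def link_hosts(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hosts


def cloaked_hosts(bot_html, visitor_html, own_host):
    """External link hosts that were served only to the crawler User-Agent."""
    return sorted(link_hosts(bot_html) - link_hosts(visitor_html) - {own_host})


def fetch(url, user_agent):
    """Fetch a page with a chosen User-Agent (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed responses standing in for fetch(url, BROWSER_UA) and fetch(url, BOT_UA).
VISITOR_HTML = '<p>Welcome</p><a href="https://yoursite.example/about">About</a>'
BOT_HTML = VISITOR_HTML + '<div><a href="http://pills.example/buy">cheap pills</a></div>'

if __name__ == "__main__":
    print(cloaked_hosts(BOT_HTML, VISITOR_HTML, "yoursite.example"))
```

Cloaking that keys on crawler IP ranges instead of the User-Agent will not show up in this comparison; the URL Inspection tool in Search Console shows what Google itself fetched.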
Detecting SEO Spam
1. Google Search Console Alerts
Monitor Search Console for:
- Security issue warnings
- Manual action penalties
- Unusual indexed pages
- Strange search queries
2. Site Search Audit
Search for spam on your site using Google:
site:yoursite.com "viagra"
site:yoursite.com "casino"
site:yoursite.com "payday loan"
site:yoursite.com inurl:".php?" (for injected pages)
3. Database Scan
Search your database for spam content:
-- Find potential spam in posts
SELECT ID, post_title, post_content
FROM wp_posts
WHERE post_content LIKE '%viagra%'
   OR post_content LIKE '%casino%'
   OR post_content LIKE '%display:none%'
   OR post_content LIKE '%position:absolute%left:-9999%';

-- Check for injected links
SELECT ID, post_content
FROM wp_posts
WHERE post_content REGEXP 'href=["''][^"'']*[.](ru|cn|tk|xyz)["'']';
4. File Integrity Scan
Check theme and plugin files for modifications:
// Scan PHP files for eval(), base64_decode and gzinflate, which injected code uses to hide its payload
function scan_for_spam_code($directory) {
    $suspicious = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($directory)
    );
    foreach ($iterator as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $content = file_get_contents($file->getPathname());
            // Skip unreadable files; flag any file that matches one of the patterns
            if ($content !== false && preg_match('/eval\s*\(|base64_decode|gzinflate/', $content)) {
                $suspicious[] = $file->getPathname();
            }
        }
    }
    return $suspicious;
}
Removing SEO Spam
1. Clean the Database
-- Remove spam from post content (backup first!)
-- Strips any element whose inline style contains display:none
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(
    post_content,
    '<[a-z0-9]+[^>]*style=["''][^"'']*display:\\s*none[^"'']*["''][^>]*>.*?</[a-z0-9]+>',
    ''
);

-- Delete spam pages
DELETE FROM wp_posts
WHERE post_name LIKE '%spam-keyword%'
  AND post_author = 0;
2. Clean Files
- Restore WordPress core from fresh download
- Reinstall all plugins from official sources
- Check theme files against originals
- Review .htaccess for redirects
Preventing SEO Spam
Security Measures
// Block spam user agents
function block_spam_bots() {
    $spam_bots = array(
        'SemrushBot',
        'AhrefsBot',
        'MJ12bot',
        'DotBot'
    );
    $user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    foreach ($spam_bots as $bot) {
        if (stripos($user_agent, $bot) !== false) {
            header('HTTP/1.1 403 Forbidden');
            exit;
        }
    }
}
add_action('init', 'block_spam_bots', 1);
Comment Spam Prevention
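// Honeypot field for forms: hidden from people, but bots that fill in every input will populate it
function add_spam_honeypot($fields) {
    $fields['website_url'] = '<input type="text" name="website_url" value="" style="display:none" tabindex="-1" autocomplete="off">';
    return $fields;
}
add_filter('comment_form_default_fields', 'add_spam_honeypot');

// Reject the comment if the hidden field was filled in
function check_spam_honeypot() {
    if (!empty($_POST['website_url'])) {
        wp_die('Spam detected');
    }
}
add_action('pre_comment_on_post', 'check_spam_honeypot');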
Regular Monitoring
- Weekly Google Search Console review
- Monthly site: search audit
- Automated file integrity monitoring
- Database content scanning
Conclusion
SEO spam attacks can devastate your search rankings and reputation. Regular monitoring, strong security, and quick response to infections are essential for keeping your WordPress site clean.
Written by Sarah Chen
WP Folder Shield Team