WordPress Cloaking Attack: When Google Sees Different Content Than Visitors

Cloaking attacks show different content to search engines than to human visitors. Learn how hackers use this technique for SEO spam and how to detect it on your WordPress site.

Marcus Johnson

What is a Cloaking Attack?

Cloaking is a deceptive technique where a website serves different content to search engine crawlers than it shows to human visitors. While cloaking itself is a violation of Google's guidelines, hackers take it further by using cloaking to hide SEO spam infections from website owners while maximizing exposure to search engines.

In a cloaking attack, your WordPress site might appear completely normal when you visit it, but Google sees pages filled with spam content, hidden links, or redirects to malicious sites. This makes detection extremely difficult without specialized tools.

How Cloaking Works Technically

User-Agent Detection

The most common method checks the user-agent string:

if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {
    // Show spam content to Google
} else {
    // Show normal content to visitors
}

IP-Based Detection

Some cloaking code maintains lists of search engine IP ranges and shows spam only to those IPs.

Referrer-Based Detection

Content changes based on where the visitor came from:

  • From Google search: Show normal page or redirect to spam
  • Direct visit: Show normal content

Cookie-Based Detection

First-time visitors might see spam, while returning visitors (with cookies) see normal content.

Signs of a Cloaking Attack

Search Results Don't Match Your Site

Google shows titles, descriptions, or content you didn't create when you search for your site.

Traffic Drops Without Visible Changes

Your rankings drop but your site looks fine when you visit.

Google Search Console Warnings

Notifications about "cloaking" or "sneaky redirects" in Manual Actions.

Fetch as Google Shows Different Content

URL Inspection reveals content different from what you see in your browser.

Users Report Redirects

Visitors from search engines report being redirected to spam sites.

Detecting Cloaking on Your Site

Method 1: URL Inspection Tool

  1. Go to Google Search Console
  2. Enter your URL in the inspection tool
  3. Click "View Tested Page" > "Screenshot"
  4. Compare with what you see in your browser

Method 2: Change Your User-Agent

Use browser developer tools to visit your site as Googlebot:

  1. Open Developer Tools (F12)
  2. Go to Network Conditions
  3. Change User-Agent to Googlebot
  4. Reload your page
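
Method 2 can be scripted so the two responses are compared by page title and outbound link hosts rather than by eye. This is an added example, not code from the original article or from WP Folder Shield. The function names and sample HTML are assumptions made for illustration, and because only the User-Agent header changes, IP-based cloaking still needs Method 1.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample responses (not captured from a real site).
SAMPLE_VISITOR = '<title>My Blog</title><a href="https://example.org/about">About</a>'
SAMPLE_CRAWLER = ('<title>Cheap Pills Online</title><a href="https://example.org/about">About</a>'
                  '<a href="https://spam.example/buy">buy</a>')

class _Summary(HTMLParser):
    """Collects the <title> text and the host of every absolute link."""
    def __init__(self):
        super().__init__()
        self.title, self.hosts, self._in_title = "", set(), False
    def handle_starttag(self, tag, attrs):
        self._in_title = tag == "title"
        host = urlparse(dict(attrs).get("href") or "").netloc.lower()
        if tag == "a" and host:
            self.hosts.add(host)
    def handle_endtag(self, tag):
        self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()

def compare(visitor_html, crawler_html):
    """Return what differs in the crawler variant: title and crawler-only link hosts."""
    v, c = _Summary(), _Summary()
    v.feed(visitor_html)
    c.feed(crawler_html)
    findings = {}
    if v.title != c.title:
        findings["title"] = (v.title, c.title)
    if c.hosts - v.hosts:
        findings["crawler_only_link_hosts"] = sorted(c.hosts - v.hosts)
    return findings

def fetch(url, user_agent, timeout=10):
    """GET url with the given User-Agent and return the body text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_url(url):
    """Fetch url as a browser and as Googlebot, and report the differences."""
    return compare(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))
```

Call `check_url()` with a URL on your own site. An empty result rules out user-agent cloaking on that page only.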

Method 3: WP Folder Shield Scanner

WP Folder Shield specifically detects cloaking code patterns in your PHP files, including:

  • User-agent checking functions
  • IP range comparisons
  • Referrer-based conditionals
  • Known cloaking script signatures

Common Cloaking Code Locations

Theme Files

header.php, footer.php, and functions.php are prime targets for cloaking injection.

wp-config.php

Code injected here runs on every page load before WordPress initializes.

Plugin Files

Inactive plugins are often modified since owners rarely check them.

.htaccess

Server-level redirects based on user-agent or referrer.

Core Files

wp-includes/general-template.php and similar files may be modified.

Removing Cloaking Malware

Step 1: Scan Everything

Use WP Folder Shield's Full Site Scanner to identify all infected files.

Step 2: Check Theme Files

Review header.php and footer.php for injected code, especially at the beginning or end of files.

Step 3: Verify Core Files

Use WP Folder Shield's Core File Protection to compare your files against WordPress.org checksums.

Step 4: Review .htaccess

Look for RewriteCond rules checking user-agents or referrers.

Step 5: Check wp-config.php

Look for any code before the opening PHP tag or at the end of the file.

Step 6: Search Database

Check wp_options for suspicious code stored in widget areas or theme options.
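
The file checks in Steps 2, 4 and 5, and the pattern categories listed under Method 3, can be approximated with a small static scan of a copy of the site. This is an added example, not WP Folder Shield's scanner or its signatures. The regular expressions, function names and sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example; hits are leads for manual review, since
# legitimate plugins and bot-blocking rules also inspect these headers.
PHP_PATTERNS = {
    "user-agent conditional": re.compile(
        r"HTTP_USER_AGENT[^;]{0,200}?(googlebot|bingbot|crawler|spider)", re.I),
    "referrer conditional": re.compile(
        r"HTTP_REFERER[^;]{0,200}?(google|bing|yahoo)", re.I),
}
HTACCESS_RULE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}", re.I | re.M)
# Constructed sample files (not taken from a real infection).
SAMPLE_FILES = {
    "wp-config.php": "<!-- injected -->\n<?php define('DB_NAME', 'wp');\n",
    "wp-content/themes/demo/header.php":
        "<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) { } ?>",
    "wp-content/themes/demo/index.php": "<?php get_header(); ?>",
    ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n",
}

def scan_text(name, text):
    """Return finding labels for one file, given its base name and contents."""
    if name == ".htaccess":
        return ["RewriteCond on user-agent/referrer"] if HTACCESS_RULE.search(text) else []
    findings = [label for label, rx in PHP_PATTERNS.items() if rx.search(text)]
    if name == "wp-config.php" and not text.startswith("<?php"):
        findings.append("content before opening PHP tag")
    return findings

def scan_tree(root):
    """Walk a WordPress directory and return {relative_path: [findings]}."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (path.name == ".htaccess" or path.suffix == ".php"):
            found = scan_text(path.name, path.read_text(encoding="utf-8", errors="replace"))
            if found:
                results[path.relative_to(root).as_posix()] = found
    return results

def scan_sample():
    """Write SAMPLE_FILES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Point `scan_tree()` at a downloaded copy of the site. It does not cover code appended at the end of wp-config.php or the database check in Step 6.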

WP Folder Shield's Anti-Cloaking Protection

Cloaking Pattern Detection

The scanner identifies common cloaking patterns including user-agent checks, IP comparisons, and referrer conditionals.

File Integrity Monitoring

Detects modifications to core files and themes where cloaking code is typically injected.

Real-Time Protection

The firewall blocks the attack vectors used to inject cloaking code.

Root Monitoring

Detects new PHP files that might contain cloaking functionality.

Google's Response to Cloaking

Google treats cloaking as a serious violation:

  • Manual actions resulting in ranking penalties
  • Potential removal from search results
  • Algorithmic detection and demotion

Preventing Cloaking Attacks

  • Keep WP Folder Shield active for continuous monitoring
  • Regularly scan your site for malware
  • Monitor Google Search Console for warnings
  • Keep all software updated
  • Use strong passwords and 2FA
  • Limit admin access

Conclusion

Cloaking attacks are designed to evade detection while maximizing damage to your SEO. The discrepancy between what you see and what Google sees makes these attacks particularly dangerous. WP Folder Shield's specialized detection capabilities help identify cloaking code that other security tools miss, protecting your site's integrity and search rankings.

Written by Marcus Johnson

WP Folder Shield Team
