VIDEO: How to find, mitigate and repair the common WordPress SEO Spam Injection Hack

Sean Hakes 0
Cal Termite Ventura CA

Hey everyone, it’s Sean Hakes here again.

Yesterday I ran across a website that at first glance, looked pretty normal but after a few minutes of review, I quickly realized this site infected with a pretty sloppy SEO Link Injection Spam Hack. In this video, I am going to show you the steps I took to identify the hack, discuss how the site most likely got hacked and how to mitigate the attack and get back in Google’s good graces. Let’s get started. The domain name is CalTermite.com.

Before I dive into the hack itself let talk about how this particular type of black hat SEO hack works. First, this type of hack is incredibly common, especially with WordPress websites. When you fail to update core files, plugins, and theme files you essentially are opening up the door for hackers. Many of these hackers leverage automation to first detect the vulnerability. After that malicious scripts are injected throughout the site file system. I’ve seen hacks like this that hide regenerative timed scripts that are hard to find and will essentially ‘re-hack’ the website even after you’ve deleted all of the malicious files and patched the site.

Back to CalTermite.com.

At first glance, this website looks pretty normal. The pages all seem to work and the site loads up fine. The first red flag to me was about halfway down the homepage where the broken shortcode is present. Now, a broken shortcode doesn’t necessarily mean a site is hacked but it does suggest problems and further investigation.

The next step I took was to evaluate what Google had indexed. To do that simply visit Google.com and enter the site colon and the domain name, in this case, it’s caltermite.com. Ouch. {Would you look at that?} That is almost 40,000 foreign pages injected into CalTermite.com.

Now, I’m going to click on the first result and see what happens. Did you see that? To the laymen, everything seems to work right? So where could the foreign text be coming from? Let me show you. This type of hack leverages cloaking.

Cloaking refers to the practice of presenting different content or URLs to human users and search engines. In this case, human users see the pest control website while Google obviously sees something completely different. Now to see what Google see’s is pretty simple. You’ll click on that little upside-down arrow next to the page and select “cached”. This is the most recent page Google crawled and stored in its index. As you can see, it’s not Cal Termite’s website, it’s a foreign eCommerce site called Hassin.

This particular hack is designed to drain PageRank or SEO Juice from, in this case, CalTerminte to this Hassin eCommerce website. You might be thinking, well this will never happen to me, I’m too small. Hackers know the small guys typically don’t have security in place and most likely don’t do regular WordPress maintenance so the fact that you’re small means you could easily be the next target.

Next, I wanted to see when the hack most likely happened so I pulled an SEM Rush report to evaluate traffic trends. I don’t know this business so I haven’t had the opportunity to ask them probing questions but it appears that this site has potentially been hacked not once, but twice. The first hack appears to have happened around August of 2020, repaired and then re-hacked in October of 2020, and has yet to be fixed.

The ultimate victim here is the unsuspecting business owner who went from having some traffic to none. In fact, with this type of hack, Google now thinks CalTermite is a Japanese eCommerce store because bot traffic has been redirected away from the original CalTermite content. How can you ensure this doesn’t happen to your WordPress website?

Make sure your core files, plugins, and theme files are always updated, and remove unused plugins and theme files. Adding additional security from someone like Securi isn’t a bad idea as well. If this does happen to you you’ll defiantly want to consult someone who has experience dealing with this type of hack otherwise it will be an endless cycle and unfortunately could be disastrous for a business that relies on search engine traffic. After the hack is removed, you’ll want to have all of the hacked pages de-indexed by Google and get the real content indexed again.

I’m really surprised Google hasn’t removed this site from its index as of yet. There you have it.

Now you know how to identify a common SEO Spam Hack and if you need help recovering and defending against one, you know someone who can help you out.

If you thought this video content was helpful, please consider joining me on Patreon where I’ll be sharing regular how-to videos to help your digital marketing adventures a little more fun. Join us today at patreon.com/wickedlyawesome.

Sean Hakes

Sean Hakes is an industry-leading SEO expert with over 19 years of experience helping some of today's largest brands online. Sean Hakes specializes in SEO Reputation Management, DMCA Takedowns, Ad Policy Violation Takedowns, Link Audits, Negative SEO Recovery, Google Penalty Recover, and more. Sean Hakes currently serves as a partner, and Chief Marketing Officer for Colorado-based, Nuclear Networking.

Leave a Reply

Your email address will not be published. Required fields are marked *