Your domain is suddenly ranking for keywords you never wrote — Japanese characters, knockoff brands, or hundreds of junk pages in Google. That’s SEO spam (spamdexing): attackers hijack your site’s hard-earned authority to rank their own content, usually cloaked so it shows only to Google. We remove every injected page, hidden link, and spam sitemap, evict unauthorized Search Console owners, then get the junk de-indexed so your rankings recover.
Last updated: June 2026 · Reviewed by the FixHackedWordPress malware response team
Signs You’ve Been Spammed
Fix-First, Pay-Later Guarantee
We remove the spam and secure your site first. If we can’t clean it, you pay nothing.
Quick Answer
SEO spam (also called spamdexing) is when attackers inject unauthorized keywords, links, or whole pages into your WordPress site to manipulate search rankings — using your domain’s existing authority to promote their own scams, counterfeit stores, or affiliate offers. Unlike a redirect hack, it usually doesn’t reroute your live visitors; the damage happens in the search results. Most of it is cloaked, served only to Googlebot, so your homepage looks perfectly normal while Google sees junk.
Removal means finding the injected content across your database (wp_posts, wp_options), files, and rogue spam sitemaps, deleting hidden links and doorway pages, removing any unauthorized Search Console owner, patching the entry point, and then getting Google to de-index the spam and recrawl your real content so rankings recover.
100s–1000s
Spam pages a single infection can generate
Cloaked
Shown to Google, hidden from you
DB + index
We clean both, not just files
$0
If we can’t fix it
See What Google Sees
Browsing your own site tells you nothing — SEO spam is built to show you a clean page while feeding junk to search engines. These checks reveal what Google actually indexed.
Check 1 — The site: search
site:yourdomain.comSearch Google for site:yourdomain.com. If you see foreign-language titles, pages for products you don’t sell, or far more results than you have real pages, those are injected spam pages Google has indexed under your name.
Check 2 — Google’s cached view
View a page the way Googlebot fetched it (URL Inspection in Search Console, or a crawler tool). If the cached/crawled version contains keywords, links, or text that aren’t on the page you see in your browser, that’s cloaked SEO spam.
Check 3 — Search Console
In Search Console, watch the Pages report for a sudden jump in indexed URLs, check Security & Manual Actions for “pure spam” or “user-generated spam,” and review Settings → Users and permissions for owners you don’t recognize.
Check 4 — Page source & sitemaps
View page source and search for off-topic outbound links or text hidden with CSS (white-on-white, display:none, off-screen positioning). Then check for unfamiliar sitemap*.xml files attackers created to fast-track spam into the index.
Found junk in any of these? Send us your domain — we’ll map exactly what’s indexed and clean it. Not sure which spam type you have? See the routing table below.
Which Spam Do You Have?
“SEO spam” is the umbrella. The cleanup is similar, but the content and recovery steps differ by type. This page covers general keyword/link injection and the Japanese keyword hack; for the specific variants below, the linked page is your faster route.
| What’s in your search results | Spam type | Get the right fix |
|---|---|---|
| Japanese/foreign titles, junk pages, hidden links to counterfeit goods | Japanese keyword hack / spam-link injection | You’re on the right page |
| Viagra / Cialis / pharmacy titles & meta | Pharma hack | Pharma hack removal |
| Casino, betting, slots, “judi” gambling keywords | Casino / gambling spam | Casino spam removal |
| Page shows one thing to you, a totally different thing to Googlebot | Cloaking (the technique itself) | Cloaking malware removal |
| Live visitors are forcibly sent to another site | Redirect malware (not SEO spam) | Redirect malware removal |
| “Deceptive site ahead” / red warning screen | Google blacklist after detection | Blacklist removal |
These rarely arrive alone — the same break-in that injects Japanese spam can also seed pharma or gambling pages and a backdoor. We scan for all of them during every SEO-spam cleanup.
Redirect malware hides in files; SEO spam hides in your database and your search index. Deleting a few spam pages in WordPress won’t touch the generator that re-creates thousands more. Here’s everywhere we look.
Thousands of auto-generated spam posts and pages — often Japanese or keyword-stuffed — injected straight into the database so they exist for Google without appearing in your menus.
Base64-encoded payloads, injected scripts, and hidden settings stored in wp_options, widget options, and theme settings that load on every page.
Outbound spam links pushed off-screen or hidden with CSS (white-on-white, zero-size, display:none) and dropped sitewide via template files so every page passes link equity to scams.
Fake sitemap*.xml files (and tampered robots.txt) attackers create and submit to Google to push thousands of junk URLs into the index as fast as possible.
Obfuscated scripts in wp-content/uploads, core folders, or a fake plugin that build cloaked spam on the fly and re-seed it after a partial cleanup.
A verification token planted in your DNS, .htaccess, or an HTML file that quietly makes the attacker a verified owner of your property — covered in detail below.
Simple Pricing
No tiers, no upsells. One price to remove the SEO spam and recover your rankings.
$75 flat, to start
Complete spam removal and search recovery — one site.
Fix-first, pay-later · you only pay once it’s clean
The step almost everyone misses
Many SEO-spam campaigns plant a Google verification token (in DNS, .htaccess, or an HTML file) so the attacker becomes a verified owner of your property. From there they submit spam sitemaps, request indexing of junk URLs, and watch your data — and if you clean the files but leave their token, they keep that access. We hunt down and revoke every rogue token and remove unauthorized owners and users as part of the cleanup.
Why deleting pages isn’t enough
Even after the spam is gone from your server, Google still has the junk URLs in its index until it recrawls. Leaving it to chance can drag rankings for weeks. We submit a clean sitemap, use removal and re-indexing requests for the worst offenders, and — where Google issued a manual action — file the security/review request so the penalty lifts and your real pages climb back.
Methodology
SEO spam is two problems: the infection on your server and the damage in Google’s index. We fix both — removing one without the other just wastes a cleanup.
We inventory every spam URL Google has indexed, compare crawled vs. live pages to expose cloaking, and trace the spam back to the generator and the entry-point vulnerability.
We remove injected posts, hidden links, doorway pages, and rogue sitemaps; sanitize wp_posts and wp_options with targeted SQL; and restore .htaccess, robots.txt, and core files to clean defaults without breaking your real content.
We revoke rogue Search Console tokens, remove unauthorized owners and admin users, delete backdoors, rotate keys, fix file permissions, and lock down uploads and login so the spam can’t regenerate.
We submit a clean sitemap, request removal/re-indexing for the worst spam URLs, and file any Google manual-action or security review so the penalty clears and your legitimate pages return to search.
Because the spam often isn’t in your files at all — it’s database records and cloaked output served only to Googlebot. A signature scanner browsing as a normal desktop visitor sees the same clean page you do, while the keyword-stuffed version is reserved for search crawlers. Confirming a clean site means checking what Google is actually served, not just what you see.
Removing visible spam posts ignores the generator that re-creates them, the backdoor that re-injects it, and the attacker’s Search Console access. Within days the junk is back — and your rankings stay buried because the spam URLs are still in Google’s index. Real recovery needs cleanup, eviction, and de-indexing together.
That’s the Japanese keyword hack, one of the most common forms of SEO spam. Attackers inject hundreds or thousands of Japanese-language pages — usually affiliate pages for counterfeit goods — so your domain ranks for their keywords. The pages are cloaked, so your homepage looks normal while the spam appears only in search results.
SEO spam is usually cloaked: the malware detects search-engine crawlers and serves them keyword-stuffed content and links, while showing human visitors the normal site. You won’t see it by browsing; you’ll see it with a site:yourdomain.com search, in Google’s crawled view of the page, or in Search Console.
No. A redirect hack reroutes your live visitors to another site. SEO spam leaves your URLs working but poisons what’s indexed — injecting spam pages and hidden links to hijack your search authority. They can co-occur from the same break-in, but they’re cleaned differently. If your visitors are being redirected, start with our redirect malware removal page.
Usually, yes — but recovery depends on de-indexing the spam, not just deleting it. Once the infection is gone, the attacker is evicted, and we submit a clean sitemap with removal/re-index requests, Google recrawls and your legitimate pages return. If a manual action was issued, rankings recover after the review is approved. Acting quickly limits how deep the penalty goes.
That’s a common SEO-spam tactic — the attacker planted a verification token to control your indexing. It must be removed along with the token (often hidden in DNS, .htaccess, or an HTML file), or they keep access even after a file cleanup. We locate and revoke every rogue token and remove unauthorized owners and users.
You can if you’re comfortable in the database, server files, robots/sitemaps, and Search Console — but SEO spam is built to evade DIY cleanups. Miss one backdoor, the generator, or the attacker’s token and it regenerates, and the indexed junk keeps dragging your rankings until it’s properly de-indexed. A professional cleanup is usually faster and safer.
Server-side cleanup is typically done within 4–12 hours; de-indexing and ranking recovery then follow Google’s recrawl timeline. We work fix-first, pay-later: we clean and secure your site first, and if we can’t remove the SEO spam, you pay nothing. Send us your domain for a quote.
Every day the spam stays indexed, your rankings sink and your domain’s reputation erodes. We clean the infection, evict the attacker, and de-index the junk — and if we can’t, you pay absolutely nothing.
100% risk-free · Fix-first, pay-later