Your site looks perfect to you — but Google is being shown something completely different: spam pages, junk keywords, or links you never created. That’s cloaking: malware that detects who’s visiting and serves one version to search engines and another to humans. We expose the cloaked content, remove the engine that switches it, and get your real pages back in front of Google.
Last updated: June 2026 · Reviewed by the FixHackedWordPress malware response team
How You’d Notice
site: search but not in your dashboardFix-First, Pay-Later Guarantee
We expose and remove the cloaking first. If we can’t, you pay nothing.
Quick Answer
Cloaking is the technique behind most stealthy SEO infections: malware inspects each request and serves different content to search-engine crawlers than to human visitors. To you and your customers the site looks clean; to Googlebot it shows spam pages, hidden links, or injected keywords. Because the bad content is reserved for crawlers, you can browse your whole site and never see it — the damage only appears in search results, and Google penalizes cloaking heavily once it’s detected.
This page is about the cloaking engine itself — the conditional code that decides who sees what. The payload it serves is usually pharma, casino/gambling, or general SEO spam; if you already know which, that page is a great companion fix. If your site instead redirects live visitors rather than swapping content, see redirect malware removal.
Crawler ≠ human
Different content served to each
Invisible
Looks clean in your browser
Penalized
Google acts hard on cloaking
$0
If we can’t fix it
The Switch
Every cloak is a conditional check run before the page renders. It profiles the visitor, and only crawlers (or specific visitors) get the spam version. These are the signals it checks.
User-Agent
The most common cloak checks the User-Agent string for search-engine crawlers and serves them keyword-stuffed content, while real browsers get the clean page.
Referrer
Some cloaks inspect the referrer, treating visitors arriving from Google differently from direct visits — so the owner, going direct, never triggers it.
IP / reverse-DNS
More advanced cloaks verify the visitor’s IP or reverse-DNS against known Googlebot ranges, making the spam even harder to reproduce by faking a User-Agent alone.
Cookie / first-visit
A cookie can show the cloaked version only once or only to new visitors, so repeat checks by the owner look perfectly normal.
Because the spam is conditional, a normal browser visit — yours included — almost never reveals it. That’s the whole point of cloaking, and why it’s so often missed.
See What Google Sees
The trick to catching a cloak is to look at your site the way a search engine does, then compare it to your normal view.
Check 1
Use “View crawled page” / “Test live URL” to see the exact HTML Googlebot received. If it contains keywords, links, or pages that aren’t in your browser view, that’s cloaking.
Check 2
Request your page with a Googlebot User-Agent and compare it to a normal request. Different output for the two is a direct sign of a User-Agent cloak.
Check 3
Run site:yourdomain.com and read the titles and snippets. Listings that don’t match your real pages — or pages you never made — are the cloaked content Google indexed.
Seeing a mismatch? Send us a URL and we’ll expose exactly what’s being served to crawlers and remove it.
The conditional “who is this?” code can sit at several layers. We find and remove the switch, not just the spam it serves.
Code in functions.php, wp-config.php, or core files that checks the User-Agent/referrer/IP and branches to the spam output — usually obfuscated.
Server-level conditions that route crawlers to cloaked pages or alternate content before WordPress even loads.
An mu-plugin or rogue plugin that runs the cloak on every request and never appears in your plugin list.
Cloaked content and switching logic stored in wp_options or post records, loaded conditionally without a visible file change.
A small stub that pulls the cloaked content from an attacker server, so what Google sees can change without touching your site.
Shells and rogue admins that re-add the cloak after a partial cleanup — see our backdoor removal page.
Methodology
Expose what’s hidden, remove the switching engine and its payload, then repair the search damage.
We fetch your pages as crawlers and from different conditions to reveal exactly what Google is being shown, and confirm which signal (UA, referrer, IP, cookie) triggers the switch.
We strip the conditional cloaking code from files, .htaccess, plugins, and the database, cut any remote loader, and delete the spam pages and links it served.
We patch the entry point, remove backdoors, rogue admins, and unauthorized Search Console owners, rotate keys, and lock down the site so the cloak can’t return.
We submit a clean sitemap, request removal/re-indexing of the cloaked URLs, and file any Google review so a cloaking penalty lifts and your real pages return.
Simple Pricing
No tiers, no upsells. One price to remove the cloak and repair your search damage.
$75 flat, to start
Complete cloak removal and recovery — one site.
Fix-first, pay-later · you only pay once it’s clean
Cloaking serves the spam version only to search engines (or specific visitors) and shows you the clean page. You’ll never see it by browsing normally; you’ll see it in Google’s crawled view of the page and in a site: search.
Cloaking is the delivery technique; SEO spam, pharma, and casino spam are the payloads it hides. This page removes the cloaking engine. If you know the payload, pair it with the matching page — pharma, casino, or SEO spam.
Yes. Cloaking swaps the content shown to crawlers vs. humans; a redirect sends visitors away to another site. If your visitors are being rerouted, start with redirect malware removal.
Google can flag or demote a site serving cloaked content regardless of who added it, which is why fast removal matters. Once the cloak is gone and the pages are recrawled, we file any review needed so the penalty lifts.
Server-side removal is typically 4–12 hours; de-indexing follows Google’s recrawl. It’s a flat $75 to start, fix-first and pay-later — you only pay once it’s clean. Send us your domain to begin.
Every day the cloak runs, Google sees spam instead of your business — and your rankings pay for it. We expose it, remove the engine, and repair the damage — and if we can’t, you pay absolutely nothing.
Flat $75 · Fix-first, pay-later