WordPress SEO spam: what is it and how to prevent it?



WordPress SEO spam is one of the most common security threats for websites using this CMS. It can get your website labeled deceptive, cause your users to suffer scams, and disrupt normal functionality.

This article explores how spammers attack your website and what you can do to stop them.

What is WordPress SEO spam?


As you probably know by now, improving your website’s SEO leads to higher positions in search engine rankings. Better ranking leads to more visitors and better opportunities to monetize your site.

One way unscrupulous website owners game the SEO system to increase site traffic is by using blackhat SEO techniques, also known as SEO spam attacks, spamdexing, or SEO spam. These practices increase SEO ranking via malicious disruption of the websites of others. Using them, website owners increase traffic to their sites by breaching the security of other sites and redirecting traffic.

SEO spam is a very common security threat in the WordPress ecosystem. According to Sucuri’s 2021 security report, 52% of sites cleaned up with their SiteCheck scanner suffered from an SEO spam malware infection.

Types of WordPress SEO spam


Spammy keywords

These are keywords placed on someone else’s website to get that website to rank for those specific keywords, which the spammer often uses to run scams. Spammers often introduce keywords related to pharmaceutical products like Viagra or Cialis, sportswear brands like Nike, and designer clothes or bags like Gucci.

These words may be placed on visible sections of the website, like the header, or inconspicuous locations, like an image’s alternative text.

Spammy links

Spammy links are links deceivingly placed on someone else’s website. These links direct to the website the spammer is trying to increase traffic for and may be hidden under any clickable content, such as linked text or media files.

Spammy links are called “clickjacking,” often leading unsuspecting users to malicious websites that steal personal information or run scams.

Spammy posts and pages

After gaining access to a site through backdoors, a vulnerable plugin or theme, or any other security exploit, spammers can create new posts and pages riddled with spammy keywords and links. Popular websites with extensive archives are the prime target for these tactics because their SEO score allows them to rank quickly for any keywords they post about.

Spammers use the site’s popularity to direct a large amount of traffic to their malicious site.

Spammy emails

The term “spam” initially referred to unsolicited emails that led to malicious or fraudulent sites, a practice that continues today. After gaining access to an email address associated with your site, spammers send scam emails to the contacts in your database.

If the members of your database trust your email address, they may click on the links in the email, potentially leading to personal information theft or fraudulent marketplaces where they’ll be ripped off. As a result, customers may collectively tag your address as spam, which can eventually lead to the account being classified as spam by default.

Spammy ads, banners, and popups

Spammers may insert malicious ads, banners, and popups into your website to steal information or direct users to fraudulent sites.

Signs of a WordPress SEO spam attack

Although SEO spammers often try to be sneaky about it, and it can sometimes be hard to detect SEO spam attacks, they leave traces of their malicious activities. These are some of the most common signs of this kind of attack:

  • Google Search Console warnings. Google Search Console can detect content added without permission, deceptive pages, deceptive embedded resources, links to malicious downloads, and more.
  • Malware scans detect malicious code on your website.
  • When trying to enter your site from Google, you get a “Deceptive site ahead” warning.
  • Unexpected and sudden spikes or drops in website traffic.
  • New posts, pages, ads, banners, and popups the legitimate admins didn’t add.
  • Google Transparency Report. Using the Safe Browsing feature, you can paste the URL of a website or specific webpage. The tool will tell you whether unsafe content was detected.
  • Unexpected and suspicious anchor text like “cheap Adidas shoes” or “buy Viagra.”
  • Unexpected Japanese characters in post titles and metadata (Japanese keyword hack). The Japanese characters often link to websites selling forged merchandise from well-known brands.
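Several of the on-page signs above (suspicious anchor text, spammy image alternative text, Japanese characters in titles) can be checked automatically. The following is an added example, not part of the original article: a Python scanner for one rendered page, where the term list, the host names and the sample HTML are constructed assumptions to adapt to your own site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms named in this article (tune per site) and Japanese/CJK script ranges.
SPAM_TERMS = re.compile(r"\b(viagra|cialis|nike|adidas|gucci)\b", re.I)
JAPANESE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

class SpamSignScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
        self._tag, self._href, self._text = None, "", []  # element being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "title"):
            self._tag, self._href, self._text = tag, attrs.get("href") or "", []
        elif tag == "img" and SPAM_TERMS.search(attrs.get("alt") or ""):
            self.findings.append(("spam-alt-text", attrs["alt"]))

    def handle_data(self, data):
        if self._tag:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != self._tag:
            return  # closing tag of a nested element such as <b> inside <a>
        text = "".join(self._text).strip()
        if tag == "title" and JAPANESE.search(text):
            self.findings.append(("japanese-title", text))
        elif tag == "a" and SPAM_TERMS.search(text):
            host = urlparse(self._href).hostname or self.site_host
            kind = "spam-anchor" if host == self.site_host else "spam-anchor-offsite"
            self.findings.append((kind, f"{text} -> {self._href}"))
        self._tag = None

def scan_page(html, site_host):
    scanner = SpamSignScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings  # list of (kind, detail) tuples

# Constructed sample page, not taken from a real site.
SAMPLE = """<title>格安ブランド財布 | My Blog</title>
<p><a href="/about">About us</a> <img src="/logo.png" alt="buy viagra online"></p>
<a href="https://shop.example.net/x">cheap Adidas shoes</a>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE, "blog.example.com"))
```

A site that legitimately writes about these brands or publishes in Japanese will need a different term list, so treat findings as leads to review rather than proof of compromise.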

Consequences of WordPress SEO spam attacks


SEO spam attacks can significantly affect your site’s functionality and traffic. These are some of the most common ways these attacks affect your website:

  • The security breaches that allowed the spammers to manipulate your website’s content may open you to further violations. This is a common tactic used in backdoor attacks.
  • Your website may start ranking for spammy keywords instead of the keywords you’re interested in, diverting clicks away from you and potentially leading to revenue loss.
  • Time wasted trying to improve your SEO ranking while under attack.
  • Loss of reputation (and revenue), especially if users are scammed after being redirected from a spammy link inserted into your site.
  • Immediate mistrust from users if your website is flagged as “deceptive” by Google, leading to traffic and revenue loss.
  • Your web host could censor your account and site if they determine it’s being used maliciously.

How to prevent WordPress SEO spam attacks?


Updating plugins, themes, core files, and PHP

Hackers and developers are in a constant arms race. Developers constantly improve security measures, and hackers try to find new ways to crack them.

By far, the most common way a website is hacked to inject SEO spam or any other malware is through a vulnerability in a plugin. Still, attackers may also exploit themes, WordPress core files, and PHP versions. Keeping all your software components updated with the latest security patches will protect your website.

Stay aware of vulnerable plugins

You should avoid plugins with known vulnerabilities or disable them until they are patched with an update. Outlets like Sucuri, iThemes, and Wordfence frequently release roundups about which plugins are vulnerable.

Install a security plugin

Security plugins protect your website from known vulnerabilities and threats. They can remove common infection vectors and help you prevent SEO spam attacks, among many other threats. Their most common features include the following:

  • Monitoring and scanning your website for malware.
  • Spam filtering.
  • Checking SSL certificates.
  • Protecting your site from zero-day attacks.
  • Repairing and restoring hacked sites.
  • Securing the authentication process.
  • Applying firewalls.

Some popular security plugins include Sucuri, Jetpack, Wordfence, iThemes Security, All In One WP Security, and BulletProof Security.

Run regular malware scans

Malware scanners detect common vulnerabilities like the ones used by SEO spam attackers to gain access to your site. However, remember that they can’t scan your database, user accounts, WordPress settings, or plugins, common elements often used for attacks.

That said, they are still very effective within their scope.

Harden your login

Protecting your login from hackers is one of the best ways to protect your site from attacks in general, including SEO spam. Consider taking the following measures:

  • Enforce strong and unique passwords for all admin users.
  • Customize your login URL to prevent hackers from gaining easy access to it.
  • Add two-factor authentication to the login. This is one of the most effective ways to protect your password from hacking attempts.
  • Limit failed login attempts with a plugin like Limit Login Attempts Reloaded.

Manage file permissions

File permissions for the WordPress core configure which users can read, write, and execute a file or all files in a folder. Being too strict interferes with the site, theme, and plugin performance. However, being too permissive opens you up to security threats if a user account becomes compromised.

You’ll have to find the best balance for your workflow. 

You can modify file permissions by using an FTP client like FileZilla and right-clicking on files and folders. You’ll get a list of permissions for each type of user, which you can modify. A model some admins and developers use is the following.

  • wp-config.php = 400 or 440
  • All .php files = 644
  • index.php = 644 or 444
  • wp-content folder = 755
  • wp-includes folder = 755
  • wp-content/uploads folder = 755
  • All files in general = 644
  • All folders in general = 755

However, determine whether it works for your site’s needs and make adjustments if necessary.
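An added example, not part of the original article: a Python audit that walks a WordPress directory and reports every file or folder whose mode falls outside the model listed above. The `build_demo_tree` helper and its file names are constructed sample data; point `audit_tree` at your own install path instead.

```python
import os
import stat
import tempfile

# Modes from the model in this article; other files are 644, folders 755.
SPECIAL_FILES = {"wp-config.php": {0o400, 0o440}, "index.php": {0o644, 0o444}}

def allowed_modes(rel_path, is_dir):
    if is_dir:
        return {0o755}
    return SPECIAL_FILES.get(os.path.basename(rel_path), {0o644})

def audit_tree(root):
    """Return sorted (relative_path, actual_mode) pairs that break the model."""
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; audit its target
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(st.st_mode)
            if mode not in allowed_modes(rel, is_dir):
                mismatches.append((rel, oct(mode)))
    return sorted(mismatches)

def build_demo_tree(root):
    """Constructed sample install (empty files) with three deliberate mistakes."""
    layout = {
        "wp-config.php": 0o644,                 # too open: model says 400 or 440
        "index.php": 0o444,                     # allowed
        "wp-includes/version.php": 0o644,       # allowed
        "wp-content/uploads/photo.jpg": 0o666,  # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel in ("wp-includes", "wp-content"):
        os.chmod(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)  # world-writable dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(audit_tree(demo))
```

The audit only reads modes and changes nothing, so it is safe to run on a live site before deciding which mismatches are intentional.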

Restoring a website backup

This is more of a way to revert a site overrun with SEO spam attacks, but it can be an effective (if extreme) measure.

Remember that even after a restore, the original vulnerability that led to your site getting hacked may still exist, so you must also figure out what happened and solve the issue or risk being attacked again.

WordPress SEO spam attacks are common but can be prevented

Malicious site owners use SEO spam attacks to divert traffic by manipulating other websites and adding links to their own. This violates search engine guidelines and may lead to loss of reputation and revenue for affected businesses.

WordPress is often the target of these attacks as the most popular CMS in the world. Still, there are security measures website owners can take to protect their sites from the common security breaches that precede SEO spam attacks.

By doing what we explained in this article, you’ll be ready to protect yourself from these attacks.