SEO Spam Attacks | NOC.org

What Are SEO Spam Attacks?

SEO spam attacks, also known as spamdexing or search engine poisoning, occur when attackers compromise a website and inject hidden content designed to manipulate search engine rankings. The attacker's goal is not to deface your site or steal data directly. Instead, they exploit your domain's existing authority and trust with search engines to rank their own content, typically promoting pharmaceutical products, counterfeit goods, gambling sites, or adult material.

These attacks are particularly insidious because they often go undetected for months. The injected content is frequently invisible to site visitors and administrators, shown only to search engine crawlers through cloaking techniques. Meanwhile, your site's reputation erodes as Google and other search engines associate your domain with spammy content.

Common Types of SEO Spam Attacks

Japanese Keyword Hack

The Japanese keyword hack is one of the most prevalent forms of SEO spam. Attackers inject thousands of pages containing auto-generated Japanese text into a compromised site. These pages typically promote counterfeit luxury goods, designer brands, or other merchandise. The pages are generated dynamically and often appear in Google Search Console as indexed URLs you never created.

Signs of a Japanese keyword hack include unexpected Japanese characters appearing in your search results, new directories or files with random names on your server, and a sudden spike in indexed pages reported by Google. The injected content often uses cloaking so that human visitors see a 404 error or are redirected, while search engine bots receive the full spam page.

Pharma Hack

The pharma hack injects content related to pharmaceutical products, particularly controlled substances like Viagra, Cialis, and other prescription medications. Attackers modify existing pages on your site by inserting hidden text, links, or conditional content that only renders for search engine crawlers. Your pages may appear normal in a browser, but when you check Google's cached version of your page, you see pharmaceutical keywords and links to rogue pharmacy sites.

Pharma hacks commonly target WordPress installations through outdated plugins, compromised themes, or weak admin credentials. The injected code is often heavily obfuscated using base64 encoding, string concatenation, or eval() calls to avoid detection by simple file scans.

Doorway Pages

Doorway pages are low-quality pages stuffed with keywords and designed solely to rank for specific search queries. Once a user clicks on the result, they are redirected to a completely different site. Attackers create hundreds or thousands of these pages on a compromised site, each targeting a different long-tail keyword phrase.

These pages typically follow a template, with only the target keyword phrase changed between pages. They may be placed in hidden subdirectories, served dynamically through modified .htaccess rules, or injected into the database of a CMS like WordPress.

Link Injection

Rather than creating entirely new pages, some attackers inject hidden links into existing pages on your site. These links point to external sites the attacker wants to boost in search rankings. The links are hidden from visitors using CSS (display:none, positioning off-screen, zero-height divs) but remain visible and followable by search engine crawlers. This technique is sometimes called link farming through compromised sites.

How Attackers Gain Access

SEO spam attacks require the attacker to have some level of access to your website. The most common entry points include:

• Vulnerable CMS plugins and themes: Outdated WordPress, Joomla, or Drupal components with known security flaws are the top attack vector. Attackers scan the internet for sites running vulnerable versions and exploit them automatically.
• Weak credentials: Brute force attacks against admin login pages, FTP accounts, or database credentials allow attackers to log in directly and plant their spam content.
• SQL injection: Vulnerabilities in custom code or plugins can allow attackers to modify database content directly, injecting spam into posts, pages, or configuration tables.
• Cross-site scripting (XSS): Stored XSS vulnerabilities can be exploited to inject persistent spam content that loads for every visitor or selectively for crawlers.
• Compromised hosting environments: Shared hosting where one compromised site allows lateral movement to other sites on the same server.

How to Detect SEO Spam

Detection is the first challenge with SEO spam because the injected content is often invisible to casual inspection. Use these methods to identify compromises:

Google Search Console

Check the "Pages" report in Google Search Console for unexpected URLs. Search for your domain in Google using site:yourdomain.com and look for pages you did not create, especially those with foreign-language content, pharmaceutical terms, or keyword-stuffed titles. The "Security Issues" report in Search Console may also flag detected spam.

Server-Side File Scanning

Scan your web files for recently modified files, especially PHP files containing obfuscated code. Look for base64_decode(), eval(), gzinflate(), str_rot13(), or preg_replace with the /e modifier. Check .htaccess files for unexpected rewrite rules that serve different content to search engine bots based on user-agent strings.

External Scanning Tools

Tools like Sucuri SiteCheck, Google Safe Browsing, and VirusTotal can identify known spam patterns on your site. These external scanners view your site the way a search engine does, potentially revealing cloaked content that you would not see in a normal browser visit. For ongoing protection, a web application firewall (WAF) can detect and block many of the attack vectors used to inject spam.

Database Inspection

For CMS-based sites, inspect your database for unexpected content. In WordPress, check the wp_posts table for posts or pages you did not create. Examine the wp_options table for modified siteurl, home, or widget values. Look at wp_users for admin accounts that should not exist.

Cleaning Up SEO Spam

Removing SEO spam requires a systematic approach:

1. Identify the entry point: Before cleaning, determine how the attacker gained access. Check server access logs for suspicious requests, review recently modified files, and audit user accounts. If you clean the spam without closing the vulnerability, the attacker will simply reinject the content.
2. Remove injected files and code: Delete any files the attacker created and remove injected code from legitimate files. Compare your files against a known-clean backup or the original CMS distribution files. Pay special attention to .htaccess, wp-config.php, index.php, and header/footer template files.
3. Clean the database: Remove spam content from database tables. For WordPress, check all post types, options, and user tables. Look for rogue cron jobs in wp_options that could re-trigger the infection.
4. Update everything: Update your CMS, all plugins, and themes to the latest versions. Remove any plugins or themes you are not actively using.
5. Reset credentials: Change all passwords including CMS admin accounts, FTP credentials, database passwords, and hosting panel logins. Revoke any unknown SSH keys.
6. Request reindexing: After cleanup, use Google Search Console to request removal of spam URLs and submit your sitemap for recrawling. Monitor the "Pages" report to confirm spam URLs are being deindexed.

Prevention

Preventing SEO spam attacks requires the same foundational security practices that protect against any website compromise:

• Keep all software updated, including CMS core, plugins, themes, and server software.
• Use strong, unique passwords and enable two-factor authentication on all admin accounts.
• Deploy a cloud-based WAF to filter malicious traffic before it reaches your server and block known exploit attempts.
• Implement file integrity monitoring to detect unauthorized changes to your files.
• Regularly audit your site's indexed pages using Google Search Console and site: searches.
• Restrict file permissions and disable PHP execution in upload directories.

Summary

SEO spam attacks are among the most common forms of website compromise, and they are specifically designed to evade detection. Attackers exploit your site's search engine authority to promote their own content, and the damage to your rankings and reputation can persist long after the spam is removed. Regular monitoring through Google Search Console, server-side scanning, and external security tools is essential for early detection. Keeping your software updated, using strong credentials, and deploying a WAF are the most effective preventive measures.

If your website has been affected by SEO spam or other security threats, NOC can help. Explore our plans to find the right level of protection for your site.