Security
WordPress Spam Injections: Find Every Hidden Link and Remove It
A WordPress spam injection is when an attacker plants hidden links, keywords, or redirects inside your site's files or database — usually invisible to you but perfectly readable by search engines and the bots that exploit them. The goal is to piggyback on your site's authority to rank casino, pharma, or adult content. If you catch it early, you can remove every trace, close the entry point, and recover your search rankings before Google penalises you.
What a Spam Injection Actually Looks Like
The sneaky part is that most spam injections are deliberately hidden from logged-in administrators. Attackers check for the wp_is_mobile() cookie, your logged-in status, or your referrer — and serve clean HTML to you while showing spammy content to Googlebot and random visitors. That's why so many site owners only find out from a Google Search Console warning or a client complaint.
Common symptoms to watch for:
- Google Search Console reports "Manual action" for unnatural outbound links or hacked content
- Visitors complain of being redirected to unfamiliar sites — particularly on mobile or on the first visit per session
- Your site appears in Google results with spammy page titles or Japanese/Cyrillic keywords that you never wrote
- Unexpected new pages or posts appear in the admin — sometimes hundreds of them
- Your page source (right-click → View Page Source, not the browser's inspector) contains links to pharmaceutical or gambling domains, often encoded or tucked inside a comment block
- A security plugin flags modified core files
The Three Places Spam Gets Injected
1. WordPress files
Attackers most often modify wp-config.php, theme files (functions.php in particular), or drop standalone PHP files into /wp-content/uploads/ where files are rarely audited. Injected code is typically base64-encoded, wrapped in eval(), or split across multiple lines to evade simple grep searches.
2. The database
Post content, widget HTML, and the wp_options table are all fair game. The siteurl and home values, the widget_text option, and the active_plugins serialised array are favourite targets because they affect every page on the site.
3. Rogue plugins or themes
A nulled (pirated) theme or plugin is the single most common infection vector. The malicious payload ships pre-installed inside the download and activates itself quietly. Sometimes a legitimate plugin that has been abandoned and then sold to a bad actor delivers an update containing malware — which is exactly why unmonitored auto-updates carry risk too.
Before You Do Anything: Back Up
Before touching a single file, take a complete backup — database and all files. Even an infected backup is valuable because it lets you diff before/after states and proves to your host what happened. Most managed hosts have snapshots; grab one now. If your host doesn't, use a plugin like UpdraftPlus to export to off-site storage before you start.
Step-by-Step: Finding the Injected Code
Step 1 — View your own site as a stranger would
Open an incognito window, set your browser's developer tools network tab to capture traffic, and visit your homepage. Watch for any redirect to an external domain. Then right-click → View Page Source and search (Ctrl+F) for terms like casino, viagra, eval(, base64_decode, and document.write. Anything you didn't put there is suspicious.
Step 2 — Run a remote scanner
Sucuri's free SiteCheck tool fetches your pages the same way Googlebot does and flags known malware signatures and blacklist status. It won't see server-side code, but it confirms whether anything is being served in the output. It takes 30 seconds and costs nothing.
Step 3 — Compare WordPress core files to the originals
In your host's file manager or via SSH, run:
wp core verify-checksums
This WP-CLI command compares every core file to the official checksums stored by WordPress.org and lists any that have been added, removed, or changed. Any modification to a core file is a red flag — core files should never be edited. If you don't have WP-CLI access, the Wordfence free plugin runs the same check from the admin panel under Wordfence → Scan.
Step 4 — Search files for known bad patterns
Via SSH, this command recursively searches your entire WordPress install for the most common obfuscation technique:
grep -rl "eval(base64_decode" /path/to/wordpress/
Run the same search substituting gzinflate, str_rot13, and preg_replace.*\/e — all common obfuscation patterns. Note every file path returned; you'll inspect each one.
Step 5 — Scan the database for injected links
In phpMyAdmin, open the Search tab, choose all tables, and search for fragments of a suspicious domain you found in step 1. Also search for <script in the wp_posts and wp_options tables, and for eval( in wp_options. The WP-CLI command wp db search "<suspicious-term>" does the same thing at the command line and is faster on large databases.
Removing the Injection Safely
Infected core files
Don't try to edit them — replace them. Download a fresh copy of the same WordPress version from wordpress.org, upload everything except wp-config.php and wp-content/, overwriting what's there. This is safe and takes about five minutes.
Infected theme or plugin files
If you bought or downloaded the theme/plugin legitimately, delete the entire directory and reinstall from the original source. Do not try to surgically remove one line — attackers routinely plant multiple payloads. If the theme is custom-built, you'll need to diff it carefully against your last known-clean version, which is why version control (Git) is so valuable. Any nulled plugin or theme must be deleted permanently.
Injected database content
For post content, use the Search & Replace feature in phpMyAdmin or the WP-CLI command wp search-replace "<bad-link>" "" — the latter handles serialised data safely, which phpMyAdmin's raw SQL does not. For wp_options, edit values individually in phpMyAdmin; don't run a blanket replace on that table because serialised data breaks if string lengths change.
Rogue files in /uploads/
Delete any .php file inside /wp-content/uploads/. WordPress never needs PHP files there — only image and media files belong in that folder. You can block PHP execution at the server level too (see Prevention below).
Closing the Entry Point
Removing the malware without closing the hole just means you'll be reinfected within hours. Common entry points and their fixes:
- Outdated plugins/themes/core: Update everything, then set up automatic updates for minor WordPress versions and security releases.
- Weak admin passwords or compromised credentials: Reset every WordPress user's password, rotate your hosting panel password, and enable two-factor authentication (the WP 2FA plugin works well).
- Writable
wp-config.php: Set its permissions to 600 (chmod 600 wp-config.php). - PHP execution in /uploads/: Add a small
.htaccessfile inside/wp-content/uploads/withphp_flag engine off(or the nginx equivalent) to block any uploaded scripts from running. - Unused accounts: Delete any WordPress admin accounts you don't recognise. Attackers often create their own to maintain access.
- Abandoned plugins: Remove any plugin that hasn't had an update in over 12 months — it's a liability. See our related guide on what plugins actually do to your server for context on why this matters.
After Cleanup: Getting Off Google's Blacklist
If Google flagged your site, head to Google Search Console → Security & Manual Actions → Security Issues. Once you've confirmed the malware is gone, click Request Review and describe what you found and removed. Google typically responds within a few days for automated penalties; manual actions can take a week or two. Keep your Search Console email notifications turned on so you hear about any recurrence immediately.
Prevention Going Forward
A cleaned site needs a routine to stay clean. At minimum:
- Run a reputable security plugin (Wordfence, Solid Security, or Patchstack) with file-change monitoring enabled.
- Keep daily off-site backups — not just your host's snapshots, which an attacker who compromises your hosting panel can delete.
- Audit user accounts quarterly and enforce strong password policies.
- Keep WordPress, every plugin, and every theme up to date. Consider a managed care plan if keeping up with updates isn't realistic for your schedule.
If you want that routine handled for you, Mend's $99/month Care Plan covers managed updates, daily backups, security monitoring, and uptime checks — so someone is watching even when you're not.
When to Call a Professional
If you've been through the steps above and the infection keeps returning, if you're not comfortable accessing files via SSH or phpMyAdmin, or if your site handles payments and you need certainty that nothing was left behind — don't keep guessing. A reinfection or an incomplete cleanup can make the Google penalty worse and erode visitor trust in ways that take months to repair.
Our full WordPress hack cleanup guide walks through the forensics in more detail. Or if you'd rather have a senior engineer handle it, request a free Mend diagnosis — we'll triage the infection, tell you exactly what we'd fix and what it costs, and get to work the same day. Every cleanup ships with a written report of exactly what was found and changed, and is backed by a fixed-or-your-money-back guarantee.
Frequently asked questions
Can I use a plugin to automatically remove WordPress malware?
Plugins like Wordfence and MalCare can detect and remove many known malware signatures automatically, and they're a reasonable first attempt. However, sophisticated or custom injections — especially those buried in serialised database data or disguised as normal option values — often need manual review to remove completely and safely.
Why does the spam keep coming back after I remove it?
Reinfection almost always means the attacker's entry point is still open — an outdated plugin with a known vulnerability, a backdoor file you missed, or a compromised admin password. Removing the payload without auditing and closing the entry point is like mopping the floor without fixing the leak; the malware will return within hours or days.
Will my search rankings recover after a spam injection is cleaned up?
Usually yes, but it takes time. Once you've submitted a review request in Google Search Console and any manual action or Safe Browsing warning is lifted, rankings typically recover over several weeks as Googlebot re-crawls your pages and sees clean content. Sites with long-standing or severe injections may take longer, particularly if many spammy pages were indexed.
How do attackers hide spam links from site owners?
The most common technique is conditional serving — the malicious code checks whether the visitor is a logged-in WordPress user, comes from a search engine referrer, or is using a mobile device, and only outputs the spam links under those conditions. Because site owners are almost always logged in when they browse their own site, they see clean pages while Googlebot and random visitors see the injected content.