The most common type of WordPress tampering today is the SEO hack (SEO spam). This article explains examples of SEO hacks and how to deal with them.


Symptoms and Examples of WordPress SEO Hacks

Forcibly redirecting (moving) a user who has visited your site to another site

This symptom may appear when clicking a link on the site, or only when arriving at the site from a search engine. Some variants record the time of access in a cookie so that the symptom appears only once every few hours or once a day.

JavaScript code like the following is embedded in wp-config.php, index.php, the theme's header.php, footer.php and functions.php, or jquery.min.js and jquery-migrate.min.js:

eval(String.fromCharCode(sequence of numbers))
createElement('script'); s.type='text/javascript';

These are obfuscated JavaScript snippets that perform the unauthorized redirect. Because they are embedded in files that WordPress always executes, every page of the site is affected.

Links to other sites that are not visible on the site

Links are embedded in the header or footer of the site inside an invisible element that the browser does not display, such as:

<div style='display:none'><a href='malicious site URL'>string</a> <a href='malicious site URL'>string</a>... (often 20 or more links in a row)</div>

Although these links are invisible, search engines rate sites based on the number of links and the link text, so this kind of tampering is most likely embedded to gain an SEO advantage.

Tampering with sitemaps to get rogue pages picked up by searches

The sitemap output by WordPress or its plug-ins is tampered with to add a large number of rogue pages so that search engines pick them up. Searching for your own site then reveals the tampering and hijacking: the results include a large number of unrelated pages that you do not recognize.

The tampering may not be limited to the sitemap. Folders named FOX-404, FOX, or a random string may also be created on the server to host the malicious pages themselves.

Embedding of Affiliate Advertisements

Code in the following format is added to the theme's header.php and footer.php, which also run on every page, to load and display affiliate ads on the page.

<script src="malicious external ad embed script URL"></script><script src="malicious external ad embed script URL"></script><script src="malicious external ad embed script URL"></script>... (5 or more in a row)

Users visiting the site see ad pop-ups that the administrator did not add, ad windows that open by themselves on page transitions, and redirects.

How to detect and address SEO hacks

SEO hacks need to take effect on every page of the site, so they are often embedded in files like the ones below, which WordPress runs on every page.

wp-config.php
index.php
Theme index.php
Theme header.php
Theme footer.php
Theme functions.php
wp-includes/js/jquery/jquery.min.js
wp-includes/js/jquery/jquery-migrate.min.js
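
The patterns shown in the examples above can be searched for across these files with a short script. The following is an added example, not code from the original article; the theme location wp-content/themes/*, the finding names, and the hidden-link threshold of 5 are assumptions made here.

```python
import re
from pathlib import Path

# Injection points listed in the article, relative to the WordPress root.
# Assumption: theme files live under the default wp-content/themes/<theme>/.
THEME = "wp-content/themes/*/"
TARGETS = ["wp-config.php", "index.php",
           *(THEME + f for f in ("index.php", "header.php", "footer.php", "functions.php")),
           "wp-includes/js/jquery/jquery.min.js",
           "wp-includes/js/jquery/jquery-migrate.min.js"]

CHARCODE_EVAL = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(", re.I)
# Weak signal on its own: legitimate libraries (jQuery included) also create script elements.
DYNAMIC_SCRIPT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)
HIDDEN_DIV = re.compile(r"<div[^>]*display\s*:\s*none[^>]*>(.*?)</div>", re.I | re.S)
LINK = re.compile(r"<a\s[^>]*href\s*=", re.I)
# Five or more external script tags back to back, as in the affiliate ad example.
SCRIPT_RUN = re.compile(
    r"(?:<script[^>]*\ssrc\s*=\s*['\"][^'\"]+['\"][^>]*>\s*</script>\s*){5,}", re.I)

def scan_text(text, min_hidden_links=5):
    """Return the names of the tampering patterns found in text.
    min_hidden_links is an assumed threshold; the article reports 20 or more."""
    found = []
    if CHARCODE_EVAL.search(text):
        found.append("charcode-eval")
    if DYNAMIC_SCRIPT.search(text):
        found.append("dynamic-script (review)")
    if any(len(LINK.findall(m.group(1))) >= min_hidden_links
           for m in HIDDEN_DIV.finditer(text)):
        found.append("hidden-link-block")
    if SCRIPT_RUN.search(text):
        found.append("script-tag-run")
    return found

def scan_site(root):
    """Scan the listed files under a WordPress root; return {path: findings}."""
    paths = (p for pattern in TARGETS for p in Path(root).glob(pattern))
    scanned = {str(p): scan_text(p.read_text(errors="replace")) for p in paths}
    return {path: hits for path, hits in scanned.items() if hits}

# Constructed sample: a footer.php with a hidden link block appended.
SAMPLE_FOOTER = ("<?php wp_footer(); ?></body></html>\n<div style='display:none'>"
                 + "<a href='http://example.invalid/p'>text</a> " * 20 + "</div>")

if __name__ == "__main__":
    import sys
    print(scan_site(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_FOOTER))
```

A hit only points to a file that needs manual review. The script matches the patterns shown in this article and will miss variants that are obfuscated differently.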

It is also possible to use malware detection plug-ins for batch inspection and detection.
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]

Disinfection Methods

SEO hacks are often appended to legitimate WordPress files, so deleting the entire file will cause problems with the site display.
Be careful to remove only the tampered parts of the file.

Reference
How to remove WordPress malware (tampering, viruses) with plug-ins

Blocking the hacker’s entry route

The SEO hack tampering was possible in the first place because hackers were able to take over WordPress, so the root cause of the hack also needs to be removed.

The three main causes of WordPress hijacking and tampering are as follows:
Weak passwords for administrative privileges
Old plug-ins or vulnerabilities in WordPress itself
(Backdoors are often embedded when paid themes or plug-ins are used through sites that illegally distribute them for free.)

Review passwords for administrative privileges and plug vulnerabilities so that the root cause is removed as well.

Reference
5 Free WordPress Security Measures