The Site Looks Normal, but Search Results Are Flooded with Product Pages and Chinese Text—Detecting and Completely Removing SEO Spam

The site looks normal, but search results are flooded with product pages or appear in Chinese—here’s an explanation of how to detect and completely remove SEO spam.

What Is SEO Spam?

If the Google search results for your company’s WordPress site are filled with a large number of unfamiliar product pages or pages in Chinese, and clicking on those links leads to your company’s domain (even if they eventually redirect to another site, this still counts as SEO spam), it is highly likely that your site has been tampered with through a hacking attack known as SEO spam.

The specific methods hackers use for SEO spam are as follows:

・Hackers exploit vulnerabilities in your site to gain permissions that allow them to overwrite databases, content, sitemaps, and other elements on your server.

・Hackers place unauthorized content on the site, alter sitemaps, or embed unauthorized links and forced redirection code into pages, causing search engines to mistake these for legitimate pages and index them

・Search results become contaminated with fraudulent pages.

・If users accidentally purchase products, their credit card information may be leaked, or they may download viruses, potentially leading to secondary damage.

How do you remove SEO spam?

To remove SEO spam, you must inspect and remove the compromised parts of your WordPress site.
The following files are commonly compromised:

index.php
Theme’s index.php
wp-config.php
Theme’s functions.php
Theme’s header.php

However, other files may also be compromised, and in many cases, hackers may have installed a “backdoor”—a type of file that allows them to freely alter server content—deep within the system. Since manually opening and inspecting each file one by one is not practical, we recommend using a dedicated plugin to comprehensively scan and remove malware from all files on your site.

[Free] WordPress: Malware Scan & Security Plugin [Malware & Virus Detection and Removal]

After removal, how long does it take for the contaminated search results to disappear and return to normal?

If the tampering has been completely removed, the contamination in most search results is often cleared within one week to one month.
However, this depends on how frequently Google crawls the site, so it is difficult to predict the exact timeframe.

Based on our experience, registering a new, cleaned-up sitemap via Search Console does not seem to significantly affect this process.

However, if only a few malicious pages appear in search results, setting those pages to be excluded from search rankings via Search Console may cause them to disappear somewhat faster.

To temporarily remove pages from search results via Search Console (URL Removal Tool)
・Log in to Search Console (search.google.com/search-console)
・Select “Indexing” → “Removal” from the left menu
・Click “New Request”
・Enter the target URL in the “Temporary Removal” tab
・Click “Next” → “Submit” to complete the process

The page will be hidden from search results for approximately 6 months. If you want to permanently exclude it, the page itself must no longer exist.

After removing malware, you must patch the vulnerabilities

Once you’ve removed the hacker’s tampering, you must first patch the vulnerability that allowed the hacker to gain access.

• Change the administrator password to a complex one automatically generated by WordPress.

• Update any vulnerable versions of WordPress core or plugins.

The affected site may not be the hacker’s only point of entry

If there are multiple sites on the server, a hacker may gain access through a different site and spread the tampering beyond the domain folder via that site.

For this reason, we recommend that you perform malware scans, removal, and vulnerability mitigation on other sites on the server as well.